Android Security Best Practices

SKILL.md

name: android-security-best-practices
description: Android security best practices — secrets, storage, network, components, WebView, R8.
user-invocable: true

Android Security Best Practices

Cross-cutting skill — always activates alongside the project-type-specific skill.

Hard Rules

  • No hardcoded secrets (API keys, tokens, passwords) in source code.
  • Use EncryptedSharedPreferences or Android Keystore for sensitive data at rest.
  • Enforce HTTPS for all network traffic — no cleartext permitted.
  • Set android:exported="false" on all components unless explicitly needed.
  • Use PendingIntent.FLAG_IMMUTABLE for all PendingIntents (or FLAG_MUTABLE only when required).
  • Disable WebView file access — setAllowFileAccess(false).
  • Validate all incoming Intent data before use.
  • Enable R8 (minifyEnabled true) for release builds.
  • Never log sensitive data (tokens, passwords, PII) — not even at DEBUG level.
  • Use network_security_config.xml in production.

Core Patterns

  • Store secrets in local.properties (gitignored) or CI environment variables.
  • Use Secrets Gradle Plugin to inject secrets as BuildConfig fields.
  • Pin certificates for critical API endpoints.
  • Prefer explicit intents over implicit for internal communication.
  • Restrict ContentProvider access with read/write permissions.
  • Use Play Integrity API for device attestation — SafetyNet is deprecated and shut down.

References

  • references/secure_storage.md
  • references/network_security.md
  • references/webview_security.md
  • references/intent_component_security.md
  • references/r8_proguard.md
  • references/secrets_management.md
  • references/play_integrity.md