Android Legacy Security Standards
Priority: P0
Implementation Guidelines
Intents
- •Implicit: Always verify
resolveActivitybefore starting. - •Exported: Verify
android:exportedlogic (as persecurityskill). - •Data: Treat all incoming Intent extras as untrusted input.
WebView
- •JS: Default to
javaScriptEnabled = false. Only enable for trusted domains. - •File Access: Disable
allowFileAccessto prevent local file theft via XSS.
File Exposure
- •FileProvider: NEVER expose
file://URIs. UseFileProvider.
Anti-Patterns
- •Implicit Internal:
**No Implicit for Internal**: Use Explicit Intents (class name). - •World Readable:
**No MODE_WORLD_READABLE**: SharedPreferences/Files.