Android Security Standards
Priority: P0 (CRITICAL)
Implementation Guidelines
Data Storage
- •Secrets: NEVER store API keys in code. Use
EncryptedSharedPreferencesfor sensitive local data (Tokens). - •Keystore: Use Android Keystore System for cryptographic keys.
Network
- •HTTPS: Enforce HTTPS via
network_security_config.xml(cleartextTrafficPermitted="false"). - •Pinning: Consider Certificate Pinning for high-security apps.
Component Export
- •Exported: Explicitly set
android:exported="false"for Activities/Receivers unless intended for external use.
Anti-Patterns
- •No Sensitive Logs: Strip logs in Release builds.
- •No Homebrew Root Detection: Use Play Integrity API instead.
- •No Raw URL String Concatenation: Use
Uri.BuilderorHttpUrl(OkHttp) to prevent parameter injection.
References
Related Topics
common/security-standards | architecture