OpenSkillIndex← back to search
claude-code

Skillshub android-legacy-security

Standards for Intents, WebViews, and FileProvider. Use when securing Intent handling, WebViews, or FileProvider access in Android. (triggers: **/*Activity.kt, **/*WebView*.kt, AndroidManifest.xml, Intent, WebView, FileProvider, javaScriptEnabled)

install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/HoangNguyen0403/agent-skills-standard/android-legacy-security" ~/.claude/skills/comeonoliver-skillshub-android-legacy-security && rm -rf "$T"
manifest: skills/HoangNguyen0403/agent-skills-standard/android-legacy-security/SKILL.md
source content

Android Legacy Security Standards

Priority: P0

Implementation Guidelines

Intents & Components

  • Visibility: Set 
    android:exported="false"
     in the Manifest for all internal Activities/Services unless explicitly needed for deep links or external integration.
  • Intents: Verify 
    resolveActivity
     before starting implicit intents. Use 
    LocalBroadcastManager
     (legacy) or 
    SharedFlow/StateFlow
     for internal communication.
  • Data: Treat all incoming Intent extras as untrusted. Validate all schema/data types before consumption.

WebView

  • JS: Default to 
    javaScriptEnabled = false
    . Use 
    WebViewClient
     and 
    WebChromeClient
     to restrict navigation and origin access.
  • File Access: Disable 
    allowFileAccess
     and 
    allowFileAccessFromFileURLs
     to prevent local file theft via XSS.
  • Bridge: If creating a 
    JavascriptInterface
    , use 
    @JavascriptInterface
     (API 17+) and strictly limit the exposed API surface.

Storage & Files

  • File Exposure: NEVER expose 
    file://
    URIs    . Use 
    FileProvider
     (androidx) to generate 
    content://
     URIs with temporary permissions.
  • SharedPreferences: Use 
    EncryptedSharedPreferences
     (Security library) for auth tokens and PII. Never use 
    MODE_WORLD_READABLE
     (deprecated/insecure).
  • Network: Use 
    NetworkSecurityConfig
     to disable 
    cleartextTrafficPermitted
     (mandatory for API 28+) and implement SSL Pinning/Certificate Pinning.

Anti-Patterns

  • No Implicit Intents Internally: Use explicit intents with the component class name.
  • No MODE_WORLD_READABLE: Never use for SharedPreferences or files.

References