Skillshub android-security

Standards for Data Encryption, Network Security, and Permissions. Load whenever API keys, auth tokens, cleartext traffic, android:exported, EncryptedSharedPreferences, certificate pinning, or root detection come up — even if the user just asks 'is this secure'. (triggers: network_security_config.xml, AndroidManifest.xml, EncryptedSharedPreferences, cleartextTrafficPermitted, intent-filter, api key, token storage, certificate pinning, root detection, secure storage)

install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/HoangNguyen0403/agent-skills-standard/android-security" ~/.claude/skills/comeonoliver-skillshub-android-security && rm -rf "$T"
manifest: skills/HoangNguyen0403/agent-skills-standard/android-security/SKILL.md
source content

Android Security Standards

Priority: P0 (CRITICAL)

Implementation Guidelines

Data Storage

  • Secrets: NEVER store API keys in code. Use EncryptedSharedPreferences for sensitive local data (tokens).
  • Keystore: Use the Android Keystore System for cryptographic keys.

Network

  • HTTPS: Enforce HTTPS via network_security_config.xml (cleartextTrafficPermitted="false").
  • Pinning: Consider Certificate Pinning for high-security apps.

Component Export

  • Exported: Explicitly set android:exported="false" for Activities/Receivers unless intended for external use.

Anti-Patterns

  • No Sensitive Logs: Strip logs in Release builds.
  • No Homebrew Root Detection: Use Play Integrity API instead.
  • No Raw URL String Concatenation: Use Uri.Builder or HttpUrl (OkHttp) to prevent parameter injection.
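As an added illustration of the Data Storage rule and the raw-URL anti-pattern above (example code written for this page, not part of the skill or of any referenced project): a Kotlin helper that keeps an auth token in EncryptedSharedPreferences backed by an Android Keystore master key, and a URL builder that uses Uri.Builder instead of string concatenation. The object and function names, the preferences file name and the host are assumptions.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import android.net.Uri
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Hypothetical helper (names and file name are assumptions for this example).
object SecureTokenStore {
    private const val PREFS_FILE = "auth_prefs"
    private const val KEY_TOKEN = "auth_token"

    // The master key lives in the Android Keystore, so the token is stored
    // encrypted on disk and the key material never leaves the Keystore.
    private fun prefs(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context,
            PREFS_FILE,
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }

    fun saveToken(context: Context, token: String) =
        prefs(context).edit().putString(KEY_TOKEN, token).apply()

    fun readToken(context: Context): String? =
        prefs(context).getString(KEY_TOKEN, null)

    fun clearToken(context: Context) =
        prefs(context).edit().remove(KEY_TOKEN).apply()
}

// Builds a request URL from untrusted input with Uri.Builder. Each query value
// is percent-encoded, so an input such as "foo&admin=true" stays a single
// value of "q" instead of becoming a second parameter as it would with
// "https://host/search?q=" + query.
fun buildSearchUrl(query: String, page: Int): String =
    Uri.Builder()
        .scheme("https")
        .authority("api.example.com")   // placeholder host
        .appendPath("v1")
        .appendPath("search")
        .appendQueryParameter("q", query)
        .appendQueryParameter("page", page.toString())
        .build()
        .toString()
```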

References

  • Setup Examples
  • [common/common-security-standards] — shared OWASP baselines
  • [android/android-legacy-security] — Intent, WebView, and FileProvider hardening