Agent-skills-standard android-legacy-security
Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider. (triggers: **/*Activity.kt, **/*WebView*.kt, AndroidManifest.xml, Intent, WebView, FileProvider, javaScriptEnabled)
install
source · Clone the upstream repo
git clone https://github.com/HoangNguyen0403/agent-skills-standard
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/android/android-legacy-security" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-android-legacy-security && rm -rf "$T"
manifest:
skills/android/android-legacy-security/SKILL.md
source content
Android Legacy Security Standards
Priority: P0
1. Secure Intents and Components
- Set android:exported="false" for all internal Activities/Services unless needed for deep links.
- Verify resolveActivity before starting implicit intents.
- Treat all incoming Intent extras as untrusted — validate all schema/data types.
See hardening examples for manifest and component restrictions.
2. Lock Down WebViews
- Default to javaScriptEnabled = false. Use WebViewClient and WebChromeClient to restrict navigation.
- Disable allowFileAccess and allowFileAccessFromFileURLs to prevent local file theft via XSS.
- If using @JavascriptInterface (API 17+), strictly limit exposed API surface.
See hardening examples for WebView lockdown patterns.
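Sections 1 and 2 combined, as an added example (not code from this skill or its repository): an Activity that treats a URL extra as untrusted and loads it into a locked-down WebView only after validation. HelpActivity, EXTRA_URL and ALLOWED_HOST are hypothetical names constructed for the illustration; the shouldOverrideUrlLoading overload used here requires API 24+.

```kotlin
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.os.Message
import android.webkit.WebChromeClient
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical names and values, constructed for this example.
private const val EXTRA_URL = "com.example.app.extra.URL"
private const val ALLOWED_HOST = "help.example.com"

// Only HTTPS pages on the single allowed host, with no user@host form, may be shown.
fun isAllowed(uri: Uri?): Boolean =
    uri != null && uri.scheme == "https" && uri.host == ALLOWED_HOST && uri.userInfo == null

// Extras are caller-controlled: getStringExtra yields null if absent or not a String.
fun trustedUrlFrom(intent: Intent): Uri? =
    intent.getStringExtra(EXTRA_URL)?.let { Uri.parse(it) }?.takeIf { isAllowed(it) }

class HelpActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val url = trustedUrlFrom(intent) ?: run { finish(); return }  // fail closed
        val webView = WebView(this)
        webView.settings.apply {
            javaScriptEnabled = false            // enable only if the content cannot work without it
            allowFileAccess = false              // no file:// loads
            allowFileAccessFromFileURLs = false  // deprecated since API 30, still set explicitly
        }
        webView.webViewClient = object : WebViewClient() {
            // Returning true cancels the navigation; anything off the allowlist is dropped.
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest) =
                !isAllowed(request.url)
        }
        webView.webChromeClient = object : WebChromeClient() {
            // Refuse pop-up windows requested by page content.
            override fun onCreateWindow(view: WebView, isDialog: Boolean,
                                        isUserGesture: Boolean, resultMsg: Message) = false
        }
        setContentView(webView)
        // loadUrl() itself is not routed through shouldOverrideUrlLoading, hence the check above.
        webView.loadUrl(url.toString())
    }
}
```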
3. Protect Storage and Files
- NEVER expose file:// URIs. Use FileProvider to generate content:// URIs with temporary permissions.
- Use EncryptedSharedPreferences for auth tokens and PII. Never use MODE_WORLD_READABLE.
- Use NetworkSecurityConfig to disable cleartextTrafficPermitted and implement certificate pinning.
Anti-Patterns
- No Implicit Intents Internally: Use explicit intents with component class name.
- No MODE_WORLD_READABLE: Never use for SharedPreferences or files.