android-legacy-security

$ npx mdskill add HoangNguyen0403/agent-skills-standard/android-legacy-security


SKILL.md

.github/skills/android-legacy-security
---
name: android-legacy-security
description: Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider.
metadata:
  triggers:
    files:
    - '**/*Activity.kt'
    - '**/*WebView*.kt'
    - 'AndroidManifest.xml'
    keywords:
    - Intent
    - WebView
    - FileProvider
    - javaScriptEnabled
---
# Android Legacy Security Standards

## **Priority: P0**

## 1. Secure Intents and Components

- Set `android:exported="false"` for all internal Activities/Services unless needed for deep links.
- Verify that `resolveActivity` returns a non-null result before starting implicit intents.
- Treat all incoming Intent extras as untrusted: validate the schema and data type of every extra before use.

See [hardening examples](references/implementation.md) for manifest and component restrictions.

## 2. Lock Down WebViews

- Default to `javaScriptEnabled = false`. Use `WebViewClient` and `WebChromeClient` to restrict navigation.
- Disable `allowFileAccess` and `allowFileAccessFromFileURLs` to prevent local file theft via XSS.
- If using `@JavascriptInterface` (API 17+), strictly limit the exposed API surface.

See [hardening examples](references/implementation.md) for WebView lockdown patterns.
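
The settings above combined with a navigation allowlist, as an added example (not taken from this skill's `references/implementation.md`). The host `app.example.com` and the function names `isAllowedUrl`, `hardenWebView` and `loadTrusted` are assumptions made for illustration.

```kotlin
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical allowlist for this example; list only hosts the app must load.
private val ALLOWED_HOSTS = setOf("app.example.com")

// Pure URL check, kept apart from the WebView so it can be unit tested.
fun isAllowedUrl(uri: Uri): Boolean {
    // Rejects file:, content:, http: and javascript: URLs.
    if (!uri.scheme.equals("https", ignoreCase = true)) return false
    val host = uri.host?.lowercase() ?: return false
    // Exact match only, so "app.example.com.evil.test" fails.
    return host in ALLOWED_HOSTS
}

@Suppress("DEPRECATION") // the *FromFileURLs setters are deprecated since API 30; still set for older devices
fun hardenWebView(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = false
        allowFileAccess = false
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false // related setter, not named in the list above
    }
    webView.webViewClient = object : WebViewClient() {
        // API 24+ overload. Returning true cancels the navigation.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
            !isAllowedUrl(request.url)
    }
}

// A URL passed straight to loadUrl() is not offered to shouldOverrideUrlLoading,
// so the same check is applied before the initial load.
fun loadTrusted(webView: WebView, url: String): Boolean {
    if (!isAllowedUrl(Uri.parse(url))) return false
    webView.loadUrl(url)
    return true
}
```

`shouldOverrideUrlLoading` covers navigations only; subresource requests made by a loaded page do not go through it.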

## 3. Protect Storage and Files

- **NEVER expose `file://` URIs**. Use `FileProvider` to generate `content://` URIs with temporary permissions.
- Use `EncryptedSharedPreferences` for auth tokens and PII. Never use `MODE_WORLD_READABLE`.
- Use `NetworkSecurityConfig` to disable `cleartextTrafficPermitted` and implement certificate pinning.

## Anti-Patterns

- **No Implicit Intents Internally**: Use explicit intents with the component class name.
- **No MODE_WORLD_READABLE**: Never use for SharedPreferences or files.

## References

- [Hardening Examples](references/implementation.md)
