> android-security
Secure Data Encryption, Network Security, and Permissions on Android. Use when handling API keys, auth tokens, cleartext traffic, android:exported, EncryptedSharedPreferences, certificate pinning, or root detection — even if the user just asks 'is this secure'. (triggers: network_security_config.xml, AndroidManifest.xml, EncryptedSharedPreferences, cleartextTrafficPermitted, intent-filter, api key, token storage, certificate pinning, root detection, secure storage)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/android-security?format=md"
Android Security Standards
Priority: P0 (CRITICAL)
Implementation Guidelines
Data Storage
- Secrets: NEVER store API keys in code. Use EncryptedSharedPreferences for sensitive local data (Tokens).
- Keystore: Use Android Keystore System for cryptographic keys.
Network
- HTTPS: Enforce HTTPS via network_security_config.xml (cleartextTrafficPermitted="false").
- Pinning: Consider Certificate Pinning for high-security apps.
Component Export
- Exported: Explicitly set android:exported="false" for Activities/Receivers unless intended for external use.
Anti-Patterns
- No Sensitive Logs: Strip logs in Release builds.
- No Homebrew Root Detection: Use Play Integrity API instead.
- No Raw URL String Concatenation: Use Uri.Builder or HttpUrl (OkHttp) to prevent parameter injection.
References
- Setup Examples
- [common/common-security-standards] — shared OWASP baselines
- [android/android-legacy-security] — Intent, WebView, and FileProvider hardening