android-security-best-practices


Android Security Best Practices

When To Use

  • Use this skill when the request is about: android security review, secret handling android app, exported component security android.
  • Primary outcome: Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege.
  • Read references/patterns.md when you need the attack-surface checklist or the storage/network/component decision matrix.
  • Read references/scenarios.md for manifest, backup, WebView, and release-hardening review paths.
  • Handoff skills when the scope expands:
      ◦ android-modernization-upgrade
      ◦ android-ci-cd-release-playstore

Workflow

  1. Inventory the attack surface first: exported components, intent/deep link entry points, file sharing, WebView usage, local storage, logs, backups, and network trust config.
  2. Remove avoidable risk before hardening details: prefer platform pickers and choosers, internal storage, server-issued short-lived tokens, and least-privilege permissions instead of shipping broad access or long-lived secrets.
  3. Lock the remaining boundaries explicitly with android:exported, component permissions, FileProvider, networkSecurityConfig, debug-only trust anchors, and immutable PendingIntents.
  4. Review sensitive surfaces that often regress in Android apps: WebView JavaScript bridges, backup/data extraction rules, cleartext exceptions, log redaction, and same-developer IPC assumptions.
  5. Validate the release posture with reproducible checks, then document residual risks and whether backend enforcement or Play Integrity is advisory or blocking.
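One reproducible check for step 5, added here as an example and not part of this skill's own files: a small Python lint over the merged AndroidManifest.xml that flags the manifest-level regressions the workflow lists (implicit android:exported, exported components without a permission, cleartext traffic, missing networkSecurityConfig, backups without extraction rules). The attribute names are the real Android ones; the sample manifest and the finding wording are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(attr: str) -> str:
    return f"{{{ANDROID_NS}}}{attr}"  # ElementTree spells android:foo as {namespace}foo

def audit_manifest(manifest_xml: str) -> list[str]:
    """Return findings for exported components, backups, cleartext and network config; [] means clean."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element"]
    findings = []
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append("application: usesCleartextTraffic=true; scope cleartext exceptions in networkSecurityConfig")
    if app.get(a("networkSecurityConfig")) is None:
        findings.append("application: no android:networkSecurityConfig declared")
    # allowBackup defaults to true; without extraction rules, app data is exposed to backup/transfer paths
    if app.get(a("allowBackup"), "true") == "true" and not (
            app.get(a("dataExtractionRules")) or app.get(a("fullBackupContent"))):
        findings.append("application: backups allowed without dataExtractionRules/fullBackupContent")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(a("name"), "?")
            exported = comp.get(a("exported"))
            has_filter = comp.find("intent-filter") is not None
            # the launcher activity is the one exported component that legitimately carries no permission
            is_launcher = any(act.get(a("name")) == "android.intent.action.MAIN" for act in comp.iter("action"))
            if exported is None and (has_filter or tag == "provider"):
                findings.append(f"{tag} {name}: android:exported not set explicitly")
            elif exported == "true" and not is_launcher and comp.get(a("permission")) is None:
                findings.append(f"{tag} {name}: exported without android:permission")
    return findings

# Constructed sample manifest showing several regressions from the workflow above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".ExportedService" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Run it against the manifest produced by the release build (the merged manifest, not only the module source) so library-contributed components are covered too.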

Installs: 20 · GitHub Stars: 13 · First Seen: Mar 7, 2026
android-security-best-practices — krutikjain/android-agent-skills