mobile-security

Android security patterns for secure storage, network security, input validation, and authentication.

Best use case

mobile-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using mobile-security should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/mobile-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/testing-security/mobile-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/mobile-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How mobile-security Compares

| Feature / Agent | mobile-security | Standard Approach |
| --- | --- | --- |
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Android security patterns for secure storage, network security, input validation, and authentication.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Mobile Security Patterns

Security best practices for Android.

## Secure Storage

### EncryptedSharedPreferences

```kotlin
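import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Create encrypted preferences (keys and values are both encrypted on disk)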
private fun createSecurePrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    
    return EncryptedSharedPreferences.create(
        context,
        "secure_prefs",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

// Usage
class TokenStorage(context: Context) {
    private val prefs = createSecurePrefs(context)
    
    var accessToken: String?
        get() = prefs.getString("access_token", null)
        set(value) = prefs.edit().putString("access_token", value).apply()
    
    fun clear() = prefs.edit().clear().apply()
}
```

### Android Keystore

```kotlin
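import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import javax.crypto.KeyGenerator

// Generate key in Keystore; the key material is not exportable to the app process
fun generateSecretKey(alias: String) {
    val keyGenerator = KeyGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_AES,
        "AndroidKeyStore"
    )

    keyGenerator.init(
        KeyGenParameterSpec.Builder(alias,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)
            // API 30+: key is usable for 300 s after a strong (Class 3) biometric auth;
            // pass 0 instead to require authentication for every use of the key
            .setUserAuthenticationParameters(300, KeyProperties.AUTH_BIOMETRIC_STRONG)
            .build()
    )

    keyGenerator.generateKey()
}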
```

## Network Security

### Network Security Config

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from the manifest's application element via android:networkSecurityConfig -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    
    <!-- Debug only -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
    
    <!-- Certificate pinning: primary pin plus a backup pin.
         Pins stop being enforced after the expiration date. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

### Certificate Pinning (Ktor)

```kotlin
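import io.ktor.client.HttpClient
import io.ktor.client.engine.okhttp.OkHttp
import okhttp3.CertificatePinner

// Pins are "sha256/" + base64 of the SHA-256 hash of the certificate's public key info
val client = HttpClient(OkHttp) {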
    engine {
        config {
            certificatePinner(
                CertificatePinner.Builder()
                    .add("api.example.com", "sha256/AAAA...")
                    .add("api.example.com", "sha256/BBBB...")  // Backup
                    .build()
            )
        }
    }
}
```

## Safe Logging

```kotlin
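import android.app.Application
import android.util.Log
import com.google.firebase.crashlytics.FirebaseCrashlytics
import timber.log.Timber

// ❌ NEVER log sensitive data
Log.d("Auth", "Token: $token")

// ✅ Release-safe logging with Timber
class ReleaseTree : Timber.Tree() {
    override fun log(priority: Int, tag: String?, message: String, t: Throwable?) {
        if (priority >= Log.WARN) {
            // Send to crash reporting (Firebase Crashlytics SDK); nothing goes to logcat
            val crashlytics = FirebaseCrashlytics.getInstance()
            crashlytics.log("${tag ?: "app"}: $message")
            if (t != null) crashlytics.recordException(t)
        }
    }
}

// In Application
class App : Application() {
    override fun onCreate() {
        super.onCreate()
        if (BuildConfig.DEBUG) {
            Timber.plant(Timber.DebugTree())
        } else {
            Timber.plant(ReleaseTree())
        }
    }
}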

## Input Validation

```kotlin
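import android.util.Patterns
import androidx.room.Dao
import androidx.room.Query

// Result.failure() needs a Throwable, so the error type extends Exception
sealed class ValidationError : Exception() {
    object Empty : ValidationError()
    object InvalidFormat : ValidationError()
    object TooLong : ValidationError()
}

// Validate before use
fun validateEmail(email: String): Result<String> {
    return when {
        email.isBlank() -> Result.failure(ValidationError.Empty)
        !Patterns.EMAIL_ADDRESS.matcher(email).matches() ->
            Result.failure(ValidationError.InvalidFormat)
        email.length > 254 -> Result.failure(ValidationError.TooLong)
        else -> Result.success(email)
    }
}

// SQL injection prevention - use parameterized queries
@Dao
interface UserDao {
    // :userId is bound as a statement parameter, never concatenated into the SQL text
    // (User is the app's Room entity)
    @Query("SELECT * FROM users WHERE id = :userId")
    suspend fun getUser(userId: String): User?
}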

## Biometric Authentication

```kotlin
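import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import javax.crypto.Cipher

// `cipher` must already be initialised (Cipher.init) with a Keystore key
fun authenticateWithCipher(activity: FragmentActivity, cipher: Cipher) {
    val executor = ContextCompat.getMainExecutor(activity)

    val biometricPrompt = BiometricPrompt(
        activity,
        executor,
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val authedCipher = result.cryptoObject?.cipher
                // Use authedCipher to decrypt sensitive data
            }
        }
    )

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Authenticate")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .build()

    biometricPrompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}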
```
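
Added example, not part of the original SKILL.md: one way to build the `cipher` that the Android Keystore and Biometric Authentication snippets leave undefined, and to use it once the prompt succeeds. The function names and the `IV || ciphertext` blob layout are assumptions made for this sketch. It also assumes the key was generated with an authentication timeout of 0 (authentication per use), because `Cipher.init()` on a key with a non-zero timeout throws `UserNotAuthenticatedException` outside that window.

```kotlin
import android.security.keystore.KeyPermanentlyInvalidatedException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val IV_LEN = 12     // bytes; the IV size AndroidKeyStore uses for GCM
private const val TAG_BITS = 128

// Hypothetical helper: returns an initialised cipher, or null if the key is
// missing or has been permanently invalidated.
private fun initCipher(alias: String, mode: Int, spec: GCMParameterSpec? = null): Cipher? {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = ks.getKey(alias, null) as? SecretKey ?: return null
    return try {
        Cipher.getInstance(TRANSFORMATION).apply {
            if (spec == null) init(mode, key) else init(mode, key, spec)
        }
    } catch (e: KeyPermanentlyInvalidatedException) {
        // Biometric enrolment changed or the secure lock screen was removed: the key
        // is dead and data encrypted under it is unrecoverable. Drop it, re-provision.
        ks.deleteEntry(alias)
        null
    }
}

// Encrypt: no IV is supplied; the Keystore generates a random one during init.
fun encryptCipher(alias: String): Cipher? = initCipher(alias, Cipher.ENCRYPT_MODE)

// Decrypt: the IV is read back from the front of the stored blob.
fun decryptCipher(alias: String, blob: ByteArray): Cipher? {
    require(blob.size >= IV_LEN + TAG_BITS / 8) { "blob too short" }
    return initCipher(alias, Cipher.DECRYPT_MODE, GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN))
}

// Call these with result.cryptoObject?.cipher from onAuthenticationSucceeded,
// i.e. the same Cipher instance that was handed to authenticate().
fun seal(authed: Cipher, plaintext: ByteArray): ByteArray =
    authed.iv + authed.doFinal(plaintext)             // IV || ciphertext || tag

fun unseal(authed: Cipher, blob: ByteArray): ByteArray =
    authed.doFinal(blob, IV_LEN, blob.size - IV_LEN)  // AEADBadTagException if modified
```

A null return from `encryptCipher` or `decryptCipher` means the app should generate a new key and ask the user to sign in again rather than retry the prompt.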

## ProGuard/R8 Security

```proguard
# R8 rules for security
-keepattributes SourceFile,LineNumberTable  # For crash reports only

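# Move all renamed classes into a single package to hide the package structure
-repackageclasses 'a'
-allowaccessmodification

# Remove debug/verbose/info logging (requires optimization to be enabled; Log.w and Log.e are kept)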
-assumenosideeffects class android.util.Log {
    public static *** d(...);
    public static *** v(...);
    public static *** i(...);
}
```

---

**Remember**: Security is not optional. Build it in from the start.
