- Encrypted Preferences - To avoid rooted devices reading the preference data.
- API keys or any sensitive information should not be stored in the front-end unless there is a protective mechanism to validate the access (like google json to validate maps and firebase db). Store the sensitive data in server side and let only valid users access the server to retrieve the api.
- Make sure to add validation in the backend / serverside as well. For example, verifying whether the password field is empty in both front-end and backend before letting user register.
- Use
exported = trueonly if you need the service / broadcast receiver to be called from an another application. For example a music player app with a background playback service, can export the service to give play / pause control to an external app. If we are using this feature, make sure to secure it by adding a custom permission and permission level as well.
Resources: