Top 3 most common Android Security rules
Android Security Rules
Don't save your API Keys as a constant in code because this makes it easy for people to reverse engineer your app and find them. Instead, save them in a local Gradle properties file and restrict them server-side as much as possible because you can't completely prevent reverse engineering.
Keep your dependencies UP-TO-DATE
Unless something else forces you to use an earlier version, you should usually update dependencies, which can help to fix vulnerabilities.
Do not save passwords and tokens in SharedPreferences; instead, use the encrypted SharedPreferences from the JetPack crypto library.