diff options
author | Andrew Solovay <asolovay@google.com> | 2015-01-20 15:47:31 -0800 |
---|---|---|
committer | Andrew Solovay <asolovay@google.com> | 2015-01-20 16:10:07 -0800 |
commit | f92dbe01154cf55737297460f43e493b991c7638 (patch) | |
tree | 0e2d497bd0451b70502f10bc23b4f1ab05a7fe2e /docs/html/training | |
parent | c987ca05010a8cc06572d5b04c93fb6404f8bf45 (diff) | |
download | frameworks_base-f92dbe01154cf55737297460f43e493b991c7638.zip frameworks_base-f92dbe01154cf55737297460f43e493b991c7638.tar.gz frameworks_base-f92dbe01154cf55737297460f43e493b991c7638.tar.bz2 |
docs: WebView security notes for apps on pre-K devices
Added paragraph describing security precautions for apps that use
WebView on devices running versions older than Android 4.4. See first
comment for doc stage location.
bug: 19075466
Change-Id: I69937d8dfc37ec1ba693f969500b9dc7404c4635
Diffstat (limited to 'docs/html/training')
-rw-r--r-- | docs/html/training/articles/security-tips.jd | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/docs/html/training/articles/security-tips.jd b/docs/html/training/articles/security-tips.jd index e05b44c..3215a0e 100644 --- a/docs/html/training/articles/security-tips.jd +++ b/docs/html/training/articles/security-tips.jd @@ -445,7 +445,17 @@ locally. Server-side headers like <code>no-cache</code> can also be used to indicate that an application should not cache particular content.</p> - +<p>Devices running platforms older than Android 4.4 (API level 19) +use a version of {@link android.webkit webkit} that has a number of security issues. +As a workaround, if your app is running on these devices, it +should confirm that {@link android.webkit.WebView} objects display only trusted +content. You should also use the updatable security {@link +java.security.Provider Provider} object to make sure your app isn’t exposed to +potential vulnerabilities in SSL, as described in <a +href="{@docRoot}training/articles/security-gms-provider.html">Updating Your +Security Provider to Protect Against SSL Exploits</a>. If your application must +render content from the open web, consider providing your own renderer so +you can keep it up to date with the latest security patches.</p> <h3 id="Credentials">Handling Credentials</h3> |