Update the documentation for content provider security.

Without this documentation fix, developers will not know that
apps on pre-Gingercomb devices will inadvertantly export their content
providers. With knowledge of the solid workaround, they can make their apps
secure.

Change-Id: I1f096aff19500cd3d3fd2955a9dec59d8e7c6a73

1 files changed, 13 insertions, 4 deletions

diff --git a/docs/html/guide/topics/manifest/provider-element.jd b/docs/html/guide/topics/manifest/provider-element.jd
index c80b207..bee87e6 100644
--- a/docs/html/guide/topics/manifest/provider-element.jd
+++ b/docs/html/guide/topics/manifest/provider-element.jd
@@ -96,10 +96,19 @@ If "{@code false}", the provider is available only to components of the
 same application or applications with the same user ID.  The default value
 is "{@code true}".
 
-<p>
-You can export a content provider but still limit access to it with the
-<code><a href="{@docRoot}guide/topics/manifest/provider-element.html#prmsn">permission</a></code> attribute.
-</p></dd> 
+<p>You can export a content provider but still limit access to it with the
+<code><a
+href="{@docRoot}guide/topics/manifest/provider-element.html#prmsn">permission</a></code>
+attribute. Note that due to a bug in versions of Android prior to {@link
+android.os.Build.VERSION_CODES#VERSION_GINGERBREAD} providers were exported
+even if {@code android:exported} were set to {@code false}. Therefore, for
+provider security on all devices, protect your provider with a
+signature-level permission. For information on defining a permission, see
+the <a
+href="{@docRoot}guide/topics/manifest/permission-element.html">permission
+element</a>.  For information on using the permission, see the <a
+href="{@docRoot}guide/topics/manifest/uses-permission-element.html">uses-permission
+element</a>.</p></dd>
 
 <dt><a name="gprmsn"></a>{@code android:grantUriPermissions}</dt>
 <dd>Whether or not those who ordinarily would not have permission to