From f92dbe01154cf55737297460f43e493b991c7638 Mon Sep 17 00:00:00 2001 From: Andrew Solovay Date: Tue, 20 Jan 2015 15:47:31 -0800 Subject: docs: WebView security notes for apps on pre-K devices Added paragraph describing security precautions for apps that use WebView on devices running versions older than Android 4.4. See first comment for doc stage location. bug: 19075466 Change-Id: I69937d8dfc37ec1ba693f969500b9dc7404c4635 --- docs/html/training/articles/security-tips.jd | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'docs/html/training') diff --git a/docs/html/training/articles/security-tips.jd b/docs/html/training/articles/security-tips.jd index e05b44c..3215a0e 100644 --- a/docs/html/training/articles/security-tips.jd +++ b/docs/html/training/articles/security-tips.jd @@ -445,7 +445,17 @@ locally. Server-side headers like no-cache can also be used to indicate that an application should not cache particular content.

- +

Devices running platforms older than Android 4.4 (API level 19) +use a version of {@link android.webkit webkit} that has a number of security issues. +As a workaround, if your app is running on these devices, it +should confirm that {@link android.webkit.WebView} objects display only trusted +content. You should also use the updatable security {@link +java.security.Provider Provider} object to make sure your app isn’t exposed to +potential vulnerabilities in SSL, as described in Updating Your +Security Provider to Protect Against SSL Exploits. If your application must +render content from the open web, consider providing your own renderer so +you can keep it up to date with the latest security patches.

Handling Credentials
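
Review bot: "display only trusted content" in the added paragraph is left undefined, so a developer reading "it should confirm that {@link android.webkit.WebView} objects display only trusted content" has no concrete check to implement. Suggest saying what counts as trusted in this context (for example, content packaged with the app or loaded over HTTPS from servers the developer controls), or linking to the part of the document that defines it. In the same sentence group, "has a number of security issues" gives the reader nothing to assess the risk with; a pointer to where those issues are described would make the workaround easier to justify. The final sentence recommends "providing your own renderer" for open-web content without saying what the app should do if that is not feasible, so a fallback recommendation belongs there. Style: the paragraph switches subject from "it should confirm" (the app) to "You should also use" (the developer), so pick one voice, and "isn’t" uses a typographic apostrophe where the rest of the visible text is plain ASCII.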

-- cgit v1.1