DO NOT MERGE Clarify the explanation of Android's security design.

Assert plainly that Dalvik is not a boundary.

Certificates are for distinction, not "fake trustworthiness through
verifying cheap identities".

Clarify that UID + GID are what the kernel bases its protection on, not PID.
This is a fuzzy distinction on Android since (apart from sharedUserId and
magical system processes) there is a 1:1 mapping from process <-> UID.  But
it's important to clarify what we mean.

Clarify up front about the staticness (staticity?) of permissions. It's
explained lower down, but experience shows people don't read that far down.
Get the rationale (bad UX --> bad security) right up top.

Change-Id: I403310668d7ba42e44239055cb480c086ef76cbc