Commit 607c17f9 authored by Scott Rowe
cherrypick from klp-docs docs: security consideration for Android <4.2...

cherrypick from klp-docs docs: security consideration for Android <4.2 Change-Id: I5fe51641539f7ffe7abcdb0618371dd3f4b62ab5

Change-Id: I9838519ad3e0c2fb3957829fc448b1ae6bd1d62b
parent edcf7c51
+8 −4
@@ -1637,9 +1637,12 @@ public class WebView extends AbsoluteLayout
     * <ul>
     * <li> This method can be used to allow JavaScript to control the host
     * application. This is a powerful feature, but also presents a security
     * risk for applications targeted to API level
     * {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or below, because
     * JavaScript could use reflection to access an
     * risk for apps targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or earlier.
     * Apps that target a version later than {@link android.os.Build.VERSION_CODES#JELLY_BEAN}
     * are still vulnerable if the app runs on a device running Android earlier than 4.2.
     * The most secure way to use this method is to target {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1}
     * and to ensure the method is called only when running on Android 4.2 or later.
     * With these older versions, JavaScript could use reflection to access an
     * injected object's public fields. Use of this method in a WebView
     * containing untrusted content could allow an attacker to manipulate the
     * host application in unintended ways, executing Java code with the
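Review bot: "With these older versions" in the added text is ambiguous, because the preceding sentences talk about two different things: the API level the app targets and the Android version the device runs. The new second sentence makes clear that the device's platform version is what decides exposure, so the sentence that follows should say so directly, for example "On devices running Android earlier than 4.2, JavaScript could use reflection to access an injected object's public fields." The paragraph also mixes the constant {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1} with the marketing name "Android 4.2"; stating the API level (17) once would let readers tie the two together. The advice to "ensure the method is called only when running on Android 4.2 or later" gives no hint of how to do that; naming the runtime check against android.os.Build.VERSION#SDK_INT would make it actionable. Finally, the added line beginning "The most secure way to use this method is to target" is noticeably longer than the surrounding Javadoc lines and should be wrapped.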
@@ -1647,7 +1650,8 @@ public class WebView extends AbsoluteLayout
     * method in a WebView which could contain untrusted content.</li>
     * <li> JavaScript interacts with Java object on a private, background
     * thread of this WebView. Care is therefore required to maintain thread
     * safety.</li>
     * safety.
     * </li>
     * <li> The Java object's fields are not accessible.</li>
     * </ul>
     *
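Review bot: the split of "safety.</li>" into "safety." followed by "</li>" on its own line is a whitespace-only change unrelated to the security note this commit is about, and it leaves this list item formatted differently from its neighbours ("untrusted content.</li>" and "not accessible.</li>" both keep the closing tag on the same line). Suggest dropping this hunk from the cherry-pick. Separately, the context line "The Java object's fields are not accessible." sits awkwardly next to the first bullet's statement that JavaScript "could use reflection to access an injected object's public fields" on older versions; since this commit is already clarifying version-specific behaviour, it would be worth qualifying one of the two so the bullets do not read as contradictory.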