Updated "Designing for Security" documentation (a15562f8) · Commits · e / os / android_frameworks_base

docs/html/guide/practices/security.jd

+10 −1

Original line number	Diff line number	Diff line
		@@ -552,7 +552,7 @@ the minimum functionality required by your application.</p>
		<p>If your application does not directly use JavaScript within a <code><a
		href="{@docRoot}reference/android/webkit/WebView.html">WebView</a></code>, do
		not call
		<a href="{@docRoot}reference/android/webkit/WebSettings.html#setJavaScriptEnabled(boolean)
		<a href="{@docRoot}reference/android/webkit/WebSettings.html#setJavaScriptEnabled(boolean)">
		<code>setJavaScriptEnabled()</code></a>. We have seen this method invoked
		in sample code that might be repurposed in production application -- so
		remove it if necessary. By default, <code><a
		@@ -686,6 +686,15 @@ with personal information. This topic is discussed in more detail in the <a
		href="http://android-developers.blogspot.com/2011/03/identifying-app-installatio
		ns.html">Android Developer Blog</a>.</p>

		<p>Application developers should be careful writing to on-device logs.
		In Android, logs are a shared resource, and are available
		to an application with the
		<a href="{@docRoot}reference/android/Manifest.permission.html#READ_LOGS">
		<code>READ_LOGS</code></a> permission. Even though the phone log data
		is temporary and erased on reboot, inappropriate logging of user information
		could inadvertently leak user data to other applications.</p>


		<h3>Handling Credentials</h3>

		<p>In general, we recommend minimizing the frequency of asking for user