Updated "Designing for Security" documentation
Change-Id: I1fe5b353d750695f75370ef31ae1b39e50159164
Signed-off-by: Adrian Ludwig <aludwig@google.com>
diff --git a/docs/html/guide/practices/security.jd b/docs/html/guide/practices/security.jd
index 5da7e98..476c301 100644
--- a/docs/html/guide/practices/security.jd
+++ b/docs/html/guide/practices/security.jd
@@ -552,7 +552,7 @@
<p>If your application does not directly use JavaScript within a <code><a
href="{@docRoot}reference/android/webkit/WebView.html">WebView</a></code>, do
not call
-<a href="{@docRoot}reference/android/webkit/WebSettings.html#setJavaScriptEnabled(boolean)
+<a href="{@docRoot}reference/android/webkit/WebSettings.html#setJavaScriptEnabled(boolean)">
<code>setJavaScriptEnabled()</code></a>. We have seen this method invoked
in sample code that might be repurposed in production application -- so
remove it if necessary. By default, <code><a
@@ -686,6 +686,15 @@
href="http://android-developers.blogspot.com/2011/03/identifying-app-installatio
ns.html">Android Developer Blog</a>.</p>
+<p>Application developers should be careful writing to on-device logs.
+In Android, logs are a shared resource, and are available
+to an application with the
+<a href="{@docRoot}reference/android/Manifest.permission.html#READ_LOGS">
+<code>READ_LOGS</code></a> permission. Even though the phone log data
+is temporary and erased on reboot, inappropriate logging of user information
+could inadvertently leak user data to other applications.</p>
+
+
<h3>Handling Credentials</h3>
<p>In general, we recommend minimizing the frequency of asking for user