@@ -284,22 +284,26 @@ public BinderChannelBuilder strictLifecycleManagement() {
284284 }
285285
286286 /**
287- * Checks server addresses against this channel's {@link SecurityPolicy} *before* connecting .
287+ * Checks servers against this channel's {@link SecurityPolicy} *before* binding .
288288 *
289289 * <p>Android users can be tricked into installing a malicious app with the same package name as a
290290 * legitimate server. That's why we don't send calls to a server until it has been authorized by
291- * an appropriate {@link SecurityPolicy}. But merely connecting to a malicious server can enable
292- * "keep-alive" and "background activity launch" attacks, even if that server is ultimately
293- * disallowed by the channel's security policy . Pre-authorization is even more important for
294- * security when the server's address isn't known in advance but rather resolved via target URI or
295- * discovered by other means.
291+ * an appropriate {@link SecurityPolicy}. But merely binding to a malicious server can enable
292+ * "keep-alive" and "background activity launch" attacks, even if security policy ultimately
293+ * causes the grpc connection to fail . Pre-authorization is especially important for security when
294+ * the server's address isn't known in advance but rather resolved via target URI or discovered by
295+ * other means.
296296 *
297- * <p>Pre-authorization is strongly recommended but it remains optional for now because of the
298- * small performance cost and because it precludes servers that proxy their "endpoint binder"
299- * through another (unauthorized) app (not recommended, but technically a behavior change).
297+ * <p>Note that, unlike ordinary authorization, pre-authorization is performed against the server
298+ * app's UID, not the UID of the server process. These can be different, most commonly due to
299+ * services that set `android:isolatedProcess=true`.
300+ *
301+ * <p>Pre-authorization is strongly recommended but it remains optional for now because of this
302+ * behavior change and the small performance cost.
300303 *
301304 * <p>The default value of this property is false but it will become true in a future release.
302- * Clients that require a particular behavior should configure it explicitly using this method.
305+ * Clients that require a particular behavior should configure it explicitly using this method
306+ * rather than relying on the default.
303307 */
304308 public BinderChannelBuilder preAuthorizeServers (boolean preAuthorize ) {
305309 transportFactoryBuilder .setPreAuthorizeServers (preAuthorize );
0 commit comments