docs: Recommend not using email address in payload string

See first comment for doc stage location. bug: 26492391 Change-Id: I72c159f1a7b71ff67c0d2c5b634dcc72d9150e6a
author: Andrew Solovay <asolovay@google.com> 2016-01-27 12:58:52 -0800
committer: Andrew Solovay <asolovay@google.com> 2016-02-01 11:06:01 -0800
commit: 74916a5682e3cc0918067a3e3d4fd09f7404af6f (patch)
tree: 40eb4c3ee5cc1d6513a2b953a7e4112ff442f3f4 /docs/html
parent: b3631e96b61ad3194dc946fefbb66dc513ed2324 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/html/google/play/billing/billing_best_practices.jd b/docs/html/google/play/billing/billing_best_practices.jd
index 9476ffb71e23..70084b8abbcd 100644
--- a/docs/html/google/play/billing/billing_best_practices.jd
+++ b/docs/html/google/play/billing/billing_best_practices.jd
@@ -100,6 +100,12 @@ Google Play returns this string together with the purchase details.</p>
 made the purchase, so that you can later verify that this is a legitimate purchase by
 that user. For consumable items, you can use a randomly generated string, but for non-
 consumable items you should use a string that uniquely identifies the user.</p>
+
+<p class="note">
+  <strong>Note:</strong> Do not use the user's
+  email address in the payload string, since that address may change.
+</p>
+
 <p>When you get back the response from Google Play, make sure to verify that the
 developer payload string matches the token that you sent previously with the purchase
 request. As a further security precaution, you should perform the verification on your
author	Andrew Solovay <asolovay@google.com>	2016-01-27 12:58:52 -0800
committer	Andrew Solovay <asolovay@google.com>	2016-02-01 11:06:01 -0800
commit	74916a5682e3cc0918067a3e3d4fd09f7404af6f (patch)
tree	40eb4c3ee5cc1d6513a2b953a7e4112ff442f3f4 /docs/html
parent	b3631e96b61ad3194dc946fefbb66dc513ed2324 (diff)