He discovered vulnerabilities in early versions of Android. From the docs :
This is a powerful feature, but also poses a security risk to applications targeted at API level JELLY_BEAN or lower, because JavaScript can use reflection to access the declared public field object. Using this method in a WebView containing untrusted content may allow an attacker to manipulate the host application in unintended ways to execute Java code with host expression permissions. Use extreme caution when using this method in a WebView that may contain untrusted content.