Vulnerability Development mailing list archives
RE: JAVA more insecure than true compiled code?
From: "The Picard" <thepicard () rogers com>
Date: Fri, 5 Apr 2002 23:20:58 -0500
If the code is security-sensitive, then it should not reach an untrusted party in any form (machine language as resulted from compiled code or byte-code as resulted from Java). If you want to hide the code from others, use a client-server approach (such as through a web interface) and then the sensitive code will run on the server.

The issue is no different than with other languages: you cannot trust what runs on the client (because it's outside your control). Whether it's compiled code, client-side scripting (like Javascript and VBScript) or a Java applet makes no difference.

On the other hand, Java makes it easier to reverse-engineer the code. Decompilers have been around for years and it's a known design characteristic of the bytecode. It's less of a security issue (compiled programs have been cracked for years, after all) but more of an issue of protecting intellectual property. For a native Java product (which necessarily is given to the customer in bytecode), reverse engineering it is easier for potentially interested competitors.

Decompiling can be made harder with code obfuscators and, although not perfect, they raise the barrier of entry and casually interested people will probably give up. Quite a few commercial Java applications use obfuscators.

So, to answer your question, it's not a security flaw unless the language is misused.

-----Original Message-----
From: steven.sporen () za pwcglobal com [mailto:steven.sporen () za pwcglobal com]
Sent: Friday, April 05, 2002 8:17 AM
To: vuln-dev () securityfocus com
Subject: JAVA more insecure than true compiled code?

Hi,

I was wondering what people's thoughts are regarding the security of code written in JAVA. I recently reverse engineered a product with a freely available JAVA decoder and found that it produced code with variable names, imports, etc., making it very easy to find out how it hung together.

Could this be construed as a security flaw with JAVA?

Thoughts and comments are appreciated.
Steven
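
As an added illustration that is not part of either message above: the names a decompiler recovers are stored in the class file's constant pool, so a vendor can list what a shipped class exposes before and after running an obfuscator. The Python sketch below reads that pool; the class and member names in the sample are hypothetical, and the sample bytes are constructed (file header and constant pool only, not a loadable class).

```python
import struct

# Payload size in bytes of each fixed-width constant-pool tag (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool_names(data: bytes) -> dict:
    """List the class and member names stored in a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)   # after magic, minor, major
    pos, idx = 10, 1                               # pool entries are 1-indexed
    utf8, class_refs, name_types = {}, [], []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                               # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, pos)
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            if tag == 7:                           # CONSTANT_Class -> name index
                class_refs.append(struct.unpack_from(">H", data, pos)[0])
            elif tag == 12:                        # CONSTANT_NameAndType
                name_types.append(struct.unpack_from(">HH", data, pos))
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at entry {idx}")
        idx += 2 if tag in (5, 6) else 1           # long/double occupy two slots
    return {"classes": [utf8[i] for i in class_refs],
            "members": [(utf8[n], utf8[d]) for n, d in name_types]}

def _utf8(text: str) -> bytes:
    raw = text.encode()
    return b"\x01" + struct.pack(">H", len(raw)) + raw

def sample_pool() -> bytes:  # constructed input: header + constant pool only
    entries = [
        _utf8("com/example/LicenseCheck"),         # 1 (hypothetical class name)
        b"\x07" + struct.pack(">H", 1),            # 2 Class -> #1
        _utf8("isValidKey"),                       # 3 (hypothetical method)
        _utf8("(Ljava/lang/String;)Z"),            # 4 its descriptor
        b"\x0c" + struct.pack(">HH", 3, 4),        # 5 NameAndType -> #3, #4
        _utf8("licenseServer"),                    # 6 (hypothetical field)
        _utf8("Ljava/lang/String;"),               # 7 its descriptor
        b"\x0c" + struct.pack(">HH", 6, 7),        # 8 NameAndType -> #6, #7
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 46, len(entries) + 1)
    return header + b"".join(entries)
```

Calling `constant_pool_names(sample_pool())` returns the class name and both member names in clear text; after an obfuscator renames them, the same call shows what identifiers are left.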