Re: Code Cracking in Java
From: "Frank O'Dwyer" <fod () littlecatZ com>
Date: Thu, 13 May 2004 09:29:06 +0100
Suresh Ponnusami wrote:
> All said, .class files are very vulnerable
> to attack due to their platform-independent nature
It's been said already, but I think it's worth reinforcing the point
that this is not a problem peculiar to Java. There are people out there
who can convert compiled code back to C/C++ as fast as they can write.
There are also plenty of tools for debugging/patching code written in
just about any language. If you doubt this, try releasing some useful
commercial package with a registration check, and see how long it takes
before a version of that package with the registration check patched out
appears somewhere on the net.
> and open architecture. (Oops! I might spark a debate
> due to this statement!) But sadly, it is true.
> Also, read the Java JVM vulnerabilities by LSD Group.
As others have mentioned, unless your clients are running in a
trustworthy environment (which for all practical purposes is never the
case), then the only worthwhile approach for dealing with this is to do
server side checks. This especially applies to authentication and
authorisation, which must be validated and maintained on the server,
rather than presuming the client has done some check. And yes, there is
plenty of code out there which does rely on the client to do it, e.g.
clients that retrieve the user's current Windows login identity and then
assert it to the server, which then blindly trusts it.
Frank O'Dwyer <fod () littlecatZ com>
Little cat Z Ltd http://www.littlecatZ.com/
Upcoming events: One day Information Risk Management Seminar - Lord's Cricket Ground London - May 26th 2004 -
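The failure mode Frank describes at the end, a client that asserts the user's identity and a server that blindly trusts it, is worth seeing side by side with the server-side alternative. The following Python is an added example, not code from the thread or from either poster; it models requests as plain dicts, uses constructed sample accounts, and assumes a hypothetical server-held secret (SERVER_KEY) used to mint HMAC-bound session tokens. The vulnerable handler trusts an X-Remote-User header the way the thread's "Windows login identity" clients do; the hardened handler accepts only a token the server itself issued after checking credentials, so a decompiled or patched client gains nothing by editing its own code.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret (assumption, not from the thread). It never
# leaves the server, so a patched client cannot mint or alter tokens.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample accounts; a real service stores salted password hashes.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}
ADMINS = {"bob"}
TOKEN_TTL = 3600  # seconds


def vulnerable_handle(request):
    """The pattern from the thread: the client reads the user's login name and
    asserts it in a header; the server trusts the assertion. A patched client
    can therefore claim any identity, including an admin's."""
    user = request["headers"].get("X-Remote-User")
    if not user:
        return 401, "no identity asserted"
    if request["path"] == "/admin" and user not in ADMINS:
        return 403, "forbidden"
    return 200, f"hello {user}"


def login(username, password):
    """Server-side authentication: check the credentials here, then issue a
    token whose username and expiry are bound by an HMAC under SERVER_KEY."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    expiry = int(time.time()) + TOKEN_TTL
    payload = f"{username}:{expiry}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_token(token, now=None):
    """Return the username only if the token was minted by this server and is
    still valid; any edit to the username or expiry breaks the HMAC."""
    try:
        username, expiry, tag = token.split(":")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, f"{username}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if expiry < (now if now is not None else time.time()):
        return None
    return username


def hardened_handle(request):
    """Identity and authorisation are both decided from server-verified state,
    never from anything the client merely claims about itself."""
    user = verify_token(request["headers"].get("Authorization"))
    if user is None:
        return 401, "authentication required"
    if request["path"] == "/admin" and user not in ADMINS:
        return 403, "forbidden"
    return 200, f"hello {user}"


def demo():
    """A patched client claiming to be the admin 'bob' against both servers,
    followed by a legitimate login as the non-admin 'alice'."""
    forged = {
        "path": "/admin",
        "headers": {"X-Remote-User": "bob", "Authorization": "bob:9999999999:deadbeef"},
    }
    results = {
        "vulnerable": vulnerable_handle(forged)[0],        # 200: server believed the client
        "hardened_forged": hardened_handle(forged)[0],     # 401: no valid server-issued token
    }
    alice = login("alice", "correct-horse")
    results["hardened_alice_admin"] = hardened_handle({"path": "/admin", "headers": {"Authorization": alice}})[0]
    results["hardened_alice_home"] = hardened_handle({"path": "/", "headers": {"Authorization": alice}})[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened version does not make the client any harder to decompile or patch; it simply stops mattering what the client does, because the server decides who the caller is and what they may do using state the client never controlled.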