Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I created a Java programm which works on the serverside to communicate with an Android-App over Sockets. Now I want to check wether it is secure to hacking. I also asked in the Security.SE forum but this is programming related. So what do I need to look for in my Java-program to make it heavy to be exploided?
The first thing to check would be the server it's running on. You can cerainly checkout the https://www.owasp.org/ website. It is always a good source of security threats. Then there are a lot of pentesting tools https://www.kali.org/ has many of them built in.
But the most important might be how you've designed your API, I mean you're not very specific about what you need to know but some rules that will certainly apply:
secure the communication
make sure id theft is as hard as possible
never store userpasswords yourself(use a tokenbased system like oauth)
Obfuscation via proguard makes the program harder to reverse engineer.
Obfuscation combined with Ahead-Of-Time Compilation
1) Obfuscate names and encrypt strings using the tools not relying on the application being delivered in bytecode form. Make sure to disable control/data flow obfuscations.
2) Compile the obfuscated application down to optimized native code.
see link
http://www.excelsior-usa.com/articles/java-obfuscators.html
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
So I'm currently reading the "Java A Beginners Guide 7th Edition" book. And the following sentences seemed to me that Applets could be used as virusis. Was this done?
An Applet is a special kind of Java program that is designed to be transmitted over the Internet and automatically executed inside a Java-compatible web browser.
The key feature of applets is that they execute locally...
To me it sounds like it wouldn't be hard to build in a virus into an Applet.
The problem with applets is that they run automatically when you load the page. They're also so complex (compared to html or javascript) it was just to complicated to be able to meaningfully secure them. Run Automatically + Complicated to Secure + Doesn't Update Automatically = impossible to completely secure.
Regular apps are far far more dangerous to your machine than applets were. But, they don't run automatically when you visit a web page.
Desktop apps written in languages (like C or C++) where you manipulate the memory with pointers and don't automatically bounds check arrays, are much harder to write securely. Languages (like Java or C#) that don't have pointers and do automatically bounds check arrays are easier to write secure apps in.
Java includes many safewards to prevent any ill behavior, but time after time, those security features were not enough because of different bugs or design problems.
As standalone apps they are as safe or risky as any other app. Just make sure to download your app from trusted sources.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Is it possible to compile & run scala code dynamically within Java code.
It is possible to achieve a similar result with JS using mozilla rhino. But, I wonder if it is possible with scala?
Theoretically, yes. But you will need to do a lot of things:
ensure the user entered valid scala code
transfer that source code to the server
compile the scala code
run it from within your server (catch errors, deal with resource leaks, ...)
So, possible: yes. Reasonable: not so much.
Obviously: a lot of work
getting to a decent user experience: even more work (like: telling the user exactly where in his source code input your compilation step found a bug ... hard)
And of course: opens your system for a ton of attack vectors.
If you want your users to be able to run code on the backend server, one wonders: why don't they have admin access to that machine already, and are able to deploy there code right there on the server themselves?!
Sure, Scala has its REPL, and as that one comment pointing to an existing answer implies: it is definitely possible to do that.
But as said: we don't do things because we can, but because it makes sense doing it!
twitter util-eval library seems provide what I need, but it is discontinued.
Here is an old fork:
https://github.com/m3dev/twitter-util-eval
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 3 years ago.
Improve this question
Due to some policy constraint at our company, we cannot use any external Library. I couldn't find any way to do that in Java.
I can think of two ways to avoid using an external library:
Implement your own SSH File Transfer Protocol client using the standard SSLSocket class ad related classes. The specifications are linked from the Wikipedia page. A brief review of the spec suggests that the protocol is not that complicated.
Identify and install a command-line client for SFTP, then use Process and ProcessBuilder to run the client as an external process.
Before you undertake any significant coding work on this, I would advise you to estimate how much dev time it will take to code test and maintain the code. If it seems like a lot, document the estimates and take them to your line manager.
If you are faced with a significant amount of extra work, it may affect your ability to meet your deadlines. Your manager needs to know about that.
If your manager is faced with a large dev cost or schedule slippage, he or she may be prepared to argue for an exemption to this (IMO) crazy corporate policy.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have a piece of java code I would like to run in my web browser and publish online. How can I do this without using applets? I have tried java vertx but I am not sure how to use it and there are no good tutorials online.
The short answer is you can't. Browsers don't "speak" Java natively, which is why applets required a plugin. As you probably know, Google is in the process of removing support for the plugin technology used by the Java plugin (NPAPI) and so soon Java won't work in Chrome at all (it already doesn't under Linux).
Your only real options are:
Provide a means of running it server-side, like http://ideone.com and various other "online" compilers do.
Translate it from Java to JavaScript (either manually or using a tool), which the browser can then run. But note that Java and JavaScript are not only markedly different languages despite a superficial similarity in syntax, but the standard environment for each is also quite different from the other.
How you do either of those is much too broad a question for SO.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I recently found out about Android Studio's decompiler and a few questions arose as I'm currently involved in an Android project. I just tried it and it generated near perfect code, surprisingly.
How good are Java decompilers nowadays? Are there protection mechanisms to prevent decompilation? Any security concerns to have in mind?
Best.
This questions is too broad. So I will split the questions and answers:
How good are Java decompilers nowadays?
Very good. You are likely to get readable classes back.
Are there protection mechanisms to prevent decompilation?
Yes, things like code obfuscators, or even other alternatives
Any security concerns to have in mind?
All security concerns are best kept in mind, depending on your application.
Against decompilers?
Not really, your code should be readable and still dont pose a threat to the system or its users. The best concept here would be the "white box" concept, in wich your code does not need to be hidden.
If you are handling something that should not be know, try executing it in a controlled enviromment, such as a controlled webservice.