security aspects specific to the Java programming language and libraries.


64 votes | 15 answers | 15k views

Lessons learned and misconceptions regarding encryption and cryptology

Cryptology is such a broad subject that even experienced coders will almost always make mistakes the first few times around. However encryption is such an important topic, often we can't afford to ...
22 votes | 6 answers | 301 views

How to keep an eye on upgrades, patches and security issues for used open-source libraries?

For a project with many open-source libraries as a part of it, I began to search for information source concerning all upgrades and security issues. The kind of sources I gathered are either ...
21 votes | 3 answers | 2k views

Should I be disabling Java?

First it was Apple, now it's the US government... U.S. urges users to disable Java; Apple disables some remotely New malware exploiting Java 7 in Windows and Unix systems How serious is this ...
17 votes | 3 answers | 3k views

Deleting a Java Object securely

I know that in order to delete a Java object I should use character array instead of String, since I can safely erase (rewrite the character array with other data) its content. This seems not to be ...
13 votes | 8 answers | 2k views

Any comprehensive solutions for binary code protection and anti-reverse-engineering?

Does anyone know of good products with comprehensive binary hardening and anti-reverse-engineering features? Or better, has anyone seen an independent review comparing products that perform these ...
9 votes | 2 answers | 794 views

Is null-byte injection possible in Java filenames?

From the Area51 proposal
9 votes | 1 answer | 337 views

Android Runtime Code Injection

I'm doing research for a static analysis tool to help detect malware in Android applications. I'm wondering if it is possible to perform code injection on Android without using a class loader. I ...
9 votes | 1 answer | 530 views

HQL injection example

Our developers left a surprise in handling user login. Namely: // java List users = hibernate.find("from Users where username = '"+formUsername+"'"; if (users.length==0) { return BAD_USER; } if ...
8 votes | 5 answers | 2k views

How can I decrypt data with Java, without hard-coding the key?

I hope this is not a chicken-egg problem or reinventing the wheel but here goes. I have a Java application that needs to access a password protected file (actually during the application startup). The ...
8 votes | 3 answers | 23k views

How can I export my private key from a Java Keytool keystore?

I would like to export my private key from a Java Keytool keystore, so I can use it with openssl. How can I do that?
8 votes | 4 answers | 3k views

What's the standard way to encrypt a file with a public key in Java?

I'm writing a client app in Java that sends encrypted data back to the server. All clients have my RSA public key. Is there a standard way to encrypt a given file with it to send it back to the ...
8 votes | 2 answers | 1k views

Will disabling the Java add-on in IE protect you from Java exploits?

Concerning the recent Java vulnerability (Should I be disabling Java?), the most common advice seems to be to disable Java plug-ins in the browser. However, Heise Security suggests that, when it ...
8 votes | 4 answers | 3k views

Any useful tools for Android source code review? [closed]

I'm wondering if anyone has some recommendations for Android source code review which is Java based. For example, reviewing an Android app for security issues. Bonus for being F/OSS. Fortify seems ...
8 votes | 4 answers | 365 views

What Checkstyle or Findbugs rules detect common vulnerabilities?

Looking for experience with both built in and custom checks. I do not need references to commercial source code analysers.
8 votes | 2 answers | 465 views

Why do some Java APIs bypass standard SecurityManager checks?

In Java, normally permission checks are handled by the SecurityManager. To prevent untrusted code from invoking privileged code and exploiting some bug in the privileged code, SecurityManager checks ...