Secure Coding mailing list archives

Source or Binary


From: ken at krvw.com (Kenneth Van Wyk)
Date: Wed, 29 Jul 2009 17:22:45 -0400

On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote:
> Realizing that Java "binaries" hold a lot more is a mental shift that probably must be actively kept in mind. Those with only Java experience may think it is obvious, but how many developers did not start with Java and have not purged this concept from their mind?

Fair enough, but understand too that a Java class file (like those in a typical jar file, which is just a fancy word for ZIP format) can be trivially decompiled into quite legible Java source. Numerous open source Java decompilers (e.g., Jode, Jad) exist that make this extremely easy.

And FWIW, that's exactly how the Etisalat Blackberry software "update" was analyzed and proven to contain spyware last week.

Note that there are many options for distributing these trivially decompiled class files...

Cheers,

Ken van Wyk
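
Added illustration for this thread (not code from the list or from any decompiler project): a jar is opened as an ordinary ZIP and each class file's constant pool is read directly, which is enough to recover the class name, the classes it references and every string literal without any decompiler. The sample jar is constructed inline; the names and URL in it are made up for the demonstration.

```python
import io
import struct
import zipfile
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,  # tag -> payload bytes
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}                       # tag 1 (Utf8) varies

def constant_pool(data):
    """Parse a class file's constant pool; returns (pool, this_class index)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, i = [None], 10, 1                    # slot 0 is unused (JVM spec)
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                # u2 length + modified UTF-8 bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pool.append((tag, data[pos + 2:pos + 2 + length].decode("utf-8", "replace")))
            pos += 2 + length
        else:
            pool.append((tag, data[pos:pos + FIXED_SIZE[tag]]))
            pos += FIXED_SIZE[tag]
        if tag in (5, 6):                           # long/double occupy two slots
            pool.append(None)
        i += 2 if tag in (5, 6) else 1
    (this_class,) = struct.unpack_from(">H", data, pos + 2)   # u2 after access_flags
    return pool, this_class

def class_summary(data):
    """Class names and string literals readable straight out of the constant pool."""
    pool, this_class = constant_pool(data)
    ref = lambda payload: pool[struct.unpack_from(">H", payload)[0]][1]  # follow a u2 index
    return {"name": ref(pool[this_class][1]),
            "classes": sorted(ref(p) for t, p in filter(None, pool) if t == 7),
            "strings": [ref(p) for t, p in filter(None, pool) if t == 8]}

def build_sample_jar():  # constructed sample: a minimal class file (no methods) in a plain ZIP
    entries = [(1, b"com/example/Updater"), (7, b"\x00\x01"),              # 1: Utf8  2: this_class
               (1, b"java/lang/Object"), (7, b"\x00\x03"),                 # 3: Utf8  4: super_class
               (1, b"http://report.example.invalid/"), (8, b"\x00\x05")]   # 5: Utf8  6: String literal
    body = b"".join((struct.pack(">BH", 1, len(p)) + p) if t == 1 else bytes([t]) + p for t, p in entries)
    cls = (struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(entries) + 1) + body
           + struct.pack(">7H", 0x0021, 2, 4, 0, 0, 0, 0))  # flags, this, super, empty tables
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Updater.class", cls)
    return buf.getvalue()

def inspect_jar(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n: class_summary(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}
```

Run the same `inspect_jar` over a jar you are about to ship (or one you received as an "update") to see which identifiers, endpoints and literals it hands to anyone with a ZIP tool.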



