On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote:
Realizing that java "binaries" hold a lot more is a mental shift that probably must be actively kept in mind. Those with only Java experience may think it is obvious, but how many developers did not start with Java and have not purged this concept from their mind.

Fair enough, but understand too that a Java class file (like those in a typical jar file, which is just a fancy word for ZIP format) can be trivially decompiled into quite legible Java source. Numerous open source Java decompilers (e.g., Jode, Jad) exist that make this extremely easy.

And FWIW, that's exactly how the Etisalat Blackberry software "update" was analyzed and proven to contain spyware last week.

Note that there are many options for distributing these trivially decompiled class files...

Cheers,

Ken van Wyk
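To illustrate the point made above, here is an added example (not code from this thread): a Python script that opens a jar as the ZIP archive it is, checks each class file's 0xCAFEBABE magic and version, and pulls the constant-pool UTF-8 entries, which is where class names, method names and string literals sit in plain form, and why decompilation recovers so much. The sample jar and its single class file are constructed inline.

```python
import io
import struct
import zipfile

# Byte sizes of the fixed-length constant-pool entries, keyed by tag
# (JVM spec section 4.4); tag 1 (Utf8) is variable-length and handled below.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_class_header(data):
    """Return (major_version, utf8_strings) from raw class-file bytes."""
    magic, minor, major, cp_count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:           # every class file starts with this magic
        raise ValueError("not a class file")
    pos, index, strings = 10, 1, []
    while index < cp_count:           # pool indices run from 1 to cp_count-1
        tag = data[pos]
        pos += 1
        if tag == 1:                  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            # class files use "modified UTF-8"; plain decode is good enough here
            strings.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        index += 2 if tag in (5, 6) else 1   # Long/Double occupy two slots
    return major, strings

def inventory_jar(jar_bytes):
    """Map each .class entry in a jar (just a ZIP) to its version and strings."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                result[name] = parse_class_header(jar.read(name))
    return result

def build_sample_jar():
    """Constructed sample: one minimal (not loadable) class file whose pool
    holds a class name and a string literal, zipped as a jar."""
    cp = (struct.pack(">BH", 1, 11) + b"com/x/Agent"          # #1 Utf8
          + struct.pack(">BH", 7, 1)                           # #2 Class -> #1
          + struct.pack(">BH", 1, 14) + b"SECRET_API_KEY"      # #3 Utf8
          + struct.pack(">BH", 8, 3))                          # #4 String -> #3
    clazz = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 5) + cp    # major 52 = Java 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/x/Agent.class", clazz)
    return buf.getvalue()
```

Running `inventory_jar(build_sample_jar())` shows the class name and the literal recovered directly from the archive, without any decompiler at all.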



_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
