Can a secret be hidden in a ‘safe’ java class offering access credentials?

by

No, it’s not safe from other Java code. Your secret could be retrieved from an instance of Safe like this:

Field field = safe.getClass().getDeclaredField("secret");
field.setAccessible(true);
String secret = (String) field.get(safe);

Update: If you control the loading of the other Java code that you want to hide the secret from you can probably use a custom SecurityManager or ClassLoader to prevent access to it. You need to control the environment that this runs in to work though, e.g. a server you restrict access to.

Your edited question however mentions that the code can run on any desktop or device. In that case there’s really nothing you can do to protect the secret from other processes that could do just about anything. Even if you encrypt it in memory another process can just intercept the key or even the plaintext secret as its passed around.

If you don’t control the environment that you need something to be secure in then you likely need to consider a different approach. Perhaps you can avoid storing the secret in memory altogether?

More Related Contents:

  1. What is the point of abstract classes, when you could just do an interface [duplicate]
  2. Convert structs in C++ to class in Java [closed]
  3. Java – class, get new array of objects
  4. How do I resolve ClassNotFoundException?
  5. Spring Security : Multiple HTTP Config not working
  6. What are classes, references, and objects?
  7. How can a class have a member of its own type, isn’t this infinite recursion?
  8. The connection between ‘System.out.println()’ and ‘toString()’ in Java
  9. Securing a password in a properties file [duplicate]
  10. Java – how to load different versions of the same class?
  11. Can I get all methods of a class?
  12. How to get the parent base class object super.getClass()
  13. How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
  14. Why does JPasswordField.getPassword() create a String with the password in it?
  15. Java: Class.this
  16. java.security.AccessControlException: Access denied (java.io.FilePermission
  17. convert openSSH rsa key to javax.crypto.Cipher compatible format
  18. Advantage of Local Classes Java
  19. Android encryption
  20. Import a custom class in Java
  21. Synthetic Class in Java
  22. Cannot instantiate the type for class object (Java)
  23. JAAS for human beings
  24. How to prevent public methods from being called from specific classes
  25. When to move from Container managed security to alternatives like Apache Shiro, Spring Security?
  26. SSLContext initialization
  27. Why can a class not be defined as protected?
  28. Using a java class from Delphi
  29. How to check if class exists somewhere in package?
  30. How are the IV and authentication tag handled for “AES/GCM/NoPadding”?

Leave a Comment