Celebrating 25 years of Java: How to keep Java-based apps safe

What do Minecraft and the Mars Rover have in common?

Well, aside from the fact that they both let us explore new worlds, they also have a deep Java footprint.

Earlier this year, Java celebrated its 25th birthday. Since the language was born in 1995, it has influenced and shaped a whole host of projects. From being the language used to create one of the most popular video games of all time, to being the programming language of choice for expanding our knowledge of the red planet.

And many more besides.

One of the reasons for Java’s sustained success is its simplicity. Platform independent, it can run on almost any architecture and operating system.

But this simplicity also makes it an inviting target for bad actors.

Compared to 1995, we’re living in a much more uncertain world, with cyber threats evolving and maturing all the time. In order to be able to celebrate another successful quarter century of Java in 2045, we’ll have to be vigilant of this threat.

We'll have to protect java-based apps with a level of security worthy of the language’s unique influence on our world.

You only have to listen to this excellent Oracle Groundbreakers podcast episode to get a sense of how Java has changed people’s lives in the last 25 years.

The interviews with Java champions are revealing. They all mention the strong sense of community. And there’s clearly a confidence that Java can stay relevant for some time yet.

The Java language has evolved since 1995 but, as Venkat Subramaniam says in the same episode, Java hasn’t had the luxury of changing wholesale. That simply isn’t possible when millions rely on it every day. Instead, Java’s evolution has been pragmatic. Steady.

Write once, run anywhere. That was the famous tagline chosen by Sun Microsystems in 1995 to highlight Java’s cross-platform flexibility.

And it turns out that it was a pretty prescient line. Because the language really does run anywhere and everywhere. From old mainframe computers, to IBM. From innovative inventions, to software for the world’s biggest banks. And from big data, to IoT.

“Write once, run everywhere” helps to explain how Java is still going strong, 25 years on. But it also points to a threat that has the potential to grow in the coming years if it isn’t curbed.

As we said earlier, a key factor behind Java’s success is its simplicity.

Its code and API documentation are open source. It has a publicly-available virtual machine and bytecode specification. And compared to other virtual machines or native code, its instructions are relatively easy to understand.

This helps to explain why the language’s reach is so vast. Why it’s created such a huge, supportive community across the globe. But not everybody who’s attracted to Java’s simplicity has good intentions.

Bad actors look at Java’s simplicity as an opportunity. Its openness can leave companies’ critical intellectual property vulnerable to reverse engineering, manipulation, and theft.

There’s not a lot of effort required for hackers to do this. In fact, there are many free and commercial decompilers on the market for them to choose from.

It’s also easy for them to process and make changes to the bytecode using common tools. And because Java apps typically only have around 200 instructions - around half as many as a native app - it takes bad actors less time to crack the code. Once they do, they can reverse engineer it easily.

Java apps are used so extensively that almost every industry is at risk from these attacks. There are open source libraries in the public sector, in automation, and in finance and taxation.

Businesses across these industries rely on Java code. But they also rely on keeping their sensitive information, algorithms, and intellectual property safe.

Fortunately, there are ways for them to do just that while embracing Java.

Java allows users to add a digital certificate to each class within the JAR archive, which acts as a check that the original files haven’t been modified. But on its own, this isn’t enough to protect companies from IP theft and tampering.

What’s needed is a holistic approach to security that uses code protection and virtualization, content protection, and integrity control.

Code protection and virtualization hides the method calls and logic within Java-based apps. Ideally, it should use a combination of hide access and string encryption features to make sure that hackers aren’t able to decompile the code stored in the app.

Content protection is all about encrypting the resources inside the app. The best kind of resource encryption is transparent and uses strong cryptography to prevent bad actors from locating and accessing valuable assets.

This means that hackers aren’t able to tamper with the app by injecting malicious code. It means that they can’t access the end user’s sensitive information, like passwords or account numbers. And it means they can’t disable a licensing subsystem.

Using a combination of these three protective measures keeps user data and company IP safe. It allows people to do their essential work without worrying about attacks.

Another way to mitigate some of the risks of bytecode decompilation is to make use of Graal VM. It helps applications to run faster and allows developers to compile their app in a compact, native image format. But for optimum security it should be used alongside the measures listed above.

From the very first years under Sun Microsystems, to Oracle’s careful stewardship during the last decade, the Java language has changed the world around us.

25 years on from its inception, we now live in a world of constant change. A world where technology evolves on almost a daily basis.

Java forms an essential part of this evolving technology. But cyber threats are moving at the same fast pace. And the simplicity that makes Java so special can also leave it open to attacks.

If we make sure that we protect Java-based apps, then we can look forward to the language being a big part of our lives for many more years to come.