Java applet code review

Attackers Reverse Engineer Client
 * 1) All clients can be reverse engineered, monitored, and modified
 * 2) No encryption key or mechanism shipped in the client is a secret
 * 3) All intellectual property (algorithms, data) is disclosed

Attackers Create Malicious Client, Server, or Proxy
 * 1) Tamper with requests and responses
 * 2) Spoof a legitimate client or server application

Attackers Target Rich Client Application Itself
 * 1) Clients can be abused - especially if they are "listening"
 * 2) All forms of input corruption (injection, overflow, etc.) can be used
 * 3) Spoofed server can be set up

Attackers Target Server Application Vulnerabilities
 * 1) All typical server application issues are possible. See Java_server_%28J2EE%29_code_review

Client Security Considerations
 * 1) Mutual authentication over SSL
 * 2) Access control cannot be enforced on the client
 * 3) Input validation
 * 4) Interpreter use
 * 5) Error handling and logging
 * 6) Intrusion detection
 * 7) Encryption
 * 8) Information cannot be protected on the client
 * 9) For secure communications
 * 10) For secure storage
 * 11) Jar Signing
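As an added example (not from the original page) of the points made under "Attackers Reverse Engineer Client" and the client considerations above: the client-side pattern a Java applet review should flag, beside the version that leaves authentication and authorisation to the server. The hostname, the /salaries endpoint and the token-issuing login are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
// BEFORE: the pattern to flag. Everything here ships inside the JAR, so the key
// is readable from the class file's constant pool and the role check can be patched out.
class ReportClientBefore {
    private static final String API_KEY = "EXAMPLE-KEY-NOT-A-SECRET"; // constructed placeholder
    String fetchSalaries(String roleClaimedByUser) throws IOException {
        if (!"manager".equals(roleClaimedByUser)) {   // access control on the client only
            throw new SecurityException("not allowed");
        }
        // Plain http: no server identity, so a spoofed server or proxy can answer.
        URL u = new URL("http://reports.example.invalid/salaries?key=" + API_KEY);
        return Http.readBody((HttpURLConnection) u.openConnection());
    }
}
// AFTER: the client only asks. Identity comes from a session token the server
// issued after login, and the server makes the authorisation decision.
class ReportClientAfter {
    private final String sessionToken;   // obtained at login, never baked into the JAR
    ReportClientAfter(String sessionToken) { this.sessionToken = sessionToken; }
    String fetchSalaries() throws IOException {
        // https: the JRE verifies the server certificate, which defeats a spoofed
        // server. Mutual authentication would additionally install an
        // SSLSocketFactory holding the client certificate (omitted here).
        URL u = new URL("https://reports.example.invalid/salaries");
        HttpURLConnection c = (HttpURLConnection) u.openConnection();
        c.setRequestProperty("Authorization", "Bearer " + sessionToken);
        if (c.getResponseCode() == 403) {
            // The server denied the request; the client only reports that fact.
            throw new SecurityException("server refused: not authorised");
        }
        return Http.readBody(c);
    }
}
// Shared helper: read the response body as text.
final class Http {
    static String readBody(HttpURLConnection c) throws IOException {
        try (BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream()))) {
            StringBuilder sb = new StringBuilder();
            for (String line; (line = r.readLine()) != null; ) sb.append(line).append('\n');
            return sb.toString();
        }
    }
}
```

In review, the "before" class is a finding on three counts at once: a secret in the client, an access decision in the client, and a transport that does not authenticate the server.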