Application Design

The structure of your application affects the kind of attacks that can be made against it. In this section, I’ll discuss security considerations in standalone applications as well as traditional client/server architectures. The section ends with a discussion of the pros and cons of using a web browser as your application’s client platform.

Self-Contained

A self-contained application has all of its logic in one place. In Java, this means that all of the .class files it uses are on one machine.

A self-contained application that does not make network connections has limited security requirements. The only threat in this type of application is that someone will steal its data. There are two ways this can happen, excluding more exotic surveillance techniques:

  • Someone will gain physical control of your computer and use it to steal your application’s data.

  • Someone will gain virtual control of your computer and use it to steal your application’s data.

If you are concerned about data theft, you can encrypt your data before storing it on disk. This way, even if someone steals the data files, it will be hard to get any useful information out of them without your encryption key. The encryption key should not be stored on the computer, unless it is protected in some way. The PBE class, presented in Chapter 7, allows you to protect an encryption key with a passphrase. If you are lucky enough to have smart cards in your system, the smart card is a good place to store a key. If you ...
