The structure of your application affects the kind of attacks that can be made against it. In this section, I’ll discuss security considerations in standalone applications as well as traditional client/server architectures. The section ends with a discussion of the pros and cons of using a web browser as your application’s client platform.
A self-contained application has all of its logic in one place. In Java, this means that all of the .class files it uses are on one machine.
A self-contained application that does not make network connections has a limited attack surface. The main threat to this type of application is that someone will steal its data. There are two ways this can happen, excluding more exotic surveillance techniques:
Someone will gain physical control of your computer (by stealing the machine or its disks, for example) and use it to steal your application’s data.
Someone will gain virtual control of your computer (through malware or a remote compromise, for example) and use it to steal your application’s data.
If you are concerned about data theft, you can encrypt your data before storing it on disk. This way, even if someone steals the data files, it is hard to get any useful information out of them without your encryption key. Encryption moves the problem rather than removing it: the key now needs protecting, so it should not be stored on the computer unless it is itself protected in some way. The PBE class, presented in Chapter 7, allows you to protect an encryption key with a passphrase. Note that the passphrase then carries the full burden; an attacker who has the data files can guess passphrases offline at leisure, so the passphrase must be a strong one. If you are lucky enough to have smart cards in your system, the smart card is a good place to store a key, since the key never has to leave the card. If you ...
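The following is an added example, not code from the book and not the PBE class from Chapter 7. It shows the advice above with the standard JCE APIs of a current JDK: the passphrase is stretched with PBKDF2 into an AES key, the key exists only in memory, and only a random salt, an IV and the ciphertext reach the disk. AES-GCM is used so that a wrong passphrase or a modified file is detected on decryption instead of silently yielding garbage. The class name, file name, sample record, passphrase and iteration count are all assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical class: stores a data file encrypted under a key derived from a passphrase. */
public class PassphraseFile {
    private static final int SALT_LEN = 16;        // bytes; fresh random salt per write
    private static final int IV_LEN = 12;          // bytes; standard GCM nonce size
    private static final int TAG_BITS = 128;       // GCM authentication tag length
    private static final int ITERATIONS = 600_000; // PBKDF2 work factor (assumed value)
    private static final SecureRandom RNG = new SecureRandom();

    /** Stretch the passphrase into a 256-bit AES key. The key is never written anywhere. */
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                         .generateSecret(spec).getEncoded();
            SecretKey key = new SecretKeySpec(raw, "AES"); // SecretKeySpec copies the bytes
            Arrays.fill(raw, (byte) 0);                    // wipe our copy
            return key;
        } finally {
            spec.clearPassword();                          // wipe the spec's copy of the passphrase
        }
    }

    /** On-disk layout: salt || iv || ciphertext+tag. None of it reveals the key. */
    static void encryptToFile(Path file, char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] blob = ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length)
                                .put(salt).put(iv).put(ct).array();
        Files.write(file, blob);
    }

    /** Returns the plaintext, or throws AEADBadTagException on a wrong passphrase or a modified file. */
    static byte[] decryptFromFile(Path file, char[] passphrase) throws Exception {
        ByteBuffer bb = ByteBuffer.wrap(Files.readAllBytes(file));
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        bb.get(salt);
        bb.get(iv);
        byte[] ct = new byte[bb.remaining()];
        bb.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("appdata", ".enc");                   // constructed sample file
        byte[] record = "account=alice;balance=1200".getBytes(StandardCharsets.UTF_8); // constructed data
        char[] pass = "correct horse battery staple".toCharArray();             // assumed passphrase

        encryptToFile(file, pass, record);
        System.out.println("Decrypted: " + new String(decryptFromFile(file, pass), StandardCharsets.UTF_8));

        // Someone who steals only the file and guesses wrong gets an exception, not data.
        try {
            decryptFromFile(file, "wrong".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("Wrong passphrase rejected");
        }

        // Flipping a single byte of the stored file is caught by the GCM tag check.
        byte[] blob = Files.readAllBytes(file);
        blob[blob.length - 1] ^= 0x01;
        Files.write(file, blob);
        try {
            decryptFromFile(file, pass);
        } catch (AEADBadTagException e) {
            System.out.println("Tampered file rejected");
        }

        Arrays.fill(pass, '\0'); // do not keep the passphrase in memory longer than needed
        Files.delete(file);
    }
}
```

Two points a practitioner should check in code like this: the salt and IV are generated fresh on every write, so re-encrypting the same file under the same passphrase never reuses a key/IV pair (GCM is unsafe if it does), and the passphrase is held in a `char[]` that is wiped rather than in a `String`, which would stay in the heap until garbage collection. The PBKDF2 iteration count is what slows an offline guessing attack on the stolen file; raise it as far as your startup time tolerates.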