
How to turn a jar into a spy

Submitted on Thu, 08.08.2019 - 12:28

Most software for accessing the IBM i makes use of third-party libraries. Most of them are open source and could easily be replaced by modified versions.

 


Countermeasures:

  • Software should perform an integrity check on all external libraries.
  • Java byte code should be obfuscated.

Account information stored in an Eclipse secure.storage should itself be encrypted (which I found to be the case with the software modules I tested).

If these conditions are not met, then passwords should not be saved when using third-party software.
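A minimal sketch of the first countermeasure, added here as an example and not taken from the original post or from any of the tested products: the application pins a SHA-256 digest for each bundled jar and reports any jar that is changed, missing or unexpected. The class name, the file name `vendor-lib.jar` and the sample bytes are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

public class JarIntegrityCheck {

    // SHA-256 of a file as lowercase hex.
    static String sha256(Path file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest(Files.readAllBytes(file))) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Compares every jar in libDir with its pinned digest.
    // An empty result means all jars match; anything else should stop the program.
    static List<String> verify(Path libDir, Map<String, String> pinned)
            throws IOException, NoSuchAlgorithmException {
        List<String> problems = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        try (DirectoryStream<Path> jars = Files.newDirectoryStream(libDir, "*.jar")) {
            for (Path jar : jars) {
                String name = jar.getFileName().toString();
                seen.add(name);
                String expected = pinned.get(name);
                if (expected == null) problems.add("unexpected jar: " + name);
                else if (!expected.equalsIgnoreCase(sha256(jar))) problems.add("digest mismatch: " + name);
            }
        }
        for (String name : pinned.keySet())
            if (!seen.contains(name)) problems.add("missing jar: " + name);
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a stand-in "library" file in a temporary lib directory.
        Path lib = Files.createTempDirectory("lib");
        Path jar = lib.resolve("vendor-lib.jar");
        Files.write(jar, "original library bytes".getBytes(StandardCharsets.UTF_8));
        Map<String, String> pinned = new HashMap<>();
        pinned.put("vendor-lib.jar", sha256(jar)); // in practice a constant recorded at build time
        System.out.println("as shipped:   " + verify(lib, pinned));
        // Simulate the library being swapped for a modified version.
        Files.write(jar, "modified library bytes".getBytes(StandardCharsets.UTF_8));
        System.out.println("after change: " + verify(lib, pinned));
    }
}
```

The check only helps if it runs before any class from the checked jars is loaded, and the pinned digests have to live inside the application itself rather than in a file next to the jars.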


 

YouTube video: IBM i (AS/400, iSeries) Security 3 - Jarfiles

Description: How to make jt400 hand out stored user profile information before any connection attempt takes place.