Most software for accessing the IBM i makes use of third party libraries. Most of them are open source and could easily be replaced by modified versions.
Countermeasures:
- Software should perform an integrity check on all external libraries.
- Java byte code should be obfuscated.
Account information stored in an eclipse secure.storage should be encrypted by itself (what I found to be the case with the software modules I tested).
If these conditions are not met then passwords should not be saved when using third party software.
Youtube Video: IBM i (AS/400, iSeries) Security 3 - Jarfiles
Description: How to make jt400 hand out stored user profile information before any connection attempt takes place.