In C# or Java, even though we mark methods as private, they still can be accessed using reflection, or dynamically loading the class. Of course we have to know the method name to get hold of it - still, I was wondering how safe is an application which is meant to secure a private database, bank account, etc. that can still be hacked using reflection. My question here is why is the Java Reflection API allowed to access the variables/methods even though they are private?
Even if reflection didn't exist, getting data from within a virtual machine would be pretty trivial for a determined hacker. The existence of reflection is an acknowledgement from the creators of these languages that a) it's extraordinarily convenient in some special cases and b) private methods by no means ensure security. Instead, to secure private data such as bank account information, further means of indirection should be used, such as storing the data in a remote database and providing a query mechanism with an aggressive ACL.
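Added example, not part of the original question or answer: a Java sketch contrasting a secret kept in a private field with the indirection the answer recommends. The class names (`LocalAccount`, `RemoteStore`, `AccountHandle`) and the sample values are hypothetical, and `RemoteStore` is an in-process stand-in for a store that would really run on another host.

```java
import java.lang.reflect.Field;
import java.util.Map;
import java.util.Set;

public class PrivateIsNotABoundary {
    // Design 1: the secret lives in a private field inside the caller's own JVM.
    static final class LocalAccount {
        private final String accountNumber = "CONSTRUCTED-0001"; // constructed sample value
    }

    // Stand-in for the remote database: in a real deployment this is another process or host.
    static final class RemoteStore {
        private static final Map<String, String> DATA = Map.of("alice", "CONSTRUCTED-0001");
        private static final Set<String> ACL = Set.of("alice");
        // The only entry point: every query is checked against the ACL.
        static String query(String principal, String owner) {
            if (!ACL.contains(principal) || !principal.equals(owner)) {
                throw new SecurityException("denied: " + principal + " -> " + owner);
            }
            return DATA.get(owner);
        }
    }

    // Design 2: the client object holds only an identifier, never the data itself.
    static final class AccountHandle {
        private final String owner;
        AccountHandle(String owner) { this.owner = owner; }
    }

    static String readPrivate(Object target, String fieldName) throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(fieldName);
        f.setAccessible(true); // suppresses the language-level access check for this Field
        return (String) f.get(target);
    }

    public static void main(String[] args) throws Exception {
        // Reflection reads the private field directly.
        System.out.println(readPrivate(new LocalAccount(), "accountNumber"));
        // Against the handle, reflection yields only the identifier.
        System.out.println(readPrivate(new AccountHandle("alice"), "owner"));
        // The data is released only through the ACL-checked query.
        System.out.println(RemoteStore.query("alice", "alice"));
        try {
            RemoteStore.query("mallory", "alice");
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The ACL check only counts as a boundary when the store sits outside the caller's process; inside one JVM it is reachable by the same reflection calls.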