Description
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Medium
Related Weaknesses
Consequences
Confidentiality: Read Application Data
Any package-scoped data in a Java package can be read by code outside the original application if the package is distributed, because other classes can be declared in that same package.
Integrity: Modify Application Data
Package-scoped data in a Java class can be modified by anyone outside the original application if the package is distributed.
Potential Mitigations
Phase: Architecture and Design, Implementation
Description:
Data should be private static and final whenever possible. Making it private keeps it out of reach of other classes in the package, and making it static and final fixes its value at class initialization so it cannot be reassigned or tampered with later.
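An added example (not part of the CWE entry) showing the package-scoped data the description warns about beside the private static final form the mitigation recommends; the package name and class names are constructed for illustration.

```java
// Added example, not from the CWE entry. Package and class names
// (com.example.billing, WeakLimits, AccountLimits) are constructed.
package com.example.billing;

// WEAK: the field has no access modifier, so it is package-private. Any class
// that declares "package com.example.billing;" (including one added by a third
// party to a deployed, unsealed package) can read and overwrite it.
class WeakLimits {
    static double maxTransfer = 10_000.0;   // package-private and mutable
}

// HARDENED: the data is private, static and final. Other classes in the
// package cannot see it, its value is fixed at class initialization, and the
// only read path is a method this class controls.
final class AccountLimits {
    private static final double MAX_TRANSFER = 10_000.0;

    private AccountLimits() {}   // constant data; no instances needed

    static double maxTransfer() {
        return MAX_TRANSFER;
    }
}

// A class in the same package shows why package scope is not a security
// boundary: the first statement compiles, the commented ones do not.
class SamePackageClient {
    double demo() {
        WeakLimits.maxTransfer = 1e9;               // compiles: package scope gives access
        // AccountLimits.MAX_TRANSFER = 1e9;        // compile error: private
        // double x = AccountLimits.MAX_TRANSFER;   // compile error: private
        return AccountLimits.maxTransfer();         // the only sanctioned access path
    }
}
```

All three classes are package-private, so the file compiles as a single compilation unit (no public class is required).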