What are common Java desktop app exploits?

I know about common web exploits, like SQL injection, script injection, stealing cookies, etc. However, I don't know too much about security issues around desktop Java apps. What are good resources for learning more about this?

Specifically, I'm talking about Java apps that run on the desktop of PCs or Macs (not applets or servers).

Some issues that I can imagine for Java apps would be changing registry settings, installing rootkits, keystroke logging, messing with the file system, etc. Aside from the last one, I have no idea how one would go about doing it or if it's even possible, so I don't have a sense of how easy to implement and thus potentially dangerous it is. Also, if I understood how it was done, I could understand what if anything could protect against it.

I feel like the file system could do a lot of damage, either by deleting files, stealing data, changing settings for programs that store settings files, etc. I have heard that Java has a sandbox mode, but I'm not sure how that works in terms of running a program in sandbox mode, or how a program would know it's in sandbox mo开发者_StackOverflowde.

What are some good resources for learning about this?

Java is immune to many things that a C programmer would face (buffer overflows are a big example). Firstly, make sure you obfuscate your code if you're moving it around in a jar, since java decompilation is very easily done.

Also, make sure you write code so that it isn't possible to compile a class with your application (which may be distributed as a jar) as a library. This gives rise to lots of issues such as keyloggers and such.

Next, this may sound stupid, but, it has happened in the past, if you are saving login info, MAKE SURE ITS NOT READABLE BY ANYONE BUT YOUR APPLICATION!

Guard against packet sniffers by encrypting data if you are connecting to a server with your application.

EDIT: I completely agree with the open source idea. If you can, open source your code. It'll save you a ton of trouble.

This is a question of attack surface. You have to ask your self: How can an attacker influence this application? In a web application its clear, GET and POST variables. In a desktop application that doesn't use the network there can be zero attack surface. A desktop application could be useful to an attacker if it runs with elevated privileges and an attacker with lower privileges could influence this application to gain its rights.

A malicious application written in Java that deletes files IS NOT AN EXPLOIT. Its just uninteresting malware. Here is a large list of exploits.

To be honest the majority of applications you write for school have no concept on security. Your writing a linked list implementation or some simple CLI application.