Java

Russ8611 writes, 

Hello Androidcentral! I was just curious if any of you guys feel like reporting on the Java vulnerability and let us know how it affects Android as a platform. I know most people say they don't need Java on their computers, but isn't Java needed by Android, especially by developers? Thanks!!!

That's a nasty mess, isn't it?

Java means a few different things, depending on how you're talking about it. The Java that's in the news with a heck of an exploit floating around is the Java that you install to your computer as an application platform. Almost every desktop operating system can run programs built for Java, because Java is a platform that runs inside and on top of your operating system. It sounds a bit confusing, but think of it as a virtual machine that can run code built and compiled a certain way. There's more to the Java platform than the virtual machine, but most people will never need any of it and have no idea that it's even installed.

We install Java on our computers so we can run programs. Some of those programs can originate on the web. Remember, this isn't JavaScript that runs inside the browser; this is code that will start up that virtual machine we talked about earlier. That's where things got sticky over the weekend. The component that runs as a browser plugin was exploited. Since Java is cross-platform, that means Windows, OS X, and Linux distributions could be affected.

But not Android. It's immune to the recent security issues.

Android doesn't use Java in the browser, and the Java-esque software in the OS is different and not affected. Thankfully, our Android devices are immune. But you bring up a good point about developers. To use most of the Android development tools or to build Android from source, you need the entire Java platform installed on your computer. Most people will be using Oracle's Java, which means most people developing for Android were vulnerable.

I say were vulnerable, because Oracle has patched the exploit as of late Sunday evening. Remember, we don't have to do anything for our Android devices, but anyone using Java should head over to Oracle's Java site and get the updated version. For more information be sure to read Oracle's security alert about the exploit and patch.

Have a question you need answered? (Preferably about Android, but we're flexible.) Hit up our Contact Page to get in touch!

 
There are 28 comments

marisdaman says:

Good to know

kstoutdog says:

Not sure what they're payin you Jerry H... but it's not enough...
Love the credibility and sheer genius you offer to this site

Incitatus says:

Sent by Jerry's "other" account. :)

MERCDROID says:

lol

abtxpress says:

I have been java free since I think October. I've not run into any problems not having it.

Suntan says:

Then you obviously don't have any programs that need it to run.

Your usage doesn't mean anything for those of us that do need to run it.

-Suntan

Ratnok says:

For those of us who don't know (non-techies) - "Java" is the problem. "JavaScript" is not. Android can enable JavaScript and that is not covered in the warnings. Android does not use "Java" proper. Android has nothing to worry about, and if you have not downloaded "Java" to your computer, you're cool there too. You can leave the JavaScript "On" and you'll be fine.

Java- The animation, interactive features, timers, and other enhancements on webpages are sometimes provided by a software program known as Java. -BAD-

JavaScript-JavaScript is a software technology that allows some buttons, online forms, and other webpage content to work properly. Disabling JavaScript can cause many sites not to work properly. -GOOD-

Disable/Uninstall Java
Leave JavaScript alone

dazweeja says:

I think disabling is the better option if you are worried about this vulnerability. I still see a lot of websites using Java. For instance, when you book tickets to movies, flights or sporting events, a lot of those seat selection tools are written in Java.

Convert2 says:

Stated above: "Almost every desktop operating system can run programs built for Java, because Java is a platform that runs inside and on top of your operating system. It sounds a bit confusing, but think of it" - now what follows should make the previous sentence easier to understand, but the following sentence would have everyone except a techie scratching their head -> "as a virtual machine that can run code built and complied a certain way." That should be "compiled," no?

Synycalwon says:

Good info. As to Java on PCs, if you don't need it, at a minimum disable it in your browser. But better yet uninstall it! It's one less attack surface the bad guys can exploit (part of a defense in depth security approach). :)

DWR_31 says:

Does Chrome OS use JAVA?
I only ask because this exploit seems to be browser based and it was stated in the post that Android isn't affected. But, Chrome OS isn't Android.

kinster02 says:

No, Chrome OS does not run Java.

The alert indicates that the java platform itself is also not vulnerable. It says: "These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications." So for example, if you were running the eclipse IDE, you would not be affected by this vulnerability. This vulnerability is isolated to the java plugin running within most browsers today. This plugin should be disabled on your PC's browsers, until you get the fix. This vulnerability could manifest itself, for example, as a java applet embedded in a web page's content. If you go to that malicious web site with your PC's browser, you could be at risk. As the author points out, since the stock browser within android does not have this plugin, android is not vulnerable.

Jayshmay says:

Jerry! You're very knowledgeable!

bigbroimc says:

Jerry I enjoy reading your articles. They are intelligent, witty and you don't take sides (most of the time).

You remind me of my childhood friend's dad who worked at Intel. This guy could deliver a 4 hour talk on how the Bios worked when all you asked for was what does Bios stand for (Basic Input-Output System).

Anyways keep up the awesome work.

mcleodglen says:

This is one of the reasons I stay away from Android, I have a Windows Phone and I love it. Java has a history of unreliable.

kombatkarl says:

So, obviously you didn't read the article.

C0deM0nkey says:

Read the article?
He doesn't even have time to finish his sentences..

baldypal says:

I'm sorry ... did you say you don't use Android b/c of Java's potential security flaws. But you use WINDOWS instead? Hello Pot, I see you met Kettle!

MERCDROID says:

Someone's lost. They're missing you at the "I hate Google" rally over at Windows Phone Central lol

Ratnok says:

If the Android browser doesn't use Java, then can someone please explain why Chrome for Android has a Content Setting "Enable JavaScript?"

estranger says:

To add to the confusion, JavaScript and Java are two different things..

spock123 says:

Lol are u serious?

Ratnok says:

I absolutely was serious- and thanks for NOT answering a question. Without your help, I found out that the issue is "Java" not "Javascript." Those of us who are not computer nerds (read- 99% of the population) wouldn't know that. I realized that I don't even have Java installed on my computer.

yetisnack says:

Before you go getting all surly calling people names ("computer nerds") the answer to Java vs. Javascript was included in the article. Read before posting and avoid future 'Are you serious' comments.

Synycalwon says:

Exactly! Not sure what it is, but I've been seeing more and more people fail at basic reading comprehension (online and at work). :(

How can I get Adobe Flash Player for my Android phone?