In the past few weeks I used JavaSnoop RC6 to assess a privileged applet application that had its own secure message protocol on top of mutually-authenticated HTTPS. Kind of a tough nut to crack, even with JavaSnoop. This assessment exposed a number of performance issues, bugs, and necessary features that were just plain missing.

After probably 100 hours of development and testing, I’m releasing the final JavaSnoop 1.0! On top of everything already available in RC6, there are a few new cool things:

After 6 release candidates, roughly a thousand bugs fixed, dozens of improvements and features added, I finally think the tool is ready for general availability. It’s had over a thousand downloads, which is much higher than I would have thought after a few months; it’s kind of a niche tool in a niche space. People are using it for things I didn’t anticipate, though – things like malware analysis and game hacking. More important than that, it’s unquestionably the best tool for hacking Java business applications.

No more betas or release candidates. Thanks to the following folks for bug reports, feedback, discussions and inspiration:

  • Hubert Seiwert, NGS
  • Marcin Wielgoszewski, GDS
  • @planetlevel, @_fishman_, @cykyc, Mike Fauzy, Dave Wichers, all from @aspectsecurity
  • Stephen de Vries, Corsaire

To download, visit the Google Code project page.

If you want to know what the hell JavaSnoop is, my BlackHat talk is online:

Happy hacking.