Why is Cryptomator written in Java? Isn't Java insecure?


About Java

Yes, JRE installations have indeed opened certain doors for malware. That is why you should not use the Java browser plugin, for example. That said, the Java programming language itself isn’t more vulnerable than any other language.

How is Cryptomator different?

Even though huge parts of Cryptomator are written in Java, you do not need to install a Java Runtime Environment (JRE) because the relevant parts are bundled with the installer.

This means that, unlike with a system-wide JRE installation, malware (or third-party applications) cannot start a Java process with the components bundled within Cryptomator, because no executable Java binary is included.

Benefits of using Java

The Java platform is one of the most widespread technologies and thus very well tested and mature. It is used by the biggest tech companies around the world, which build products around it that need to be highly available and robust.

As Java is a managed language, it offers a higher isolation level than low-level languages, where mistakes in memory management can leak sensitive information and which are susceptible to memory tampering.

These properties make the Cryptomator source code easier for professionals to test and audit, as certain types of vulnerabilities just don’t apply.