How does Java strings being immutable increase security?

A very common practice in writing class libraries is storing the parameters passed into your API, say, in a constructor, like this:

public class MyApi {
    final String myUrl;
    public MyApi(String urlString) {
        // Verify that urlString points to an approved server
        if (!checkApprovedUrl(urlString)) throw new IllegalArgumentException();
        myUrl = urlString;
    }
}

Were String mutable, this would lead to a subtle exploit: an attacker would pass a good URL, wait for a few microseconds, and then set the URL to point to an attack site.

Since storing without copying is a reasonably common practice, and because strings are among the most commonly used data types, leaving strings mutable would open up many APIs that are not written yet open to a serious security problem. Making strings immutable closes this particular security hole for all APIs, including the ones that are not written yet.


Immutable strings are required for the SecurityManager concept to work. dasbklinkenlight is already on the right track with his answer, but mutable strings would break the sandbox concept entirely.

For example, when you do a new FileInputStream("foo"); to read a file, the API implementation will internally do among others:

  • invoke the security manager's checkRead method with "foo" as an argument and throw an exception if the check fails
  • use operating system calls to actually open the file if the security check passed

If the invoker is able to modify the string between these two steps, the security check may succeed for one file, while actually a different file will be opened.