Recently the security team on my project released a secure code guidelines document, designed to be used as part of our code reviews. The first thing that struck me was an item that said “Do not use Inner classes”. I thought this seemed like a very heavy handed and sweeping statement. Inner classes are good if used correctly right?, but i did a bit of googling and found this, quoted here for convenience.

Rule 5: Don’t Use Inner Classes

Some Java language books say that
inner classes can only be accessed by
the outer classes that enclose them.
This is not true. Java byte code has
no concept of inner classes, so inner
classes are translated by the compiler
into ordinary classes that happen to
be accessible to any code in the same
package. And Rule 4 says not to depend
on package scope for protection.

But wait, it gets worse. An inner
class gets access to the fields of the
enclosing outer class, even if these
fields are declared private. And the
inner class is translated into a
separate class. In order to allow this
separate class access to the fields of
the outer class, the compiler silently
changes these fields from private to
package scope! It’s bad enough that
the inner class is exposed, but it’s
even worse that the compiler is
silently overruling your decision to
make some fields private. Don’t use
inner classes if you can help it.
(Ironically, the new Java 2
doPrivileged() API usage guidelines
suggest that you use an inner class to
write privileged code. That’s one
reason we don’t like the
doPrivileged() API.)

My questions are

1. Does this behaviour still exist in java 5 / 6?
2. Is this actually a security risk, given that any class, other than the outer and inner classes, that tried to access the outer class’ private members would not compile?
3. Does it pose enough of a security risk to warant the ‘guideline’ ‘Do not use inner classes’?