Are private methods really safe?

Solution 1:

It depends on what you mean by "safe". If you're running with a security manager that allows this sort of thing, then yes, you can do all kinds of nasty things with reflection. But then in that kind of environment the library can probably just be modified to make the method public anyway.

Access control is effectively "advisory" in an environment like that - you're effectively trusting the code to play nicely. If you don't trust the code you're running, you should use a more restrictive security manager.

Solution 2:

Access modifiers have nothing to do with security. In fact you can and should look at access modifiers as the reverse of security -- it is not to protect your data or algorithims, it is to protect people from the requirement to know about your data and algorithims. This is why the default modifier is package -- if they are working on the package they probably already need to know.

Along with the knowledge of the data and the methods of your code, comes the responibility to know when and how to use it. You don't put private on your inIt method to keep someone from finding out about it, you do so because (a) they aren't going to know that you only call that after foo and only if bar = 3.1415 and (b) because it does them no good to know about it.

Access modifers can be summed up in a simple phrase "TMI, dude, I so didn't need to know that".