Interfaces are used to group together all the methods that a class promises to publicly expose. The implementing classes are obliged to provide concrete implementations for all these methods. Interfaces are a necessary ingredient of the public API and once released, it can be very hard to fix any flaws without breaking any code that implements the older version. The security specific repercussions include the following:
In this noncompliant code example, an interface User is frozen with two methods authenticate() and subscribe(). Sometime later, the providers release a free service that does not rely on authentication. 
| 
public interface User {
  boolean authenticate(String username, char[] password);
  void subscribe(int noOfDays);
  void freeService(); // introduced after the class is publicly released
}
 | 
The addition of the freeService() method, unfortunately, breaks all the client code that implements the interface. Moreover, the implementers who wish to use only freeService have to face the onus of also providing the other two methods which pollute the API, for reasons discussed earlier.
An alternative idea is to prefer abstract classes for dealing with constant evolution, but this comes at the cost of flexibility that interfaces offer (a class may implement multiple interfaces but extend only one class). One notable pattern is for the provider to distribute an abstract skeletal class that implements the evolving interface. The skeletal class can selectively implement a few methods and force the extending classes to provide concrete implementations of the others. If a new method is added to the interface, the skeletal class can provide a non-abstract default implementation that the extending class can optionally override. 
| 
public interface User {
  boolean authenticate(String username, char[] password);
  void subscribe(int noOfDays);
  void freeService(); // Introduced after the API is publicly released
}
abstract class SkeletalUser implements User {
  public abstract boolean authenticate(String username, char[] password);
  public abstract void subscribe(int noOfDays);
  public void freeService() { 
    // Added later, provide implementation and re-release class 
  }
}
class Client extends SkeletalUser {
  // Implements authenticate() and subscribe(), not freeService()
}
 | 
Although useful, this pattern may be insecure because a provider who is unaware of the extending class's code, may choose an implementation that introduces security weaknesses in the client API.
A better design strategy is to anticipate the future evolution of the service. The core functionality should be implemented in the User interface and in this case, only the premium service may be required to extend from it. To avail of the new free service, an existing class may then choose to simply implement the new interface FreeUser or just completely ignore it.
| 
public interface User {
  boolean authenticate(String username, char[] password);
}
public interface PremiumUser extends User {
  void subscribe(int noOfDays);
}
public interface FreeUser {
  void freeService();
}
 | 
Another compliant solution is to throw an exception from within the new, freeService() method defined in the implementing subclass. 
| 
class Client implements User {
  public void freeService() {
    throw new AbstractMethodError();
  } 
}
 | 
Although allowable, a less flexible compliant solution is to delegate the implementation of the method to subclasses of the client's core interface implementing class.
| 
abstract class Client implements User  {
  public abstract void freeService(); // Delegate implementation of new method to subclasses
  // Other concrete implementations
}
 | 
Failing to publish stable, flaw-free interfaces can break the contracts of the implementing classes, pollute the client API and possibly introduce security weaknesses in the implementing classes.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| MSC09-J | low | probable | high | P2 | L3 | 
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
| \[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 18: "Prefer interfaces to abstract classes" | 
DCL13-J. Avoid cyclic dependencies between packages 49. Miscellaneous (MSC) MSC10-J. Limit the lifetime of sensitive data