can anyone explain his point?
How does Java string being immutable increase security?

A very common practice in writing class libraries is storing the parameters passed into your API, say, in a constructor, like this:

    public class MyApi {
        final String myUrl;

        public MyApi(String urlString) {
            // Verify that urlString points to an approved server
            if (!checkApprovedUrl(urlString)) throw new IllegalArgumentException();
            myUrl = urlString;
        }
    }

Were String mutable, this would lead to a subtle exploit: an attacker would pass a good URL, wait for a few microseconds, and then set the URL to point to an attack site.

Since storing without copying is a reasonably common practice, and because strings are among the most commonly used data types, leaving strings mutable would leave many APIs that are not written yet open to a serious security problem. Making strings immutable closes this particular security hole for all APIs, including the ones that are not written yet.
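To make the answer's time-of-check/time-of-use argument concrete, here is an added example (it is not part of the original post or any library): the same "validate then store" constructor written three ways. `MutableApi` accepts a `CharSequence`, which a caller can back with a `StringBuilder` and rewrite after the check has passed; `ImmutableApi` takes a `String`, so the stored value is exactly the value that was checked; `DefensiveCopyApi` shows the general fix when a mutable type cannot be avoided. The approval rule (HTTPS plus a host allowlist), the host names, and the class names are assumptions made for the illustration. Requires Java 9 or later for `Set.of`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class ImmutableStringDemo {

    // Assumed allowlist for this example only.
    static final Set<String> APPROVED_HOSTS = Set.of("api.example.com");

    // Hypothetical version of the answer's checkApprovedUrl: HTTPS and an allowlisted host.
    static boolean checkApprovedUrl(CharSequence url) {
        try {
            URI u = new URI(url.toString());
            return "https".equals(u.getScheme())
                    && u.getHost() != null
                    && APPROVED_HOSTS.contains(u.getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Vulnerable shape: the constructor keeps a reference to a caller-owned mutable buffer.
    // This is what every String-taking constructor would look like if String were mutable.
    static final class MutableApi {
        final CharSequence myUrl;

        MutableApi(CharSequence urlString) {
            if (!checkApprovedUrl(urlString)) throw new IllegalArgumentException("not approved");
            myUrl = urlString; // stored without copying; the caller can still change it
        }

        String target() { return myUrl.toString(); }
    }

    // Safe shape: String cannot change after the check, so the stored value is the checked value.
    static final class ImmutableApi {
        final String myUrl;

        ImmutableApi(String urlString) {
            if (!checkApprovedUrl(urlString)) throw new IllegalArgumentException("not approved");
            myUrl = urlString;
        }

        String target() { return myUrl; }
    }

    // General fix when the parameter type is mutable: snapshot first, then check and store the snapshot.
    static final class DefensiveCopyApi {
        final String myUrl;

        DefensiveCopyApi(CharSequence urlString) {
            String snapshot = urlString.toString(); // StringBuilder.toString() copies the characters
            if (!checkApprovedUrl(snapshot)) throw new IllegalArgumentException("not approved");
            myUrl = snapshot;
        }

        String target() { return myUrl; }
    }

    public static void main(String[] args) {
        // 1. Attacker passes an approved URL, then rewrites the buffer after validation.
        StringBuilder buf = new StringBuilder("https://api.example.com/v1");
        MutableApi mutable = new MutableApi(buf);
        buf.setLength(0);
        buf.append("https://attacker.example.net/steal");
        System.out.println("MutableApi target:       " + mutable.target()
                + " (approved now? " + checkApprovedUrl(mutable.target()) + ")");

        // 2. Same attack against the defensive copy has no effect on the stored value.
        StringBuilder buf2 = new StringBuilder("https://api.example.com/v1");
        DefensiveCopyApi copied = new DefensiveCopyApi(buf2);
        buf2.setLength(0);
        buf2.append("https://attacker.example.net/steal");
        System.out.println("DefensiveCopyApi target: " + copied.target()
                + " (approved now? " + checkApprovedUrl(copied.target()) + ")");

        // 3. With String there is nothing for the caller to mutate; only the checked value can be stored.
        ImmutableApi immutable = new ImmutableApi("https://api.example.com/v1");
        System.out.println("ImmutableApi target:     " + immutable.target());

        // 4. A bad URL never gets past the constructor in any of the three variants.
        try {
            new ImmutableApi("https://attacker.example.net/steal");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected at construction: " + e.getMessage());
        }
    }
}
```

In the example the buffer is rewritten from the same thread right after the constructor returns; the answer's "wait a few microseconds" describes the same thing done from a second thread between the check and the first use, which is harder to see but no different in effect. The takeaway is that `DefensiveCopyApi` is what every author would have to remember to write for every stored parameter if `String` were mutable, and immutability makes that copy unnecessary for the most common type.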