Java Bytecode decompilation — Unused Methods Prese

Posted 2019-06-11 23:05

Question:

Say I have

    private void ThisIsMySecurityMethodPleaseLookHERE() {
        //security stuff
    }

in my program, but that method is called nowhere in any of the actually executed code. Does it get compiled to bytecode? Or does the Java compiler recognize that fact and filter it out? I know it would never make it PAST bytecode, since it is not truly called.

I ask because I know Java is notoriously easy to decompile. Would all of my unused methods also be present when they decompile one of my .class files?

I assume that this is not the case, since, were it the case, every java file would have bloat code to hide the real code, and be passed through an obfuscator.

I'm just trying to think of methods other than obfuscation to resist the casual hacker.

Answer 1:

Why assume anything? Use javap -c to see what's in the byte code.

Given that the compiler can't know whether the private method might be called by reflection, I'd expect it to still be present, personally.

I'm not sure what you mean by this:

> I assume that this is not the case, since, were it the case, every java file would have bloat code to hide the real code, and be passed through an obfuscator.

I would hope that most developers would realise that security through obscurity is little protection at all - but also that the true value of the code itself is usually in the design etc, rather than just the implementation. So no, don't include sensitive information in your classes - but equally don't get too paranoid. You need to weigh up the costs of trying to defeat attackers with the cost of them "winning". That balance will depend on the code involved - and also the kind of attack you're trying to guard against.
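As an added example (not part of the original answer), this program reuses the question's method name, gives it a `String` return value as an assumption, and checks three things the answer relies on: the unused private method is in the compiled class's method table, its name is stored verbatim in the `.class` file, and reflection can still invoke it. The class name `UnusedMethodDemo` is hypothetical.

```java
import java.io.InputStream;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.nio.charset.StandardCharsets;

public class UnusedMethodDemo {
    // Never called directly by any code in this program.
    // The String return value is an assumption made for the demo.
    private String ThisIsMySecurityMethodPleaseLookHERE() {
        return "security stuff";
    }

    public static void main(String[] args) throws Exception {
        Class<?> c = UnusedMethodDemo.class;

        // 1. The method table of the compiled class still lists the unused method.
        for (Method m : c.getDeclaredMethods()) {
            System.out.println(Modifier.toString(m.getModifiers()) + " " + m.getName());
        }

        // 2. Its name sits verbatim in the constant pool of the .class file,
        //    so a decompiler (or a plain strings search) recovers it.
        try (InputStream in = c.getResourceAsStream("UnusedMethodDemo.class")) {
            if (in == null) {
                throw new IllegalStateException("compile with javac before running");
            }
            String raw = new String(in.readAllBytes(), StandardCharsets.ISO_8859_1);
            System.out.println("name in class file: "
                    + raw.contains("ThisIsMySecurityMethodPleaseLookHERE"));
        }

        // 3. Reflection can call it although the source has no call site,
        //    which is why javac cannot safely drop it.
        Method hidden = c.getDeclaredMethod("ThisIsMySecurityMethodPleaseLookHERE");
        hidden.setAccessible(true);
        System.out.println("invoked via reflection: "
                + hidden.invoke(new UnusedMethodDemo()));
    }
}
```

Compile with `javac UnusedMethodDemo.java` (Java 9 or later for `readAllBytes`) and run `java UnusedMethodDemo`. Running `javap -p -c UnusedMethodDemo` shows the same method; without `-p`, `javap` omits private members.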



Answer 2:

The private method will actually make it to byte code. Maybe even assembly code. You have to think of all these methods as getting translated to routines. So for any private method that is not being used there will still be a routine in the byte code block.

On a different note, there are tools out there that clean this stuff up and remove excessive code/classes that are not being used. If that is the case, then yes, you don't have them in the decompiled code.