JavaRanch » Java Forums » Engineering » Security
Java source files security

Himanshu Rawat
Ranch Hand

Joined: Nov 27, 2005
Posts: 141
Hi,

Problem description is like this.

One Java source file is used to generate a license key with some combination, and another Java source file is used to validate the generated license key.

Now, if I use a Java decompiler, I can easily generate the source file from the class file. Let's say it goes to some customer; the customer can use a decompiler to decompile the validating Java file and can easily break the license key!!

How can I avoid that? How can I make class files more secure?

Please guys help me out!!


rawat
SCJP 1.4
Pavan Kumar Srinivasan
Greenhorn

Joined: Sep 17, 2008
Posts: 27
Use Java bytecode obfuscators to prevent the user from understanding the decompiled code.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42286
In addition to using an obfuscator you can use an algorithmic key instead of some string that is directly embedded in the source (and thus easily detected). Write a method that checks a key for validity, and make the algorithm as obscure as possible, thus preventing someone from just looking at it to figure out what does or does not make a valid key.

Note, though, that this will only slow down a determined attacker from circumventing any restrictions. Class files can be reengineered; you can only make it harder, you can't prevent it completely.


Ping & DNS - my free Android networking tools app
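Ulf's "algorithmic key" idea, as an added example that is not code from this thread: a key of the form CUSTOMER-SERIAL-CHECK whose last field is a keyed checksum of the other two. The secret bytes and the key format are made up for the example. Because the generator and the validator must share the secret, the secret necessarily ships inside the class file, which is exactly the limitation Ulf points out: a decompiler recovers it, and the attacker can then mint keys at will, obfuscation or not.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: an "algorithmic" license key CUSTOMER-SERIAL-CHECK.
 * CHECK is the first 8 hex digits of HMAC-SHA256(secret, CUSTOMER|SERIAL).
 * Customer IDs must not contain '-' because the key is split on it.
 */
public final class AlgorithmicKey {
    // Hypothetical vendor secret. Generator and validator both need it, so it
    // ends up in the shipped class file where a decompiler shows it verbatim.
    private static final byte[] SECRET =
        "example-secret-do-not-ship".getBytes(StandardCharsets.UTF_8);
    private static final int CHECK_HEX_DIGITS = 8;

    private static String checksum(String customer, int serial) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        byte[] tag = mac.doFinal((customer + "|" + serial).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (int i = 0; i < CHECK_HEX_DIGITS / 2; i++) {
            hex.append(String.format("%02X", tag[i]));   // byte is widened as unsigned here
        }
        return hex.toString();
    }

    /** Vendor side: build a key for a customer. */
    public static String generate(String customer, int serial) throws Exception {
        String id = customer.toUpperCase();
        return id + "-" + serial + "-" + checksum(id, serial);
    }

    /** Customer side: validate a key offline, without contacting the vendor. */
    public static boolean isValid(String key) {
        String[] parts = key.split("-");
        if (parts.length != 3) {
            return false;
        }
        try {
            int serial = Integer.parseInt(parts[1]);
            String expected = checksum(parts[0], serial);
            // Constant-time comparison so the check field cannot be guessed
            // digit by digit through timing differences.
            return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                parts[2].getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {          // bad number, bad length, JCE failure
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String key = generate("acme", 1042);
        System.out.println(key + " valid? " + isValid(key));
        System.out.println("ACME-1042-DEADBEEF valid? " + isValid("ACME-1042-DEADBEEF"));
        System.out.println("ACME-1043-" + key.split("-")[2] + " valid? "
            + isValid("ACME-1043-" + key.split("-")[2]));
    }
}
```

Run it with `java AlgorithmicKey.java` (single-file source launch, Java 11 or later). An obfuscator renames `checksum` and `isValid`; it cannot remove `SECRET`, because the JVM has to hold those bytes in the clear to compute the MAC, and whoever has them has the generator.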
Ilja Preuss
author
Sheriff

Joined: Jul 11, 2001
Posts: 14112
You can use an asymmetric cryptography algorithm: http://en.wikipedia.org/wiki/Public-key_cryptography

Those algorithms make it virtually impossible to re-engineer the key just from knowing the algorithm used to verify it.


The soul is dyed the color of its thoughts. Think only on those things that are in line with your principles and can bear the light of day. The content of your character is your choice. Day by day, what you do is who you become. Your integrity is your destiny - it is the light that guides your way. - Heraclitus
James Sabre
Ranch Hand

Joined: Sep 07, 2004
Posts: 781

Originally posted by Ilja Preuss:
You can use an asymmetric cryptography algorithm: http://en.wikipedia.org/wiki/Public-key_cryptography

Those algorithms make it virtually impossible to re-engineer the key just from knowing the algorithm used to verify it.


Although this may make it "virtually impossible to re-engineer the key", having decompiled the code that does the license check, it is almost trivial, using the decompiled source, to make the routine that checks for a valid license return 'true' (or whatever it needs to return). Compiling the modified license checker and replacing the original in the jar is then trivial.


Retired horse trader.
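Ilja's asymmetric approach, with the patch point James describes marked, as an added example that is not code from this thread. The vendor signs a license payload with an RSA private key that never leaves the vendor; the application embeds only the public key (the DER bytes that `getEncoded()` returns), so a customer who decompiles the validator learns nothing that lets them forge a key. The key pair is generated in `main` purely so the block runs stand-alone; the payload format and field names are made up for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * Added example: license key = base64(payload) "." base64(RSA signature over payload).
 * Standard Base64 never emits '.', so splitting on it is unambiguous.
 */
public final class SignedLicense {

    /** Vendor side, never shipped: sign the payload with the vendor's private key. */
    public static String issue(PrivateKey vendorKey, String payload) throws Exception {
        byte[] bytes = payload.getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(vendorKey);
        signer.update(bytes);
        return Base64.getEncoder().encodeToString(bytes)
             + "." + Base64.getEncoder().encodeToString(signer.sign());
    }

    /**
     * Customer side: only the vendor's public key is embedded in the class file.
     * This method is the single patch point James describes: an attacker who
     * decompiles it can replace the body with "return true", or swap the embedded
     * public key for their own and sign licenses with the matching private key.
     */
    public static boolean isLicensed(byte[] vendorPublicKeyDer, String licenseKey) {
        try {
            String[] parts = licenseKey.split("\\.", 2);
            if (parts.length != 2) {
                return false;
            }
            byte[] payload = Base64.getDecoder().decode(parts[0]);
            byte[] signature = Base64.getDecoder().decode(parts[1]);
            PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(vendorPublicKeyDer));
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(pub);
            verifier.update(payload);
            return verifier.verify(signature);
        } catch (Exception e) {      // malformed base64, bad key bytes, bad signature encoding
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Generated here only so the example runs; in practice the private key stays offline.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] embeddedPublicKey = kp.getPublic().getEncoded();   // what the application ships

        String license = issue(kp.getPrivate(), "customer=Example Corp;seats=5;expires=2026-12-31");
        System.out.println("genuine license valid?  " + isLicensed(embeddedPublicKey, license));

        // Tampering attempt: edit the payload but keep the original signature.
        String signaturePart = license.split("\\.", 2)[1];
        String forgedPayload = Base64.getEncoder().encodeToString(
            "customer=Example Corp;seats=5000;expires=2099-12-31".getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered license valid? " + isLicensed(embeddedPublicKey, forgedPayload + "." + signaturePart));
        System.out.println("garbage valid?          " + isLicensed(embeddedPublicKey, "not-a-license"));
    }
}
```

The cryptography closes the door Ilja is talking about (deriving a valid key from the verifier), and nothing else: the decompiled class still reveals both the check to neutralise and the public-key bytes to replace, so a user with the jar in hand is limited only by effort, which is the point James and Ulf make.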
Ilja Preuss
author
Sheriff

Joined: Jul 11, 2001
Posts: 14112
Originally posted by James Sabre:


Although this may make it "virtually impossible to re-engineer the key", having decompiled the code that does the license check, it is almost trivial, using the decompiled source, to make the routine that checks for a valid license return 'true' (or whatever it needs to return). Compiling the modified license checker and replacing the original in the jar is then trivial.


Not if you sign the jar file.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42286
Originally posted by Ilja Preuss:
Not if you sign the jar file.

As I understand it, the question is what an attacker might do with an application's jar file once he has it in his hand. James is correct that nothing prevents the bad guy from patching any licensing restrictions out of the binary. The reconstituted jar file is now unsigned (or at least not signed using the original key). But what practical difference does that make to the running of the application? Can an application check whether the jar file it's in was signed by a particular key/user? And if so, couldn't I patch that check out of the code as well?
Ilja Preuss
author
Sheriff

Joined: Jul 11, 2001
Posts: 14112
Mhh, good questions, no good answers from me...
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
I concur with Pavan's answer and Ulf's analyses. An open-source obfuscator is available at http://proguard.sourceforge.net/.


Nice to meet you.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42286
ProGuard is cool; it's what I use when I have a need for obfuscation.