Java source files security

 
Himanshu Rawat
Ranch Hand
Posts: 141
Hi,

The problem description is like this.

One Java source file is used to generate a license key with some combination, and another Java source file is used to validate the same generated license key.

Now, if I use a Java decompiler, I can easily generate the source file from the class file. Let's say it goes to some customer; the customer can use a decompiler to decompile the validating Java file and can easily break the license key!!

How can I avoid that? How can I make class files more secure?

Please, guys, help me out!!
 
Pavan Kumar Srinivasan
Greenhorn
Posts: 27
Use Java bytecode obfuscators to prevent the user from understanding the decompiled code.
 
Ulf Dittmer
Rancher
Posts: 42967
In addition to using an obfuscator you can use an algorithmic key instead of some string that is directly embedded in the source (and thus easily detected). Write a method that checks a key for validity, and make the algorithm as obscure as possible, thus preventing someone from just looking at it to figure out what does or does not make a valid key.

Note, though, that this will only slow down a determined attacker from circumventing any restrictions. Class files can be reengineered; you can only make it harder, you can't prevent it completely.
 
Ilja Preuss
author
Sheriff
Posts: 14112
You can use an asymmetric cryptography algorithm: http://en.wikipedia.org/wiki/Public-key_cryptography

Those algorithms make it virtually impossible to re-engineer the key just from knowing the algorithm used to verify it.
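To make Ilja's suggestion concrete, here is an added example (editor's code, not code from this thread) of a signed license key using only the JDK: the vendor signs a small payload with an RSA private key that never leaves the vendor, and the shipped validator carries only the public key, so knowing the verification code does not let anyone mint new keys. The payload format ("customer=...;expires=...") and the customer name, dates and key pair are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.DateTimeException;
import java.time.LocalDate;
import java.util.Base64;

public final class SignedLicense {

    // Vendor side (never shipped): produce "base64url(payload).base64url(signature)".
    static String issue(PrivateKey vendorKey, String payload) throws GeneralSecurityException {
        byte[] data = payload.getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(vendorKey);
        sig.update(data);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(data) + "." + enc.encodeToString(sig.sign());
    }

    // Customer side (shipped; holds only the public key): returns the payload when the
    // signature verifies and the key has not expired, otherwise null.
    static String validate(PublicKey vendorPublicKey, String licenseKey, LocalDate today) {
        try {
            String[] parts = licenseKey.split("\\.", -1);
            if (parts.length != 2) return null;
            byte[] data = Base64.getUrlDecoder().decode(parts[0]);
            byte[] signature = Base64.getUrlDecoder().decode(parts[1]);
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(vendorPublicKey);
            sig.update(data);
            if (!sig.verify(signature)) return null;
            String payload = new String(data, StandardCharsets.UTF_8);
            // Constructed payload convention: "customer=<name>;expires=<ISO date>".
            for (String field : payload.split(";")) {
                if (field.startsWith("expires=")
                        && LocalDate.parse(field.substring("expires=".length())).isBefore(today)) {
                    return null;
                }
            }
            return payload;
        } catch (GeneralSecurityException | IllegalArgumentException | DateTimeException e) {
            return null; // malformed Base64, bad key material, or an unparsable date
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendor = kpg.generateKeyPair();    // private half stays with the vendor
        LocalDate today = LocalDate.of(2025, 1, 1); // constructed "current" date

        String key = issue(vendor.getPrivate(), "customer=acme;expires=2030-01-01");
        System.out.println("genuine key: " + validate(vendor.getPublic(), key, today));

        // Tampering attempt: a different payload reusing the vendor's signature fails.
        String forgedPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("customer=acme;expires=2099-01-01".getBytes(StandardCharsets.UTF_8));
        String forged = forgedPayload + key.substring(key.indexOf('.'));
        System.out.println("forged key:  " + validate(vendor.getPublic(), forged, today));

        // A correctly signed but expired key is also rejected.
        String expired = issue(vendor.getPrivate(), "customer=acme;expires=2020-01-01");
        System.out.println("expired key: " + validate(vendor.getPublic(), expired, today));
    }
}
```

In a real product the public key would be embedded in the validator as its X.509 encoding (rebuilt with KeyFactory and X509EncodedKeySpec) rather than generated at run time, and the private key would live only on the vendor's issuing machine. This protects the key-generation secret; it does not, as James points out below, stop someone from editing the class so that validate is never consulted.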
 
James Sabre
Ranch Hand
Posts: 781
Originally posted by Ilja Preuss:
You can use an asymmetric cryptography algorithm: http://en.wikipedia.org/wiki/Public-key_cryptography

Those algorithms make it virtually impossible to re-engineer the key just from knowing the algorithm used to verify it.

Although this may make it "virtually impossible to re-engineer the key", having decompiled the code that does the license check, it is almost trivial, using the decompiled source, to make the routine that checks for a valid license return 'true' (or whatever it needs to return). Compiling the modified license checker and replacing the original in the jar is then trivial.
 
Ilja Preuss
author
Sheriff
Posts: 14112
Originally posted by James Sabre:
Although this may make it "virtually impossible to re-engineer the key", having decompiled the code that does the license check, it is almost trivial, using the decompiled source, to make the routine that checks for a valid license return 'true' (or whatever it needs to return). Compiling the modified license checker and replacing the original in the jar is then trivial.

Not if you sign the jar file.
 
Ulf Dittmer
Rancher
Posts: 42967
Originally posted by Ilja Preuss:
Not if you sign the jar file.

As I understand it, the question is what an attacker might do with an application's jar file once he has it in his hand. James is correct that nothing prevents the bad guy from patching any licensing restrictions out of the binary. The reconstituted jar file is now unsigned (or at least not signed using the original key). But what practical difference does that make to the running of the application? Can an application check whether the jar file it's in was signed by a particular key/user? And if so, couldn't I patch that check out of the code as well?
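On Ulf's first question, an application can inspect the signer certificates that the class loader attached to its own code source. This added example (editor's code, not from the thread) does that with the standard CodeSource API, comparing each certificate's SHA-256 fingerprint against a pinned value; the pinned fingerprint is a placeholder to be replaced with that of the vendor's real signing certificate. Ulf's second point stands: this check lives in the same jar the attacker holds, so it can be patched out exactly like the license check, and it only raises the effort required.

```java
import java.security.CodeSource;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;

public final class SelfSignatureCheck {

    // Placeholder: hex SHA-256 fingerprint of the vendor's signing certificate.
    static final String EXPECTED_CERT_SHA256 = "<fingerprint of the vendor signing certificate>";

    // True if clazz was loaded from a jar whose verified signer certificates include the
    // pinned one. getCertificates() is only populated when the class loader verified a
    // signed jar; a re-packed, unsigned jar yields null and the check fails.
    static boolean loadedFromPinnedSigner(Class<?> clazz, String expectedSha256Hex) {
        CodeSource cs = clazz.getProtectionDomain().getCodeSource();
        if (cs == null) return false;            // e.g. bootstrap classes have no code source
        Certificate[] certs = cs.getCertificates();
        if (certs == null) return false;         // unsigned jar, or signature not verified
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Certificate cert : certs) {
                if (hex(sha256.digest(cert.getEncoded())).equalsIgnoreCase(expectedSha256Hex)) {
                    return true;
                }
            }
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            return false;
        }
        return false;                            // signed, but by a different certificate
    }

    // Lower-case hex rendering of a digest, for comparison with the pinned fingerprint.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("running from pinned signer: "
                + loadedFromPinnedSigner(SelfSignatureCheck.class, EXPECTED_CERT_SHA256));
    }
}
```

Run unsigned (for example straight from a classes directory) this prints false, because no certificates are attached; it prints true only when the class is loaded from a jar signed by the certificate whose fingerprint is pinned. The fingerprint of a certificate can be read from the vendor's keystore with keytool before pinning it.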
 
Ilja Preuss
author
Sheriff
Posts: 14112
Mhh, good questions, no good answers from me...
 
greg stark
Ranch Hand
Posts: 220
I concur with Pavan's answer and Ulf's analyses. An open-source obfuscator is available at http://proguard.sourceforge.net/.
 
Ulf Dittmer
Rancher
Posts: 42967
ProGuard is cool; it's what I use when I have a need for obfuscation.
 