I am just concerned with security for Java classes. For example, someone could just take our distributed jar files, extract them and decompile them using tools such as DJ Java Decompiler. Is there any way to prevent this from happening?
A topic discussed at length in many places. Java is compiled into a well-documented intermediate bytecode language. Anyone with knowledge of the bytecode (which is everyone, since it's public) can decompile your Java applications. Technically no code is "secure" - even native code can be decompiled, but it's an awful lot harder to do that than with Java, where everything is machine-independent and precise, and carries all the metadata about datatypes with it (unlike C++ compiled code which can be told to strip it all away).
Many people have tried, and failed, to find clever ways to encrypt their classes. But fundamentally it just doesn't work with the classloader; for the reasons why, see "Cracking Java byte-code encryption".
The best you can do is obfuscate your code - i.e. make it as difficult as possible for people to read what is decompiled. There are many tools available to do this. Essentially they all do what C++ does and make the metadata extremely difficult for humans to read while still being intelligible to machines. Then it doesn't become worth the effort to decompile it.
Charles Lyons (SCJP 1.4, April 2003; SCJP 5, Dec 2006; SCWCD 1.4b, April 2004)
Author of OCEJWCD Study Companion for Oracle Exam 1Z0-899 (ISBN 0955160340 / Amazon / Amazon UK)
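As an added illustration of the point above that the bytecode carries all its metadata with it (this is not code from the thread), the following small Java program reads a .class file's constant pool and prints every Utf8 entry: the class, field and method names, type descriptors and attribute names that a decompiler recovers verbatim from an unobfuscated jar. It inspects its own compiled class; running it against a class from an obfuscated build shows most of those names replaced by meaningless ones.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

// Lists every CONSTANT_Utf8 entry in a class file. These strings are the
// human-readable metadata (names and type descriptors) that obfuscators rename.
public class ConstantPoolNames {

    public static List<String> utf8Entries(InputStream classBytes) throws IOException {
        DataInputStream in = new DataInputStream(classBytes);
        if (in.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file");
        }
        in.readUnsignedShort();                 // minor_version
        in.readUnsignedShort();                 // major_version
        int count = in.readUnsignedShort();     // constant_pool_count
        List<String> names = new ArrayList<>();
        for (int i = 1; i < count; i++) {       // constant pool indices are 1-based
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1:  names.add(in.readUTF()); break;            // CONSTANT_Utf8: u2 length + modified UTF-8
                case 3: case 4: in.readInt(); break;                // Integer, Float
                case 5: case 6: in.readLong(); i++; break;          // Long, Double occupy two slots
                case 7: case 8: case 16: case 19: case 20:
                    in.readUnsignedShort(); break;                  // Class, String, MethodType, Module, Package
                case 9: case 10: case 11: case 12: case 17: case 18:
                    in.readInt(); break;                            // Field/Method/InterfaceMethodref, NameAndType, (Invoke)Dynamic
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break; // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        return names;
    }

    public static void main(String[] args) throws IOException {
        // Inspect this very class as produced by javac (default package, so the
        // resource name is just the simple class name plus ".class").
        try (InputStream self = ConstantPoolNames.class.getResourceAsStream("ConstantPoolNames.class")) {
            for (String s : utf8Entries(self)) {
                System.out.println(s);
            }
        }
    }
}
```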
At the beginning I made a choice among .NET, Java and Delphi, and I chose Java. In this respect, I mean the software security issue, is there a better choice? Especially for a software house? Which languages are safer against decompilation?
.NET suffers exactly the same problem because it is compiled into the intermediate language (CIL) on the CLR. This is just the same as Java. Never programmed Delphi, so I can't advise you there. Native code (assembly, or compiled C/C++) is always going to be the most difficult to decompile because it's the lowest level - how would you follow a complex program containing a load of CPU instructions to move things around the registers?! But then you're severely platform dependent and have to port your code...
The question really is: how important is it that your program is secure? Even a savvy computer user isn't going to know how, let alone bother, to decompile an application. Only hackers interested in developing a crack for any licensing you invent will take on the challenge. Then you have to ask how likely that really is.
BTW, on Linux you could try the GCJ compiler - it can compile most Java code into a native executable with only an extra library to link at runtime. It generally gives smaller executables with lower memory consumption too.
Most companies find code obfuscation is sufficient (Google for it) as their products target a limited market who aren't programmers so don't know how to reverse engineer, let alone care!
Thank you for your time Charles, that was really useful. I think as time advances, more and more companies will take the issue more seriously and incorporate built-in security mechanisms into the platform itself.