Is security needed for applets/client side?

Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

I'm doing an applet for someone who also wants it to be downloadable to a client, and also a mobile app. He talks about security so I wanted to know if I would need it. Normally I see security being used for client-server stuff and stuff that goes through the web. So basically I want to know if it's possible to decode a Jar. It's honestly nothing ridiculously important, so I don't know why he's crazy about it, it's not like something for a super huge company, but I am curious if we need any extra protection. I will sign the Jar and such but I don't know if anything extra is needed.
Greg Charles
Sheriff

Joined: Oct 01, 2001
Posts: 2861

Signing the JAR just gives protection against an attacker substituting a bogus version of your applet that could be dangerous to the client. It doesn't protect communications between the client and server, if there is any. It seems if the customer is interested in security, they should have some idea of what they want to secure, though I've worked with plenty of customers who didn't. They just wanted to be able to check off the "Secure" box on their project plan.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Greg Charles wrote:Signing the JAR just gives protection against an attacker substituting a bogus version of your applet that could be dangerous to the client. It doesn't protect communications between the client and server, if there is any. It seems if the customer is interested in security, they should have some idea of what they want to secure, though I've worked with plenty of customers who didn't. They just wanted to be able to check off the "Secure" box on their project plan.


He doesn't want anyone to get into my code. I don't think that anyone can via a Jar, that's why I asked if there was a way to decode it somehow. I would assume Jar files are encrypted via the JVM and the build program I use, but I'm not sure of the full gist of it. I think all that's needed is to sign it, unless you have any other thoughts?
Greg Charles
Sheriff

Joined: Oct 01, 2001
Posts: 2861

Oh, I get it. Unfortunately, yes, the clients could pretty easily decompile your Java classes, even from a signed jar. Have a look at our Applets FAQ.
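As an added illustration of the two points made above (this is not code from the thread or from the JavaRanch FAQ): a small Java program, assumed to be given the path of a signed JAR as its first argument, that reads every entry with signature verification enabled. An entry that was modified after signing fails its digest check, which is the protection signing gives you; the untouched entries are still plain, unencrypted .class bytes (starting with the 0xCAFEBABE magic) that any decompiler can read.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Walks a JAR, verifying each entry's signature and reporting whether it is readable class data. */
public class JarSignatureCheck {

    // Every .class file starts with the magic number 0xCAFEBABE; nothing in the JAR encrypts it.
    private static boolean looksLikeClassFile(byte[] head, int n) {
        return n >= 4 && (head[0] & 0xFF) == 0xCA && (head[1] & 0xFF) == 0xFE
                && (head[2] & 0xFF) == 0xBA && (head[3] & 0xFF) == 0xBE;
    }

    public static void main(String[] args) throws IOException {
        // verify = true: the JVM checks each entry's digest against META-INF/*.SF while it is read
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // manifest and signature files are the signature, not signed content
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;

                byte[] head = new byte[4];
                int n;
                try (InputStream in = jar.getInputStream(entry)) {
                    n = in.read(head);
                    // the entry must be read to the end before getCodeSigners() is populated
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* discard */ }
                } catch (SecurityException tampered) {
                    // a modified entry fails its digest check: this is what signing protects against
                    System.out.println("TAMPERED  " + entry.getName() + ": " + tampered.getMessage());
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();   // null for unsigned entries
                String status = (signers == null) ? "unsigned  " : "signed    ";
                String kind = looksLikeClassFile(head, n) ? "plain class bytes" : "data";
                System.out.println(status + entry.getName() + " (" + kind + ")");
            }
        }
    }
}
```

Run it as `java JarSignatureCheck app.jar` against a JAR signed with `jarsigner`: a signed, untouched class prints as "signed ... (plain class bytes)", which is exactly why signing does nothing to stop decompilation.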
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Greg Charles wrote:Oh, I get it. Unfortunately, yes, the clients could pretty easily decompile your Java classes, even from a signed jar. Have a look at our Applets FAQ.


Humph... Well that stinks... Which would you recommend? #3 seems like a good choice, #1 seems like all it's doing is renaming stuff.

Now this is for applets, or also includes client side code....? I'm sure there has to be a really safe method, or no one would ever use java for an application in fear of having issues with hackers? I doubt I'm going to run into someone who knows what they are doing, but who knows, I want to be safe, especially since this is work for someone else....
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18907

The problem is easily solved by not caring whether people can see your code.

I mean, really. What could anybody possibly gain by seeing your code? And in case that sounds like a rhetorical question, it isn't. Seriously. What harm would it do if your applet code were published on the web for everybody to look at?
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Paul Clapham wrote:The problem is easily solved by not caring whether people can see your code.

I mean, really. What could anybody possibly gain by seeing your code? And in case that sounds like a rhetorical question, it isn't. Seriously. What harm would it do if your applet code were published on the web for everybody to look at?


I don't care too much personally (even though I'd rather not have my code out there), this is what my employer asks.... It's not a super crazy program anyways (so I care less about it), so it's not like I'm losing anything, it's just what he wants.... I'm assuming it's more for his competition to not be able to look at it....

Also if they opened the Jar could they get rid of my certificate? I guess it doesn't matter since they could just redo the code themselves, but just curious :).



However this is a concern since I want to put a professional program in a webpage so that people can try the demo of it before buying it. I did read something about applets accessing applications in that link. I will care very much if this code is available.....


This brings me back to my first question, what is the security of Java Applications and how does it differ from an Applet since they would both be Jars, or the other program would be an EXE I guess?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42612
Security is an extremely broad field. Keeping your app's code protected is only a tiny part of it. As Greg said, unless you provide a much more specific definition of what security means to you, this question can't be answered.


Ping & DNS - my free Android networking tools app
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Ulf Dittmer wrote:Security is an extremely broad field. Keeping your app's code protected is only a tiny part of it. As Greg said, unless you provide a much more specific definition of what security means to you, this question can't be answered.


Well since I'm not going to be getting data from a server(I don't think at this point anyway) the only thing I would want secure is that my code doesn't get out there, and that it cannot be messed with on the site, which I have mentioned in previous posts. Signing as mentioned above would help with the applet being switched and knowing that it's mine, however I want to protect my code. I'm not sure why anyone wouldn't want to in any case.

So my overall question is again how do I protect my code from being viewed? From the link provided it seems like it cannot really be done, but why is that? Is it the same for desktop applications and server applications as well? Sounds pretty stupid that anyone can access the code.... Why would anyone use Java if their code is viewable to the outside world?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42612
The difference for server applications is that the code never gets into anyone's hands, so there's nothing to protect. Java code that's out there on the client can not be protected completely, which is what that FAQ page tries to explain. At some point the unprotected class files must be available to the JVM, and at that point a sufficiently motivated attacker can get at it and try decompilation. If you have code that absolutely, positively must not get into anyone's hands, then you need to run that code on the server and access it via a REST call or some such mechanism (and hope that your server admins are trustworthy).
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Ulf Dittmer wrote:The difference for server applications is that the code never gets into anyone's hands, so there's nothing to protect. Java code that's out there on the client can not be protected completely, which is what that FAQ page tries to explain. At some point the unprotected class files must be available to the JVM, and at that point a sufficiently motivated attacker can get at it and try decompilation. If you have code that absolutely, positively must not get into anyone's hands, then you need to run that code on the server and access it via a REST call or some such mechanism (and hope that your server admins are trustworthy).



I see, so only if someone knows what they are doing and can access what's running in the JVM. How hard is that to do though? This means any program run by Java via the client side is at risk, seems like a reason people wouldn't use Java for client side....? Which method would you recommend besides doing a client-server application?

Seems like these would be good choices
download the class files in your code as binary data using your own ClassLoader
encrypt the bytes you send (for some details see this thread)

I could also use 4 or 5, but I doubt anyone with extreme knowledge will try to get their hands on the code. I and my employer just want to make sure that it's not accessible in an easy way, nor would I think ANYONE would want their code out there, that they do for any company.

Also I thought that server code had the issue of being hijacked midway, thus the need for SSL and other sorts of encryption?


Also a server or servlet? Sorry I'm new to server stuff, so would I need to do anything additional? I have a server that I normally put my code on for safe storage purposes, so calling it from there wouldn't be a big deal if it's not super complicated and in depth.

I appreciate all the help sir!
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18907

Jay Orsaw wrote:This means any program run by java via the client side is at risk, seems like a reason people wouldn't use Java for client side....?


Well, yeah, there have been a lot of things in the news recently in which people have been able to hack the JVMs in the browser and make them do insecure things. And yeah, there's a lot of people suggesting that you shouldn't have Java on your machine at all. But these are real insecure things, i.e. things which can cause harm to the client machine. That's what Java security is all about.

I doubt anyone with extreme knowledge will try to get their hands on the code. I and my employer just want to make sure that it's not accessible in an easy way, nor would I think ANYONE would want their code out there, that they do for any company.


I doubt that too, but I also doubt that your code is worth the trouble. I've written applets which are distributed to the public. Sure, the Java code in those applets is company property, but anybody who decompiles them isn't going to find any deep dark corporate secrets.

And that's the point that I think Ulf has been trying to make: Don't put code with corporate secrets out there where people can access it. But on the other hand, don't assume that every line of code you write needs to be protected.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42612
Jay Orsaw wrote:This means any program run by java via the client side is at risk, seems like a reason people wouldn't use Java for client side....?

A combination of obfuscation and online license check seems to work for those few commercial Java apps that do exist.

Also I thought that server code had the issue of being hijacked midway, thus the need for SSL and other sorts of encryption?

SSL protects the data while in transmission. The code never leaves the server.

Also a server or servlet? Sorry I'm new to server stuff, so would I need to do anything additional? I have a server that I normally put my code on for safe storage purposes, so calling it from there wouldn't be a big deal if it's not super complicated and in depth.

By "server" I mean an active server-side component (like PHP, JSP or ASP). So that's different from the file server that you're thinking of.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Ulf Dittmer wrote:
Jay Orsaw wrote:This means any program run by java via the client side is at risk, seems like a reason people wouldn't use Java for client side....?

A combination of obfuscation and online license check seems to work for those few commercial Java apps that do exist.


So obfuscation works really well? From looking at the description it said that it gets rid of some methods and changes names of things etc...? Doesn't seem like the code is changed much...

Also what about the

download the class files in your code as binary data using your own ClassLoader
encrypt the bytes you send (for some details see this thread)

??

Also a server or servlet? Sorry I'm new to server stuff, so would I need to do anything additional? I have a server that I normally put my code on for safe storage purposes, so calling it from there wouldn't be a big deal if it's not super complicated and in depth.
By "server" I mean an active server-side component (like PHP, JSP or ASP). So that's different from the file server that you're thinking of.


Gotcha thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42612
Jay Orsaw wrote:
Also what about the

download the class files in your code as binary data using your own ClassLoader
encrypt the bytes you send (for some details see this thread)

??

I'm not sure if commercial Java products use that. I'd consider it, although it, too, can be circumvented by someone who's really motivated.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Ulf Dittmer wrote:
Jay Orsaw wrote:
Also what about the

download the class files in your code as binary data using your own ClassLoader
encrypt the bytes you send (for some details see this thread)

??

I'm not sure if commercial Java products use that. I'd consider it, although it, too, can be circumvented by someone who's really motivated.



I just want something that isn't going to make access easy, and isn't going to take a ton of time (if any really do take that long at all)... I might want to think about the JSP route since I think the knowledge gained by learning it can be used elsewhere; however it might be good to learn all of this stuff....