
How to protect yourself from someone decompiling your code?

Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Hello all!

So I was just chatting with someone about an app they were making, and another person said they were able to decompile it easily (this was VB). So I was curious and went out to search for Java decompilers, and to my displeasure, I found a Java decompiler that can decompile class files as well as Jar files... It even had drag and drop, so I tried out some code and yeah, exactly correct..

This isn't good IMO.... So how do we get around this? I know there were some mentions of things in the Applet Security page, but how do we protect ourselves? I'm new to security and such in general, so any tips or leads to places I can find would be appreciated....

Also, I didn't want to post the decompiler in here, just in case it's not allowed, but if someone's interested, and it's okay with the rules, I will post it..


Thanks all!

~JO
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18570

Don't give them the code if you don't want it decompiled.
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Paul Clapham wrote: Don't give them the code if you don't want it decompiled.


Yes, I've read up something on SAAS (software as a service), and it seems like if you host your code on a server, then it's not really available to the public (unless going through the JVM)? So that means any client-side code can be easily decompiled? I also read a lot about custom class loaders and obfuscation?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61201

SAAS is just a fancy name for a web application.

What it comes down to, if they have the class file, it can be decompiled. Simple as that.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Jay Orsaw
Ranch Hand

Joined: Jun 14, 2011
Posts: 356

Bear Bibeault wrote: SAAS is just a fancy name for a web application.

What it comes down to, if they have the class file, it can be decompiled. Simple as that.


I understand that, but what about the client-side programs that are made in Java, like Maple for math, or a game like Minecraft? Is it because they are .EXEs?

Also again does that mean that we should always use a server to store the code?
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18570

No, it means that the people who distributed those Java classes weren't concerned about people decompiling their code.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4655

Jay Orsaw wrote: This isn't good IMO.... So how do we get around this?

Your opinion is simply incorrect. It's not a bug, it's a feature. You can't get around it. It's not a problem, as others have said.

I will grant that it's easier to decompile Java byte code into something that looks like decent Java source code than it is with other languages. It's more work in some other languages, but it's always possible. You can do it with any language, even C. If the binary has debugging information and symbol tables, you can even get back the variable names that the original programmer used.
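The point above, that a class file carries the names and string literals a decompiler reads back, and that debugging information adds the original local variable names on top, can be checked directly against the file format. The following is an added example, not code from the thread: a small reader for the `.class` constant pool and attribute tables that reports the class and method names, string literals, and whether debug attributes (`LocalVariableTable`, `LineNumberTable`, `SourceFile`) are present. The class it inspects (`com/example/Secret`, its `checkLicense` method and the `DEMO-KEY` literal) is constructed in memory as a stand-in for javac output, so the script runs with nothing compiled.

```python
"""Report what a decompiler would see in a Java .class file: class and method
names, string literals, local variable names, and debug attributes.
The sample class is built by hand below (constructed, not real javac output)."""
import struct

CONSTANT_Utf8, CONSTANT_Class, CONSTANT_String = 1, 7, 8
# Other constant-pool tags and their fixed payload size (JVM spec, chapter 4).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
DEBUG_ATTRIBUTES = {"LocalVariableTable", "LineNumberTable", "SourceFile"}


class Reader:
    """Cursor over a big-endian byte buffer."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, fmt: str):
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value

    def u1(self): return self.take(">B")
    def u2(self): return self.take(">H")
    def u4(self): return self.take(">I")

    def raw(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def read_constant_pool(r: Reader) -> list:
    count = r.u2()
    pool = [None] * count                      # index 0 is unused, as in the spec
    i = 1
    while i < count:
        tag = r.u1()
        if tag == CONSTANT_Utf8:
            pool[i] = ("Utf8", r.raw(r.u2()).decode("utf-8", "replace"))
        elif tag in (CONSTANT_Class, CONSTANT_String):
            pool[i] = ("Class" if tag == CONSTANT_Class else "String", r.u2())
        elif tag in FIXED_SIZE:
            r.raw(FIXED_SIZE[tag])             # payload not needed for this report
            pool[i] = ("other", tag)
        else:
            raise ValueError(f"unknown constant pool tag {tag} at entry {i}")
        i += 2 if tag in (5, 6) else 1         # Long and Double take two slots
    return pool


def utf8(pool: list, idx: int) -> str:
    kind, value = pool[idx]
    if kind != "Utf8":
        raise ValueError(f"constant #{idx} is {kind}, expected Utf8")
    return value


def read_attributes(r: Reader, pool: list, report: dict) -> None:
    """Record attribute names; descend into Code to reach nested debug tables."""
    for _ in range(r.u2()):
        name = utf8(pool, r.u2())
        end = r.pos + 4 + r.u4()               # skip to here whatever we parse
        report["attributes"].add(name)
        if name == "Code":
            r.u2(); r.u2()                     # max_stack, max_locals
            r.raw(r.u4())                      # the bytecode itself
            r.raw(8 * r.u2())                  # exception table entries
            read_attributes(r, pool, report)   # LineNumberTable, LocalVariableTable
        elif name == "LocalVariableTable":
            for _ in range(r.u2()):
                r.u2(); r.u2()                 # start_pc, length
                report["locals"].append(utf8(pool, r.u2()))
                r.u2(); r.u2()                 # descriptor_index, index
        r.pos = end


def read_members(r: Reader, pool: list, report: dict) -> list:
    names = []
    for _ in range(r.u2()):
        r.u2()                                 # access_flags
        names.append(utf8(pool, r.u2()) + utf8(pool, r.u2()))
        read_attributes(r, pool, report)
    return names


def inspect_class(data: bytes) -> dict:
    r = Reader(data)
    if r.u4() != 0xCAFEBABE:
        raise ValueError("not a class file")
    r.u2()                                     # minor_version
    report = {"major_version": r.u2(), "attributes": set(), "locals": []}
    pool = read_constant_pool(r)
    report["strings"] = [utf8(pool, e[1]) for e in pool if e and e[0] == "String"]
    r.u2()                                     # access_flags
    report["class"] = utf8(pool, pool[r.u2()][1])
    report["super"] = utf8(pool, pool[r.u2()][1])
    r.raw(2 * r.u2())                          # interfaces
    report["fields"] = read_members(r, pool, report)
    report["methods"] = read_members(r, pool, report)
    read_attributes(r, pool, report)
    report["has_debug_info"] = bool(DEBUG_ATTRIBUTES & report["attributes"])
    return report


def build_sample_class() -> bytes:
    """Constructed stand-in for `public class com.example.Secret` with one method,
    boolean checkLicense(String licenseKey), compiled with -g (debug tables kept)."""
    pool = [b"com/example/Secret", (7, 1), b"java/lang/Object", (7, 3),
            b"checkLicense", b"(Ljava/lang/String;)Z", b"Code",
            b"LocalVariableTable", b"licenseKey", b"Ljava/lang/String;",
            b"SourceFile", b"Secret.java", b"this", b"Lcom/example/Secret;",
            b"expected key: DEMO-KEY-1234", (8, 15)]   # constructed literal
    cp = b"".join(struct.pack(">BH", 1, len(e)) + e if isinstance(e, bytes)
                  else struct.pack(">BH", *e) for e in pool)
    lvt = (struct.pack(">H", 2) + struct.pack(">HHHHH", 0, 2, 13, 14, 0)
           + struct.pack(">HHHHH", 0, 2, 9, 10, 1))
    code = (struct.pack(">HHI", 1, 2, 2) + b"\x03\xac"      # iconst_0; ireturn
            + struct.pack(">HH", 0, 1) + struct.pack(">HI", 8, len(lvt)) + lvt)
    method = struct.pack(">HHHH", 0x0001, 5, 6, 1) + struct.pack(">HI", 7, len(code)) + code
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1) + cp
            + struct.pack(">HHHH", 0x0021, 2, 4, 0) + struct.pack(">H", 0)
            + struct.pack(">H", 1) + method
            + struct.pack(">H", 1) + struct.pack(">HIH", 11, 2, 12))


if __name__ == "__main__":
    for key, value in inspect_class(build_sample_class()).items():
        print(f"{key}: {value}")
```

Running the script lists the method signature, the `licenseKey` and `this` variable names and the literal string, all recoverable without decompiling anything. Point `inspect_class` at the bytes of a real class from your own jar to audit what it exposes; the `LocalVariableTable` only appears when javac is run with `-g` or `-g:vars`, and `-g:none` drops the line number and source file attributes as well, which is the defensive counterpart to the observation about debugging information above. The names in the constant pool remain regardless, which is exactly why the thread's answer is that the class file itself cannot be hidden.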
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61201

Jay Orsaw wrote: Also again does that mean that we should always use a server to store the code?

Not sure exactly what you mean by that. Why would you give out the code?
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4655

This has nothing to do with security as most people use it.

Consider encryption, which is often proposed as a "solution" to this. Sure, it's easy to encipher any file, any binary or object code. Then you transfer it to the user, and what do they do with it? They can't run it, execute it, or link it with other code -- it's enciphered. So if you want your customer to be able to use your software, you have to give them the cipher key. They then decipher the file and copy the deciphered output. Then they can forget your key and your cipher, because they have the clear-text version of your code.

You can start an arms race, say decipher your binary into memory, but that only requires the user to copy the binary out of memory into a file. Realize, the code is executing on the customer's machine, not yours. You have no control over that machine. You have no control over who has admin/root privs, or even what operating system is running on it.

Security normally means letting good guys in, and keeping bad guys out. Or allowing good guys to see stuff and keeping bad guys from seeing it.

Cryptography is a great tool to handle data that is in transit over a hostile environment between two trusted places. It's been so in wartime when the network was a guy on a horse. You protect the message as it travels, not when it's in the general's tent at the other end.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4655

Jay Orsaw wrote: Also again does that mean that we should always use a server to store the code?


Not "store" but execute. You execute the code on a server you trust.
You never let it be executed somewhere you don't trust.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18570

Frankly, in most cases it makes no difference whether users can see your code or not. It's possible that you might have proprietary algorithms built into it, but chances are that it's just ordinary code which isn't doing anything special at all.

For example I'm working on a Swing application which maintains a database of data in a certain technical field. The code which does that is just code which manipulates a database, no more than that. Sure, you can tell from the code how the database is structured, but you can deduce that just by watching how the application works. And that information doesn't get you anything useful anyway, the value is the data contained in the database. So if I were distributing this application for sale (which I'm not) I wouldn't care in the least that it could be decompiled.

So in my opinion, automatically assuming that allowing people to see your source code is a security problem is quite misguided. In most cases I suspect the worst consequence would be embarrassment that crappy code was displayed for the world to see.
