So I was just chatting with someone about an app they were making, and another person said they were able to decompile it easily (this was VB). So I was curious and went out to search for Java decompilers, and to my displeasure, I found a Java decompiler that can decompile class files as well as JAR files... It even had drag and drop, which I tried out with some code, and yeah, it was exactly correct..
This isn't good IMO.... So how do we get around this? I know there was some mention of things on the Applet Security page, but how do we protect ourselves? I'm new to security and such in general, so any tips or leads to places I can find them would be appreciated....
Also, I didn't want to post the decompiler in here, just in case it's not allowed, but if someone's interested and it's okay with the rules, I will post it..
Paul Clapham wrote:Don't give them the code if you don't want it decompiled.
Yes, I've read up on SaaS (software as a service), and it seems like if you host your code on a server, then it's not really available to the public (unless going through the JVM)? So that means any client-side code can be easily decompiled? I also read a lot about custom class loaders and obfuscation?
Jay Orsaw wrote: This isn't good IMO.... So how do we get around this?
Your opinion is simply incorrect. It's not a bug, it's a feature. You can't get around it. It's not a problem, as others have said.
I will grant that it's easier to decompile Java bytecode into something that looks like decent Java source code than it is with other languages. It's more work in some other languages, but it's always possible. You can do it with any language, even C. If the binary has debugging information and symbol tables, you can even get back the variable names that the original programmer used.
This has nothing to do with security as most people use it.
Consider encryption, which is often proposed as a "solution" to this. Sure, it's easy to encipher any file, any binary or object code. Then you transfer it to the user, and what do they do with it? They can't run it, execute it, or link it with other code; it's enciphered. So if you want your customer to be able to use your software, you have to give them the cipher key. They then decipher the file and copy the deciphered output. Then they can forget your key and your cipher, because they have the clear-text version of your code.
You can start an arms race, say by deciphering your binary into memory, but that only requires the user to copy the binary out of memory into a file. Realize that the code is executing on the customer's machine, not yours. You have no control over that machine. You have no control over who has admin/root privs, or even what operating system is running on it.
Security normally means letting good guys in, and keeping bad guys out. Or allowing good guys to see stuff and keeping bad guys from seeing it.
Cryptography is a great tool to handle data that is in transit over a hostile environment between two trusted places. It was so even in wartime, when the network was a guy on a horse. You protect the message as it travels, not when it's in the general's tent at the other end.
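The "encrypt the code, decrypt it into memory" arms race described in the post above, shown as a runnable added example. This is not code from the thread or from any poster; it is written in Python rather than Java because, as the post says, the point does not depend on the language: a loader that decrypts code before running it must carry the key, and the plaintext must exist in memory on a machine the vendor does not control. All names (`EMBEDDED_KEY`, `SHIPPED_CIPHERTEXT`, `load_protected_module`, the "pricing" function) are hypothetical, the "secret" source is constructed for the demo, and the XOR-of-a-SHA-256-keystream cipher is a toy, not a recommendation.

```python
"""
Added example (not from the original thread): a toy 'encrypted code' loader
and two ways the owner of the machine recovers the plaintext anyway.
"""
import builtins
import hashlib
import itertools
import types

# Constructed sample: the "proprietary" code the vendor wants to hide.
PLAINTEXT_SOURCE = '''
def secret_pricing(units):
    """Vendor's 'secret' algorithm (constructed for the demo)."""
    return 17 * units + 3
'''


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key||counter, concatenated. Demo only."""
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Symmetric toy cipher: XOR data with the keystream (encrypt == decrypt)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# What the vendor ships: ciphertext plus a loader. The key has to travel with
# the loader (hypothetical name), otherwise the customer could not run anything.
EMBEDDED_KEY = b"vendor-key-that-must-ship-with-the-loader"
SHIPPED_CIPHERTEXT = xor_bytes(PLAINTEXT_SOURCE.encode(), EMBEDDED_KEY)


def load_protected_module() -> types.ModuleType:
    """The 'decrypt into memory only, never to disk' loader."""
    source = xor_bytes(SHIPPED_CIPHERTEXT, EMBEDDED_KEY).decode()
    module = types.ModuleType("protected")
    exec(source, module.__dict__)  # the plaintext exists in memory right here
    return module


# --- Two ways the customer gets the clear-text code back ---

def recover_by_reusing_loader() -> str:
    """The loader carries both the key and the cipher, so just call them."""
    return xor_bytes(SHIPPED_CIPHERTEXT, EMBEDDED_KEY).decode()


def recover_by_hooking_exec() -> str:
    """Without reading the loader at all: intercept what it hands to exec.

    The customer controls the runtime, so the hook sits below the loader;
    the equivalent on the JVM is an agent or a patched defineClass.
    """
    captured = []
    real_exec = builtins.exec

    def spy_exec(source, *args, **kwargs):
        captured.append(source if isinstance(source, str) else "<code object>")
        return real_exec(source, *args, **kwargs)

    builtins.exec = spy_exec  # global lookups of 'exec' now resolve to the spy
    try:
        load_protected_module()
    finally:
        builtins.exec = real_exec
    return captured[0]


if __name__ == "__main__":
    assert SHIPPED_CIPHERTEXT != PLAINTEXT_SOURCE.encode()
    print("loader works:", load_protected_module().secret_pricing(2))
    print("recovered via loader:", recover_by_reusing_loader() == PLAINTEXT_SOURCE)
    print("recovered via exec hook:", recover_by_hooking_exec() == PLAINTEXT_SOURCE)
```

The second recovery path is the one that matters for the argument: it never inspects the key or the cipher, it only relies on owning the process the code runs in, which is exactly the control the vendor gave up by shipping the code.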
Frankly, in most cases it makes no difference whether users can see your code or not. It's possible that you might have proprietary algorithms built into it, but chances are that it's just ordinary code which isn't doing anything special at all.
For example I'm working on a Swing application which maintains a database of data in a certain technical field. The code which does that is just code which manipulates a database, no more than that. Sure, you can tell from the code how the database is structured, but you can deduce that just by watching how the application works. And that information doesn't get you anything useful anyway, the value is the data contained in the database. So if I were distributing this application for sale (which I'm not) I wouldn't care in the least that it could be decompiled.
So in my opinion, automatically assuming that allowing people to see your source code is a security problem is quite misguided. In most cases I suspect the worst consequence would be embarrassment that crappy code was displayed for the world to see.