How to secure my java class files

 
Ranch Hand
Posts: 202
Hi, how can I secure my java class files from being decompiled to the java source file? Please don't suggest obfuscators; I've already tried them, but that doesn't work. I want a utility that just displays the content of the jar file that contains the class files but is unable to open the contents, such as "winzip", that prompts for a password when a zip file is created with a password. Please do reply positively, for my applications can be altered, recompiled & spoil my application.
Happy middling with java.
Netharam
 
mister krabs
Posts: 13974
OK, so then how does the Loader open the jar file to get the class files out?
 
Wanderer
Posts: 18671
I'd suggest that what you need is... a better obfuscator. What did you use? Do others here have any particular recommendations for what's currently "state of the art" here?
[ April 27, 2002: Message edited by: Jim Yingst ]
 
Sheriff
Posts: 4313
Android IntelliJ IDE Java
If you're worried about someone getting hold of your code -- and finding out how you do something -- patent it!
 
Bartender
Posts: 2205
Ultimate security is possible at the expense of flexibility. If you want a truly secure jar file, I would suggest you write your own secure classloader. You could encrypt your jar file with triple-DES using say a 1024 bit key. The key becomes the weak link. You would have to have physical security over the key. The best solution is for you to memorize it and never write it down. Also, it helps to never be kidnapped and tortured into revealing this key.
Once you have encrypted your jar file with your key, you don't tell anyone the key. That way, no one can decrypt your jar file. This is the safest possible way to protect your jar file.
If you want people to actually use your jarfile, you've already opened yourself to the possibility of a security breach. Anyone you give the key to will have to be as responsible as you in not writing it down or getting kidnapped.
To access the classes in your secure jar file, your classloader would have to prompt for the key before any classes were loaded. So at startup, your user would enter the key for the file, and your classloader could decrypt your jar file based on this key. Of course, if the user forgets the key or types it in wrong, your classes will be decrypted into garbage, and your app won't run.
Also, if you distribute your key widely to many people, you've completely bypassed any possible effective security you might have on your jar file, and you might as well just go for a decent obfuscator at that point.
[ April 27, 2002: Message edited by: Rob Ross ]
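
The scheme described in the post above, as an added example that is not code from any poster in this thread: a class is stored encrypted under a passphrase-derived key and only defined after decryption. It swaps AES-GCM with PBKDF2 in for the triple-DES the post mentions, so a wrong passphrase or a modified file is rejected outright instead of decrypting into garbage. Assumes Java 10+ compiled with `javac`; `EncryptedLoaderDemo`, `Payload`, `seal`, `open`, the blob layout and the passphrase are hypothetical names and values chosen for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class EncryptedLoaderDemo {
    // Hypothetical stand-in for the application class being protected.
    public static class Payload { @Override public String toString() { return "payload loaded"; } }
    // Stretch the passphrase typed at startup into an AES-256 key (PBKDF2, per-file salt).
    static SecretKeySpec key(char[] pass, byte[] salt) throws Exception {
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pass, salt, 200_000, 256)).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    // Blob layout, constructed for this example: salt[16] | iv[12] | ciphertext + 16-byte GCM tag.
    static byte[] seal(byte[] plain, char[] pass) throws Exception {
        byte[] head = new byte[28];
        new SecureRandom().nextBytes(head);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key(pass, Arrays.copyOf(head, 16)), new GCMParameterSpec(128, head, 16, 12));
        byte[] ct = c.doFinal(plain), out = Arrays.copyOf(head, 28 + ct.length);
        System.arraycopy(ct, 0, out, 28, ct.length);
        return out;
    }

    // Decrypt, then define the class. A wrong passphrase or an altered blob fails the GCM tag check.
    static Class<?> open(String className, byte[] blob, char[] pass) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(pass, Arrays.copyOf(blob, 16)), new GCMParameterSpec(128, blob, 16, 12));
        byte[] bytecode = c.doFinal(blob, 28, blob.length - 28);
        // From this point the plaintext bytecode is in this process's memory; encryption protects the file at rest only.
        return new ClassLoader() {
            Class<?> define() { return defineClass(className, bytecode, 0, bytecode.length); }
        }.define();
    }

    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        byte[] plain;  // sample input: this example's own compiled Payload class
        try (var in = Payload.class.getResourceAsStream("/" + name.replace('.', '/') + ".class")) {
            plain = in.readAllBytes();
        }
        byte[] blob = seal(plain, "demo passphrase".toCharArray());
        System.out.println(open(name, blob, "demo passphrase".toCharArray()).getDeclaredConstructor().newInstance());
        try { open(name, blob, "wrong".toCharArray()); }
        catch (AEADBadTagException e) { System.out.println("refused: wrong key or modified file"); }
    }
}
```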
 
Ranch Hand
Posts: 1365
What about both obfuscating and encrypting the java class files and using a native launcher program to do something sneaky. Of course you'll also want the .jar digitally signed to prevent tampering.
To make things worse, every copy of the software will randomly generate a license L, which the user has to email to you so you can apply a message digest algorithm which is verified at startup.
Or maybe every time it loads it notifies your server, which will authenticate it with a zero-knowledge proof algorithm.
And install software that allows you to hear through the computer's microphone and see through any cameras attached.
If the computer time zone is that of a high-piracy area, install a keylogger for extra protection.
I'm sorry, I think I've gotten a little carried away. Just ignore everything but the first paragraph.
 
netharam ram
Ranch Hand
Posts: 202
Hi, I used mocha source obfuscator, but it was not satisfactory. Can you suggest a better one that could stop others spoiling my creations?
Happy middling with java
Netharam :mad:
[ April 28, 2002: Message edited by: netharam ram ]
 
Greenhorn
Posts: 10
Hi netharam ram
I am thinking of another way to protect your source code without encryption of your jar file.
How about using an application server to run your java application? (just like Websphere, EA Server etc.)
You can use servlet mapping to hide your actual class name, and run a web server on another machine.
After making some minor settings, I think your source/class can only be accessed under your full control.
 
netharam ram
Ranch Hand
Posts: 202
I want to distribute my applications to many no. of users, i.e. through CDs. So I should restrict the client to use websphere & so on. This doesn't sound better. Is there any other way to just safeguard my class files from being decompiled to their sources? Please reply to this positively.
Happy middling with java.
Netharam. :mad:
 
Sheriff
Posts: 7023
Just out of curiosity, have you ever actually had the experience of having your class files decompiled by someone else, then changed, and then this somehow affecting you?
 
Ranch Hand
Posts: 63
I can decompile any java class files from all of the big companies, such as SUN, IBM, Oracle etc. I think you may try to digitally sign every single class file, write your own custom classloader and save your public key into a C or C++ class which will be called by java using Java Native Interface. Or you can get a digital certificate from Verisign. Make a native application launcher for different platforms; it will check the certificate as well from a public well-known CA. Ultimately, you have no way to 100% protect your byte code (java class and .Net MSIL byte code).
If anyone knows such a good utility that can protect your byte code from decompiling, please post it here, I will try to hack it down. Basically, I like an OPEN SOURCE WITH PATENT idea.
 
David Weitzman
Ranch Hand
Posts: 1365
Sunny, I'm pretty busy this week but I'll try to make something difficult to decompile soon (I've never tried this before, but think security through obscurity is better than it gets credit for). Do you use Windows? That's the only platform I can compile C for.
 
netharam ram
Ranch Hand
Posts: 202
Yes, I'm using windows. My current application basically works in windows. I have experienced this in my education center, where my friends used to decompile my class files & alter them so that it loses its perfection, then compile it back to class files. When I run it the next time I get messed up. Moreover, when I'm distributing an application I shouldn't allow the user to decompile my class file & alter it, for I lose control over the application designed & the goal totally fails. So please tell me of a simpler way to perform this.
Happy middling with java.
Netharam.
 
Thomas Paul
mister krabs
Posts: 13974
The fact is that anything that can be loaded by the ClassLoader is going to be able to be decompiled. And the more you try to obscure your class file, the slower it will be when running. If it is really that important then compile it into a .exe.
 
David Weitzman
Ranch Hand
Posts: 1365
My idea is basically to put an unadulterated JAR file inside an .exe that reads, decrypts (nothing fancy here -- something like RC4 on the whole jar), and runs it. The .exe would have further quirks to discourage interpretation (no strings in plaintext, store the crypto key in an obscure place, etc.). The key would not be someplace where it could be found by tracking disk access of course (it might be the hash code of something else).
This would all be done with the expectation that the user will never figure out where the code is, nor how to inject something of his own.
If by some chance he does, he'll be so discouraged to see obfuscated bytecode that he'll promptly commit ritual suicide.
The end result is fast execution (but slow startup), strong security (not in the mathematical sense, but in the sense that you would have to be very skilled, very bored, and very unemployed to find the time to crack it), and as a bonus you have the opportunity to assign a cute little icon to the executable file.
 
Ranch Hand
Posts: 47
Make your own .exe that initially calls some zipper requiring passwd, which opens up the jar in the temp area and then calls jre; when it exits from jre, delete the jar you had left in the temp area.
 
Ranch Hand
Posts: 148
If you use jikes is it still as easily decompiled? I'm just curious, I don't really care if someone decompiles my .class files.
 
Ranch Hand
Posts: 2937
If you are *really* worried about someone decompiling your class files, you could just compile your java source to the native OS .exe. I think VisualCafe Enterprize does it, but there are also some free tools that do .class->.exe compilation. You lose the portability, of course.
Eugene Kononov.
 
Thomas Paul
mister krabs
Posts: 13974
You have to watch out though. Some of the .exe creators merely attach an interpreter to the .class file to turn it into an executable.
 
netharam ram
Ranch Hand
Posts: 202
Hi, Thomas, could you mention some of them to me?
 
Thomas Paul
mister krabs
Posts: 13974
I don't use them so I can't give you specific names. Read the specs for any product that you are interested in.
 
Ranch Hand
Posts: 144
In the past I've used the DashO Pro obfuscator by PreEmptive Solutions (http://www.preemptive.com/). I was quite happy with their product.
 