Hi, how can I secure my Java class files from being decompiled to the Java source file? Please don't suggest obfuscators; I've already tried them, but that doesn't work. I want a utility that just displays the content of the jar file that contains the class files but is unable to open the contents, such as "winzip", which prompts for a password when a zip file is created with a password. Please do reply positively, for my applications can be altered, recompiled & spoil my application. Happy middling with java. Netharam
I'd suggest that what you need is... a better obfuscator. What did you use? Do others here have any particular recommendations for what's currently "state of the art" here? [ April 27, 2002: Message edited by: Jim Yingst ]
Ultimate security is possible at the expense of flexibility. If you want a truly secure jar file, I would suggest you write your own secure classloader. You could encrypt your jar file with triple-DES using say a 1024 bit key. The key becomes the weak link. You would have to have physical security over the key. The best solution is for you to memorize it and never write it down. Also, it helps to never be kidnapped and tortured into revealing this key. Once you have encrypted your jar file with your key, you don't tell anyone the key. That way, no one can decrypt your jar file. This is the safest possible way to protect your jar file. If you want people to actually use your jarfile, you've already opened yourself to the possibility of a security breach. Anyone you give the key to will have to be as responsible as you in not writing it down or getting kidnapped. To access the classes in your secure jar file, your classloader would have to prompt for the key before any classes were loaded. So at startup, your user would enter the key for the file, and your classloader could decrypt your jar file based on this key. Of course, if the user forgets the key or types it in wrong, your classes will be decrypted into garbage, and your app won't run. Also, if you distribute your key widely to many people, you've completely bypassed any possible effective security you might have on your jar file, and you might as well just go for a decent obfuscator at that point. [ April 27, 2002: Message edited by: Rob Ross ]
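The password-prompted decrypting classloader described in the post above, as an added example that is not code from anyone in this thread. It swaps triple-DES for AES-GCM with a PBKDF2-derived key, so a wrong password is rejected instead of yielding garbage classes; the blob layout, class names and password are assumptions of the example, and it needs Java 9+ compiled in the default package.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.*;

public class SecureLoaderDemo {
    public static class Payload { public String toString() { return "loaded from encrypted bytes"; } }
    // Blob layout (assumed for this example): 16-byte salt | 12-byte IV | AES-GCM ciphertext+tag
    static SecretKey derive(char[] pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 200_000, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }
    static byte[] seal(byte[] plain, char[] pw) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        SecureRandom rnd = new SecureRandom(); rnd.nextBytes(salt); rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, derive(pw, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(28 + ct.length).put(salt).put(iv).put(ct).array();
    }
    static class EncryptedClassLoader extends ClassLoader {
        private final Map<String, byte[]> blobs; private final char[] pw;
        // Parent is null (bootstrap only) so the demo cannot fall back to the plaintext class on the classpath.
        EncryptedClassLoader(Map<String, byte[]> blobs, char[] pw) { super(null); this.blobs = blobs; this.pw = pw; }
        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            byte[] b = blobs.get(name);
            if (b == null) throw new ClassNotFoundException(name);
            try {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, derive(pw, Arrays.copyOfRange(b, 0, 16)), new GCMParameterSpec(128, b, 16, 12));
                byte[] plain = c.doFinal(b, 28, b.length - 28); // plaintext bytecode now sits in process memory
                return defineClass(name, plain, 0, plain.length);
            } catch (AEADBadTagException e) { // wrong key or modified blob: refuse rather than define garbage
                throw new ClassNotFoundException(name + ": wrong key or modified file", e);
            } catch (Exception e) { throw new ClassNotFoundException(name, e); }
        }
    }
    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        byte[] raw; // constructed sample input: this demo's own compiled Payload class
        try (InputStream in = SecureLoaderDemo.class.getResourceAsStream(name + ".class")) { raw = in.readAllBytes(); }
        Map<String, byte[]> blobs = Map.of(name, seal(raw, "correct horse".toCharArray()));
        ClassLoader ok = new EncryptedClassLoader(blobs, "correct horse".toCharArray());
        System.out.println(ok.loadClass(name).getDeclaredConstructor().newInstance());
        try { new EncryptedClassLoader(blobs, "wrong".toCharArray()).loadClass(name); }
        catch (ClassNotFoundException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The decrypted bytecode is handed to `defineClass` in plaintext, so anyone who holds the password can still recover and decompile it; the scheme only protects the jar at rest.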
What about both obfuscating and encrypting the java class files and using a native launcher program to do something sneaky? Of course you'll also want the .jar digitally signed to prevent tampering. To make things worse, every copy of the software will randomly generate a license L, which the user has to email to you so you can apply a message digest algorithm which is verified at startup. Or maybe every time it loads it notifies your server, which will authenticate it with a zero-knowledge proof algorithm. And install software that allows you to hear through the computer's microphone and see through any cameras attached. If the computer time zone is that of a high-piracy area, install a keylogger for extra protection. I'm sorry, I think I've gotten a little carried away. Just ignore everything but the first paragraph.
Hi, I used the mocha source obfuscator, but it was not satisfactory. Can you suggest a better one that could stop others spoiling my creations? Happy middling with java. Netharam [ April 28, 2002: Message edited by: netharam ram ]
Hi netharam ram, I am thinking of another way to protect your source code without encryption of your jar file. How about using an application server to run your Java application (just like WebSphere, EA Server etc.)? You can use servlet mapping to hide your actual class name, and run the web server on another machine. After making some minor settings, I think your source/classes can only be accessed under your full control.
I want to distribute my applications to a large number of users, i.e. through CDs. So I should restrict the client to use WebSphere & so on. This doesn't sound better. Is there any other way to just safeguard my class files from being decompiled to their sources? Please reply to this positively. Happy middling with java. Netharam.
I can decompile any Java class files from all of the big companies, such as SUN, IBM, Oracle etc. I think you may try to digitally sign every single class file, write your own custom classloader and save your public key into a C or C++ class which will be called by Java using Java Native Interface. Or you can get a digital certificate from Verisign. Make a native application launcher for different platforms; it will check the certificate as well from a public well-known CA. Ultimately, you have no way to 100% protect your byte code (Java class and .Net MSIL byte code). If anyone knows such a good utility that can protect your byte code from decompiling, please post it here, I will try to hack it down. Basically, I like an OPEN SOURCE WITH PATENT idea.
If I am rich, I will spend more. IBM 486 (OOAD & UML) & 141 (XML) passed; Oracle 1Z0-007 passed; MCSD MCDBA MCSE; SCJP SCSSA; CCNA CNA A+
Sunny, I'm pretty busy this week but I'll try to make something difficult to decompile soon (I've never tried this before, but think security through obscurity is better than it gets credit for). Do you use Windows? That's the only platform I can compile C for.
Yes, I'm using Windows. My current application basically works in Windows. I have experienced this in my education center, where my friends used to decompile my class files & alter them so that the application loses its perfection, then compile them back to class files. When I run it the next time I get messed up. Moreover, when I'm distributing an application I shouldn't allow the user to decompile my class file & alter it, for I lose control over the application designed & the goal totally fails. So please tell me of a simpler way to perform this. Happy middling with java. Netharam.
The fact is that anything that can be loaded by the ClassLoader is going to be able to be decompiled. And the more you try to obscure your class file, the slower it will be when running. If it is really that important then compile it into a .exe.
My idea is basically to put an unadulterated JAR file inside an .exe that reads, decrypts (nothing fancy here -- something like RC4 on the whole jar), and runs it. The .exe would have further quirks to discourage interpretation (no strings in plaintext, store the crypto key in an obscure place, etc.). The key would not be someplace where it could be found by tracking disk access of course (it might be the hash code of something else). This would all be done with the expectation that the user will never figure out where the code is, nor how to inject something of his own. If by some chance he does, he'll be so discouraged to see obfuscated bytecode that he'll promptly commit ritual suicide. The end result is fast execution (but slow startup), strong security (not in the mathematical sense, but in the sense that you would have to be very skilled, very bored, and very unemployed to find the time to crack it), and as a bonus you have the opportunity to assign a cute little icon to the executable file.
If you are *really* worried about someone decompiling your class files, you could just compile your Java source to a native OS .exe. I think VisualCafe Enterprise does it, but there are also some free tools that do .class->.exe compilation. You lose the portability, of course. Eugene Kononov.