Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to lock compiled Java classes to prevent decompilation?

How do I lock compiled Java classes to prevent decompilation?

I know this must be very well discussed topic on the Internet, but I could not come to any conclusion after referring them.

Many people do suggest obfuscator, but they just do renaming of classes, methods, and fields with tough-to-remember character sequences but what about sensitive constant values?

For example, you have developed the encryption and decryption component based on a password based encryption technique. Now in this case, any average Java person can use JAD to decompile the class file and easily retrieve the password value (defined as constant) as well as salt and in turn can decrypt the data by writing small independent program!

Or should such sensitive components be built in native code (for example, VC++) and call them via JNI?

like image 609
jatanp Avatar asked Sep 08 '08 09:09

jatanp


People also ask

How do you prevent jar decompilation?

The best way to stop your jar from being decompiled is to give users no reason to want to. Obfuscation is just a bandaid. In fact, some people will probably reverse it just for the challenge if it's famous enough.

How do I protect my Java code from reverse engineering?

Code obfuscation is currently one of the best methods for protecting Java code from reverse engineering. Obfuscation renders software unintelligible but still functionally equivalent to the original code. It also makes programs more difficult to understand, so that it is more resistant to reverse engineering.

How do I protect my Java application?

You can try the Java Protector. It is a better way than obfuscation.It makes a Native ClassLoader by modifying the source of OpenJDK, could encrypt the classes that you want to protect by AES and parse them in their custom-JRE. You can publish your software with the JRE and distribute your software safety.


1 Answers

Some of the more advanced Java bytecode obfuscators do much more than just class name mangling. Zelix KlassMaster, for example, can also scramble your code flow in a way that makes it really hard to follow and works as an excellent code optimizer...

Also many of the obfuscators are also able to scramble your string constants and remove unused code.

Another possible solution (not necessarily excluding the obfuscation) is to use encrypted JAR files and a custom classloader that does the decryption (preferably using native runtime library).

Third (and possibly offering the strongest protection) is to use native ahead of time compilers like GCC or Excelsior JET, for example, that compile your Java code directly to a platform specific native binary.

In any case You've got to remember that as the saying goes in Estonian "Locks are for animals". Meaning that every bit of code is available (loaded into memory) during the runtime and given enough skill, determination and motivation, people can and will decompile, unscramble and hack your code... Your job is simply to make the process as uncomfortable as you can and still keep the thing working...

like image 125
Roland Tepp Avatar answered Sep 30 '22 12:09

Roland Tepp