
How to protect Java codes against decompiler? [closed]

As we know, there are a lot of Java decompiler tools which can convert .class files to .java files.

Therefore, we need to protect our .java files against decompilers. I know this is a big topic, and maybe there is no end to it.

Usually, there are two ways: an obfuscator and a customized classloader.

Is there any mature solution or open source framework which combines those two ways?

Another aspect is related to exe4j, which packages jars into an exe file. It seems like it can protect Java code, because what we see is an exe file instead of jars or class files. But in fact, when it runs, it decomposes all the jar files into temporary directories, which means it is easy to get the class files for a decompiler. So are there any considerations for protecting Java code from the aspect of exe4j?

Thanks for your comments and suggestions.

Updating

Thanks everyone for your suggestions and shared experience. That is helpful to me. To conclude, I will give up on any obfuscator or customized classloader with encryption, because in the end Java code can be disclosed by clever hackers.

I will remove some core code at compile time using tricks like "#ifdef" in the C language. In Java, a static final boolean class variable can be used to do the same job. Then the compiled class file will not contain the Java code that needs protecting.

Forrest asked May 20 '26 14:05
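The compile-time flag described in the question's update, as an added example that is not part of the original post: a `static final boolean` constant guards the sensitive branch, and the program then scans its own class file to confirm what was and was not shipped. The class name `FeatureGate`, the flag `INCLUDE_CORE`, the helper `coreAlgorithm` and the marker string are hypothetical, constructed for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class FeatureGate {
    // Compile-time constant: static final, primitive or String type, constant initializer.
    // javac inlines it, so every class that reads it must be recompiled when it changes.
    static final boolean INCLUDE_CORE = false;

    static String run() {
        if (INCLUDE_CORE) {
            // With the flag false, javac emits no bytecode and no constants for this branch.
            return "CORE-MARKER-7f3a: " + coreAlgorithm();
        }
        return "core feature not included in this build";
    }

    // Caveat: only the guarded statements disappear. This method is still compiled
    // into the class file, so protected logic has to live inside the guarded block
    // or in a source file that is left out of the build.
    static int coreAlgorithm() {
        return 42;
    }

    // Scans this class's own bytes as shipped (needs Java 9+ for readAllBytes).
    static boolean classFileContains(String needle) throws IOException {
        try (InputStream in = FeatureGate.class.getResourceAsStream("FeatureGate.class")) {
            if (in == null) {
                throw new IOException("FeatureGate.class not found on the classpath");
            }
            return new String(in.readAllBytes(), StandardCharsets.ISO_8859_1).contains(needle);
        }
    }

    public static void main(String[] args) throws IOException {
        // Needles are built at run time: a literal (or a constant-folded "a" + "b")
        // would itself land in the constant pool and make the check meaningless.
        String marker = new StringBuilder("a3f7-REKRAM-EROC").reverse().toString();
        String helper = new StringBuilder("mhtiroglAeroc").reverse().toString();
        System.out.println(run());
        System.out.println("guarded literal in class file: " + classFileContains(marker));
        System.out.println("helper method in class file:   " + classFileContains(helper));
    }
}
```

Compile with `javac FeatureGate.java` and run with `java FeatureGate`: with the flag set to false the first check reports false and the second reports true, which is the gap to look for before release.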


2 Answers

  1. You can use an obfuscator, like ProGuard or yGuard, but it is not too complex to decrypt strings and rename classes, fields and methods.
  2. You can encrypt your classes with a private key, and use a custom classloader to decrypt your classes with a public key before loading them into memory, but it is not too complex to modify the classloader to save all the loaded classes to disk.
  3. You can try to crash decompilers. JAD is one of the best decompilers, but if you add corrupted entries in the constant pools, all products powered by JAD crash. However, some decompilers are still working.

The only way to protect your software is to deploy it in a SaaS/PaaS.

But keep your head: most people use a decompiler because they have a technical problem and the documentation is poor or nonexistent. Writing good documentation and using a solid EULA is the better solution.

Emmanuel Dupuy answered May 23 '26 04:05


You can't protect the class files from a decompiler and from malicious users. However, the output of the decompiler may not be valid Java.

The best method is to document your API (assuming this is available for your customers to use) and application very very well. And have your support personnel be able to resolve API and application issues. Then your customers will have no reason to want to use a decompiler to explore why things are not working correctly.

David Harris answered May 23 '26 02:05
