Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it worth to obfuscate java web application? [closed]

Is it worth to obfuscate java web application? and why?

like image 627
janetsmith Avatar asked Sep 14 '09 02:09

janetsmith


People also ask

Does obfuscation affect performance?

Name obfuscation does not affect the performance and should always be used. You can virtualize methods that are not computationally intensive. Otherwise, control flow obfuscation should be used.

Should you obfuscate your code?

It's essential to hide business logic and code to make it harder for attackers to gain access and start debugging and tampering with your app. (They often repackage an application with malicious code.) 3. Code obfuscation can drastically reduce file size, and download times can be reduced drastically as well.

Can obfuscated code be decompiled?

Code obfuscation is the process of making applications difficult or impossible to decompile or disassemble, and the retrieved application code more difficult for humans to parse.

Can you obfuscate Java?

Bytecode Obfuscation is the process of modifying Java bytecode (executable or library) so that it is much harder to read and understand for a hacker but remains fully functional. Almost all code can be reverse-engineered with enough skill, time and effort.


2 Answers

No. The code is stored on the server where external users (hopefully) don't have access to it. You may want to obfuscate the JavaScript if you feel it's worth the (minimal) IP protection.

The best thing is so make sure your server security is up to scratch and you don't have open access to your application directories (which shouldn't happen anyway).

like image 138
Luke Schafer Avatar answered Nov 03 '22 00:11

Luke Schafer


IMO, no.

There are two main use-cases for obfuscation:

  1. to protect access control "secrets" (e.g. passwords) embedded in the code, and
  2. to protect against someone stealing your "intellectual property".

The problem is that obfuscation only foils half-hearted attempts at reverse engineering. A serious attempt will always succeed. It is really not that hard to decompile an obfuscated JAR file, and there are lots of tools around for doing it.

For the use-cases above, better alternatives to obfuscation are:

  1. just don't embed secrets in the code, and
  2. one or both of the following:
    • secure your webservers so that hackers cannot get at the code, and
    • don't ship the code that you consider to be valuable IP, or if you do, then only ship code to people who have signed a legally binding contract / license agreement that guards your IP rights.
like image 33
Stephen C Avatar answered Nov 03 '22 02:11

Stephen C