Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Java Client .class File Protection

Tags:

java

security

I am in the requirements phase of building a Java EE application that will most likely run on a GlassFish/JBoss backend (doesn't matter for now). I know I shouldn't be thinking about architecture at requirements time, but one can't help but start to imagine how the components would all snap together :-)

Here are some hard, non-flexible requirements on the client-side:
(1) The client application will be a Swing box
(2) The client is free to download, but will use a subscription model (thus requiring a login mechanism with server-side authentication/authorization, etc.)
(3) Yes, Java is the best platform solution for the problem at hand for reasons outside the scope of this post
(4) The client-side .class files need safeguarding against decompiling

That last (4th) requirement is the basis of this post.

I'm not really worried about someone actually decompiling and getting at my source code: in the end, it's just Swing controls driven by some lightweight business logic.

I'm worried about a scenario where someone decompiles my code, modifies it to exploit/attack the server, re-compiles, and fires it up.

I've envisioned all sorts of nasty solutions, but didn't know if this was a common problem with a common solution for Java EE developers. Any thoughts?

Not interested in "code obfuscation" techniques!

Thanks for any input!

like image 266
Eugie Avatar asked Jan 06 '11 18:01

Eugie

2 Answers

You must assume that the code WILL be decompiled and WILL be used to exploit/attack the server.

Only trust what the server is doing.

like image 52
Guillaume Avatar answered Sep 20 '22 03:09

Guillaume

I'm here to bring you the bad news. You cannot stop this.

I dug into this deeply one time. At the lowest levels in the JVM the Classloader must get an unencrypted byte stream that is the class file. You cannot change that short of replacing the JVM with your own code. Furthermore, there is a hook there that allows the byte stream to be viewed (copied, etc.). No matter what you do at higher levels, the JVM will always get to this point and allow access to your class file. Once the class file is obtained it can be decompiled. Obfuscation techniques and tools can slow that down or make it difficult, but they also cannot stop it.

I would strongly suggest that you protect your server using tried and true security methods. Don't embed the secret sauce in something you give to the client. They will get at it somehow if they are determined enough.

like image 35
rfeak Avatar answered Sep 22 '22 03:09

rfeak
Sign in to Comment

Related questions

How to distribute java project built in Eclipse?
regarding garbage collection.Why do we need to call System.gc();?
Iterating bits of a char
What is the event dispatching thread?
Code Migration from JDK 1.5 to 1.6
How do I get the Source IP of a SOAP requesting client machine?
How do I correct feature envy in this case?
Java equivalent of python's String lstrip()?
why use Heap Memory in Java
Connecting and playing with Cassandra in Java
How to differentiate between logout and session expired?
Unable to highlight text/variable in eclipse [duplicate]
Maven won't deploy dependencies
How to dynamically compute a list of colors?
Generate Primary key without using Database
How to refactor legacy code effectively and efficiently? [duplicate]
Wicket: Get URL from browser
Unterminated string constant
How to test if JDBC driver is installed correctly and if the DB can be connected?
UTF-8 encoding problem with servlet and apache HttpClient

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!