I am in the requirements phase of building a Java EE application that will most likely run on a GlassFish/JBoss backend (doesn't matter for now). I know I shouldn't be thinking about architecture at requirements time, but one can't help but start to imagine how the components would all snap together :-)
Here are some hard, non-flexible requirements on the client-side:
(1) The client application will be a Swing box
(2) The client is free to download, but will use a subscription model (thus requiring a login mechanism with server-side authentication/authorization, etc.)
(3) Yes, Java is the best platform solution for the problem at hand for reasons outside the scope of this post
(4) The client-side .class files need safeguarding against decompiling
That last (4th) requirement is the basis of this post.
I'm not really worried about someone actually decompiling and getting at my source code: in the end, it's just Swing controls driven by some lightweight business logic.
I'm worried about a scenario where someone decompiles my code, modifies it to exploit/attack the server, re-compiles, and fires it up.
I've envisioned all sorts of nasty solutions, but didn't know if this was a common problem with a common solution for Java EE developers. Any thoughts?
Not interested in "code obfuscation" techniques!
Thanks for any input!
You must assume that the code WILL be decompiled and WILL be used to exploit/attack the server.
Only trust what the server is doing.
I'm here to bring you the bad news. You cannot stop this.
I dug into this deeply one time. At the lowest levels in the JVM the Classloader must get an unencrypted byte stream that is the class file. You cannot change that short of replacing the JVM with your own code. Furthermore, there is a hook there that allows the byte stream to be viewed (copied, etc.). No matter what you do at higher levels, the JVM will always get to this point and allow access to your class file. Once the class file is obtained it can be decompiled. Obfuscation techniques and tools can slow that down or make it difficult, but they also cannot stop it.
I would strongly suggest that you protect your server using tried and true security methods. Don't embed the secret sauce in something you give to the client. They will get at it somehow if they are determined enough.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With