What can be done to secure jar files besides obfuscation?

I'm concerned about the security of Java executables. They offer little protection against decompilation. With tools like Java Decompiler even a kid can decompile the class files to get the original code.

Apart from code obfuscation what can be done to protect a class file? Is the Encrypted Class Loader still a myth?

rainbower asked Sep 06 '11 18:09


2 Answers

In a previous company we had such questions, mainly driven by management paranoia.

First of all, you have to understand that absolute security is only a myth: As long as your program is run on untrusted hardware, it can be decompiled, no matter what language you use. The only thing you can change is the cost of an attacker to understand your software/algorithm/data.

Concerning obfuscation: it can be considered a first level of protection, as it makes the Java code totally unreadable. Good obfuscators like ProGuard use forbidden characters in variables/methods names, preventing execution of decompiled code. Now, one can consider it a good enough security measure, as decompiling code is not as simple as running Jad or other decompilers and having perfectly working Java code. However, it is possible to understand most of the algorithms exposed in such code (as readable code is very different from compilable code).

Additional security measures include:

  • Running sensitive code on a server by using some kind of web-service to send results and grab results (using REST/SOAP/YouNameIt)
  • Loading sensitive code from a remote server using HTTPS and (maybe) additional security layers.

From those two security measures, I would honestly choose the first. Indeed, the second can be subverted by typical HTTPS attacks (man in the middle, logging proxies, and so on), and has the major inconvenience of putting the code on untrusted hardware, which makes it possibly borrowable from there.

Riduidel answered Sep 22 '22 02:09
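The "encrypted class loader" the question asks about, as an added example written for this page (it is not code from either answer): a `ClassLoader` subclass AES-decrypts the bytecode of a nested `Secret` class and hands it to `defineClass`. The class, the key and the IV are all constructed inside the program so it runs offline with plain `javac`/`java`; the comments mark the points where the key and the plaintext bytecode necessarily exist in the JVM, which is why the answer above calls absolute protection a myth. All class and method names are assumptions made for the example.

```java
import java.io.InputStream;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EncryptedClassLoaderDemo {
    // The "sensitive" class. Its compiled bytes are encrypted below and only
    // turned back into a usable class by the decrypting loader at run time.
    public static class Secret {
        public static int compute(int x) { return x * 42 + 7; }
    }

    // Loader that keeps the key and decrypts bytecode right before defineClass().
    static class DecryptingLoader extends ClassLoader {
        private final byte[] key, iv;   // the key has to live in process memory

        DecryptingLoader(byte[] key, byte[] iv) {
            super(null);                // bootstrap parent: the on-disk Secret.class is never consulted
            this.key = key; this.iv = iv;
        }

        Class<?> defineEncrypted(String binaryName, byte[] ciphertext) throws Exception {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            byte[] plain = c.doFinal(ciphertext);   // plaintext bytecode exists here, in the JVM
            return defineClass(binaryName, plain, 0, plain.length);
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand in for the build step: read the compiled Secret class and encrypt it
        // with a freshly generated key (constructed for the demo; a shipped product
        // would embed the key, which is exactly what makes it recoverable).
        String binaryName = EncryptedClassLoaderDemo.class.getName() + "$Secret";
        byte[] bytecode;
        try (InputStream in = EncryptedClassLoaderDemo.class.getResourceAsStream(binaryName + ".class")) {
            bytecode = in.readAllBytes();
        }
        byte[] key = new byte[16], iv = new byte[16];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key); rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ciphertext = c.doFinal(bytecode);

        // Run-time side: decrypt, define, and call the protected code via reflection.
        Class<?> secret = new DecryptingLoader(key, iv).defineEncrypted(binaryName, ciphertext);
        System.out.println(secret.getMethod("compute", int.class).invoke(null, 1)); // prints 49
    }
}
```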


Basically, there are four things you can do with your bytecode to protect it against Java decompilers:

  • obfuscation
  • software encryption
  • hardware encryption
  • native compilation

all covered in my article Protect Your Java Code - Through Obfuscators And Beyond

Dmitry Leskov answered Sep 23 '22 02:09