9

One can easily extract the .jar file and see source code. I want to protect the source code from being seen. One possible answer is to password protect the file like we do it for zip files.

But, if the password is known, then the source code can be easily seen.

Are there any ways of hiding the source code and still have it be able to run? Something similar to what a .exe does in Windows. This should run in both Windows and Linux environments.

durron597
AGEM
  • 4
    I assume you mean that the `class` files can be decompiled and not that you are actually shipping source code with your Jar file... – MadProgrammer Jan 24 '13 at 01:28
  • What is your purpose? To discourage casual viewers? Or to protect your proprietary algorithms to the best extent possible? – thkala Jan 24 '13 at 01:32

5 Answers

5

Have a look at ProGuard; it's a popular obfuscator for Java. As for packaging your Java program as a Windows executable, this post might help you: How can I convert my Java program to an .exe file?

Community
gerrytan
  • Simple .exe packaging is plainly visible under a hex editor. Packaging + encryption does not prevent people from attaching a debugger and picking the code out. – nhahtdh Jan 24 '13 at 01:43
  • Then don't hand out your jar / exe to users; run it in the cloud. Packaging a jar into an exe and such stuff is dinosaur age. – gerrytan Jan 24 '13 at 03:53
  • @nhahtdh: ProGuard also does true obfuscation. It changes the names of methods and so on so that they do not help the reverse engineer. – President James K. Polk Jan 24 '13 at 12:49
5

What you want to search for is "java obfuscation". There are lots of tools to help with this, but it is a losing battle if the people who want your code really want it. If this is a serious problem you should write in C++.

Peter Wooster
  • 4
    Of course, if people *really* want your code, C++ is only a slightly larger deterrent .. –  Jan 24 '13 at 01:40
  • 1
    Managed C++ is really just C# and not much different than Java. Real compiled C++ can be disassembled or decompiled, but the result isn't always that useful. In the end, if you have your hands on the object, given enough time you can reverse engineer it. If you really want to hide an algorithm, you run it on a server and don't hand out object code. – Peter Wooster Jan 24 '13 at 01:46
  • 9
    Or you could just write it in Perl, and hand out the source. Often even the author can't decode that after a week or two :) – Peter Wooster Jan 24 '13 at 01:49
  • @PeterWooster - while Perl is not my favourite language, it is certainly readable if you are disciplined about how you write it, or if you have sufficient Perl experience. As demonstrated by this question: http://stackoverflow.com/questions/1885800/how-can-i-obfuscate-my-perl-script-to-make-it-difficult-to-reverse-engineer – Stephen C Jan 24 '13 at 06:56
  • @stephenc you did see the :) I assume. I like Perl and APL which is even more prone to being a write-only language. – Peter Wooster Jan 24 '13 at 12:53
  • I did see that you intended it as a joke. But that particular joke is not funny after you've heard / seen it hundreds of times. Especially since you have included a backhanded insult to Perl programmers by implying that they can't write readable code. – Stephen C Jan 24 '13 at 14:47
  • @stephanc Sorry, no insult was intended to Perl programmers, I used to be one. I wrote a whole movie database in Perl and HTML in 1996. In the process I learned how to write regular expressions. I still have a copy of the Camel Book on my bookshelf and refer to it regularly to figure out the regular expression subtleties. And of course you can code unreadable code in any language, just as you can code readable code. I've seen nice cool Python programs spoiled by 100+ character regex statements that leave no hint as to what they do. – Peter Wooster Jan 24 '13 at 15:01
5

> One can easily extract the .jar file and see the source code.

Strictly speaking, that is not true. Unless you've actually included the source code files in the JAR, someone cannot see the original source code. But they can (typically) decompile the ".class" files in your JAR file to Java source code that is functionally equivalent to your original source code.

As other answers have stated, you can make it harder for someone trying to reverse engineer your code; e.g. by using an obfuscator, or custom classloader that decrypts code that is stored in encrypted form in your JAR file. But nothing you can do is sufficient to prevent a determined hacker from defeating your measures. NOTHING.

The only practical way to protect your code against reverse engineering is to not release it. Or use software licensing or other legal means to achieve your ends.

Stephen C
  • From what I have seen (actually some very simple cases, so do correct me if it does not apply to complicated cases), Java code --> byte code does not do much optimization, so the decompiled code is very similar to the original Java code. – nhahtdh Jan 24 '13 at 08:27
  • 1
    That is correct. But it is not the same. It is not **the** source code. – Stephen C Jan 24 '13 at 09:30
3

If you intend to simply discourage casual viewers then any of the many code obfuscation tools for Java would probably be of help. It will mess up the bytecode enough to make your algorithms less obvious.

If, on the other hand, you need "absolute" protection, any encryption/obfuscation tool would be useless - if your computer can run it then a determined and knowledgeable attacker would be able to eventually figure out how your code works.

A couple of possible solutions:

  • Use a client/server architecture to run the proprietary parts on computers that you own, so that you do not have to include the more interesting part of your code in your client application. Naturally this solution is not always feasible for a variety of reasons.

  • Hire a couple of lawyers that specialize in Intellectual Property issues and patent your algorithms. In my opinion this is far better an alternative than trying to force a technical solution on a non-technical problem...

thkala
0

Search for "java obfuscation". There are lots of tools to help with this, but if someone is really hell-bent on retrieving source code you cannot stop him. To implement security-related stuff you should write code in C++, then create a dynamic library (.dll for Windows and .so for Linux) and use Java JNI to use it.

On Windows you can use MinGW for compiling code.

Have a look at this: https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaNativeInterface.html

Dheeraj Sachan