Any class file can be decompiled to original Java source code relatively easily.

Does this mean that the source code of any Java program, unless encrypted in some way, is relatively easily available to anyone who has the final program?

If so, then isn't this a problem for major companies that don't want their trade secrets or their work available to anyone?

Paul Roub
Aviv Cohn
  • Just because you're able to decompile it, doesn't mean you're allowed to do so. It depends on the software license and your local laws. – oschlueter Mar 15 '14 at 23:50
  • @oschlueter But this still creates a problem for major companies that can't have their code available to anyone, right? – Aviv Cohn Mar 15 '14 at 23:53
  • Even if it's encrypted, the program has to decrypt itself somehow, and anyone reverse engineering the program can generally decrypt it the same way. – user2357112 Mar 15 '14 at 23:53
  • @user2357112 So isn't this a problem for major companies? Is there a way to solve this? – Aviv Cohn Mar 15 '14 at 23:54
  • @Prog There is no way to fully prevent reverse engineering of client side code. The solution is to make it not worth the effort. But "commercial secrets" are highly overrated anyway. – Antimony Mar 16 '14 at 00:52

1 Answer

Open source refers to license. You can have the source code of a non-open source program, for example.

Generally speaking, no, your original source code is not available to anyone - you can easily use methods such as obfuscation and encryption if you are concerned about this. Check out this question.

However, Java bytecode can be reverse engineered to Java source code. You can take a look here to get more information: http://resources.infosecinstitute.com/java-bytecode-reverse-engineering.

> If so, then isn't this a problem for major companies that don't want their trade secrets or their work available to anyone?

Why would it be? Java is usually running on the server side, where you can't even access the bytecode. If you're creating a desktop application you're just as likely to have it reverse engineered as pirated, I'd wager.

In essence it's possible to get the source code from bytecode, but you can prevent that, and it's usually not a big deal.

corazza
  • Right, changed the title – Aviv Cohn Mar 15 '14 at 23:50
  • *"Java bytecode cannot be perfectly reverse engineered to its original form, but it is possible."*. Seems like it's relatively easily possible using a decompiler, isn't it? And doesn't it create a problem for major companies? – Aviv Cohn Mar 15 '14 at 23:51
  • Thanks for the answer. Is machine code created by compiling C++ source code for example, also as 'easily' reverse engineered to the original source code, like Java is? – Aviv Cohn Mar 16 '14 at 00:00
  • @Prog, a decompiler can give you valid Java source code, but it's not the *original* source code. Decompiled code lacks the original comments (since they're not present in the bytecode), and obfuscation can turn all the class, method, and variable names into meaningless nonsense. This makes it very difficult for anyone to read and understand the decompiled code. – Wyzard Mar 16 '14 at 00:01
  • @Prog it's definitely not that easy. Java bytecode format is very neat, organized, and you're guaranteed many things. Usually one class per file. C++ has a lot of libraries linked in a very platform-specific way - different compilers generate different code, there are multiple ways of compiling and organizing the instructions, etc... Also, there are many compiled languages too! *It can be difficult to even detect the original language,* how would it not be difficult to get the source code? – corazza Mar 16 '14 at 00:03
  • @Wyzard So basically, when using obfuscation and some encrypting tools, one is able to make his/her program difficult to reverse engineer back to source code - but it will always be possible, and relatively easy compared to for example C++. – Aviv Cohn Mar 16 '14 at 00:04
  • Relevant question about detecting the language from binary: http://stackoverflow.com/questions/1704202/determine-source-language-from-a-binary. – corazza Mar 16 '14 at 00:04
  • @Prog, easier than reverse-engineering native code, yes. In fact, it's often not difficult to read and understand a method's raw bytecode instructions when displayed in mnemonic form (basically the JVM's equivalent of assembly language), without having to decompile it into Java source code. (But there's a big difference between deciphering individual methods and understanding the "big picture" of how all the classes and methods fit together.) – Wyzard Mar 16 '14 at 00:16
  • Encryption doesn't really have anything to do with obfuscation. All it does is add an extra step before you can dump the code. – Antimony Mar 16 '14 at 00:50
  • Also note that even with obfuscation (at least the popular ones) it's still much easier to reverse engineer Java than native code. And people routinely RE native applications. It's all about how motivated people are to RE your product. – Antimony Mar 16 '14 at 00:54
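
What the comments above describe (identifiers survive compilation, and an obfuscator renames only your own ones) can be checked on a build artifact by listing the strings in a class file's constant pool. This is an added example, not code from the question, the answer or any tool mentioned here; `pool_strings`, `sample_class` and the class and field names are made up for illustration, and the sample bytes are constructed in class-file layout rather than produced by a compiler.

```python
import struct

# Bytes that follow the tag for fixed-size constant-pool entries (JVM spec, section 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def pool_strings(data: bytes) -> list:
    """Return every CONSTANT_Utf8 entry of a class file, in pool order."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index, found = 10, 1, []           # pool indices start at 1
    while index < count:
        tag = data[pos]
        if tag == 1:                         # Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", data, pos + 1)
            raw = data[pos + 3:pos + 3 + length]
            # Class files use modified UTF-8; plain ASCII names decode unchanged.
            found.append(raw.decode("utf-8", "replace"))
            pos += 3 + length
        elif tag in FIXED:
            pos += 1 + FIXED[tag]
            if tag in (5, 6):                # Long and Double take two pool slots
                index += 1
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 1
    return found

def sample_class(class_name: str, field_name: str) -> bytes:
    """Constructed sample: header, constant pool and one private String field."""
    def utf8(text):
        raw = text.encode()
        return b"\x01" + struct.pack(">H", len(raw)) + raw
    def class_ref(name_index):
        return b"\x07" + struct.pack(">H", name_index)
    pool = (utf8(class_name) + class_ref(1) + utf8("java/lang/Object") + class_ref(3)
            + utf8(field_name) + utf8("Ljava/lang/String;"))
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7) + pool  # 6 entries, so count is 7
            + struct.pack(">HHHHH", 0x0021, 2, 4, 0, 1)        # flags, this, super, 0 interfaces, 1 field
            + struct.pack(">HHHH", 0x0002, 5, 6, 0)            # private field: name #5, descriptor #6
            + struct.pack(">HH", 0, 0))                        # no methods, no attributes

PLAIN = pool_strings(sample_class("LicenseCheck", "secretKey"))  # names as written
RENAMED = pool_strings(sample_class("a", "b"))                   # names after renaming
```

In both outputs the reference to `java/lang/Object` and the `Ljava/lang/String;` descriptor stay readable, because references to platform classes must still resolve at run time; only the program's own names change.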