
I have a Java SE application that will be distributed as a jar file. The application will take some of your identity information (like cell no., email) and give you credit points for actions you have performed. Each action can be performed only once. See the code below.

```java
protected void setActionPerformed(boolean status){
    actionPerformed = status;
}
```

What if some Java programmer decompiles the jar file, modifies the source and replaces the class file after doing this?

```java
protected void setActionPerformed(boolean status){
    actionPerformed = Boolean.FALSE;
}
```

In this case, she can perform the same action multiple times.

This process of decompiling the jar file and replacing the class file after modification is possible because I have done it in the past (to resolve a bug in a jar library used by my webapp, hence the question).

I believe there has to be some way to prevent this. How would my application know that the jar has been tampered with? What would be the ideal way of achieving this?

Please note that this question is not regarding "How to prevent decompilation of jar files?" It clearly says that decompiling is possible, but what after that?

Yasin
  • SAAS...No choice, Obfuscation...it will make my life difficult. Don't you think so? – Yasin Jul 05 '14 at 07:44
  • no http://stackoverflow.com/questions/2537568/best-java-obfuscator – jmj Jul 05 '14 at 07:45
  • *"I believe there has to be some way to prevent this."* I (used to) believe in the Tooth Fairy. – Stephen C Jul 05 '14 at 07:56
  • @StephenC, I am not interested in preventing decompilation of jar files. I have clearly stated that it is possible, but I am asking what after that? – Yasin Jul 05 '14 at 12:22
  • You can sign the JAR so that the user knows it's been modified. Provided, of course, the user checks to be sure it's still signed. – Hot Licks Jul 05 '14 at 12:30
  • The answer remains the same. You can neither prevent compilation of the modified program, nor its execution. Specifically, the modified application can not reliably detect the JAR has been tampered with, because the code that detects this may have been tampered with, too ... – meriton Jul 05 '14 at 12:30
  • @Yasin - And I have stated that it is NOT possible. No matter what you believe. So what happens after that is moot. The best you can do with obfuscation, or any other kind of protection on an application that you distribute, is to **slow down** the bad guys. SAAS is the only practical solution. – Stephen C Jul 06 '14 at 01:59
  • @HotLicks - and provided that the bad guy doesn't 1) disable the warning by hacking the user's platform, or 2) use "social engineering" to get the user to disregard it. – Stephen C Jul 06 '14 at 02:03
  • @StephenC - Like I said, the user needs to know to check. There's not really any good way to tell the user to do this, unfortunately. And if the user's platform has already been hacked then this whole discussion is moot. – Hot Licks Jul 06 '14 at 02:27
  • (One could have an arrangement where the user must go online to your site to register the app or some such, and during that interaction the file could be checked. Of course, the bad guy could circumvent this and have the app go to his site instead, or just pretend to be online.) – Hot Licks Jul 06 '14 at 02:29
  • If A is a solution for B and A is a solution for C, that does not necessarily mean that both B and C are exactly similar. What I believe is that such questions should be kept alive so that some other guy like me knows that, like the decompilation prevention problem, this problem does not have any solution. And by the way, is this problem a duplicate of the other one just because both of them do not have a solution? Anyways, the rest is up to the moderators. I wish there was someone to moderate the moderators. – Yasin Jul 07 '14 at 03:28
  • I just need to convert the jar to .exe. This obviously affects the platform independence feature of Java but it does not matter in my case. At least I got something. – Yasin Jul 07 '14 at 12:01
