Best Java obfuscator?

Question

I am developing a security software and want to obfuscate my java code so it will become impossible to reverse engineer. What is the most reliable java obfuscator ?

I had some colleagues who created some heavily obfuscated code. But that was not their intention. — Steve McLeod, Mar 29 '10 at 11:53
@Mnementh: it is enough to make reverse engineering prohibitively expensive for your particular app. — Dmitry Leskov, Apr 08 '10 at 06:05
@Robert Harvey: Not sure why did you thought this question was not constructive. It is related to programming and in my opinion it is as good question as any other programming questions — Xinus, Jul 11 '13 at 01:23

score 110 · Accepted Answer · answered Mar 29 '10 at 11:50

110

First, you really need to keep in mind that it's never impossible to reverse-engineer something. Everything is hackable. A smart developer using a smart IDE can already get far enough.

Well, you can find here a list. ProGuard is pretty good. I've used it myself, but only to "minify" Java code.

answered Mar 29 '10 at 11:50

BalusC

1,082,665
372
3,610
3,555

1

@BalusC: So what tool do you use to obfuscate java code? you do obfuscate your java code, dont' you? – Thinhbk Jun 22 '12 at 10:15
@Thinhbk Obfuscation makes it harder to get useful stack traces. – Thorbjørn Ravn Andersen Apr 16 '15 at 14:22
@ThorbjørnRavnAndersen: Agree. IMO, obfuscation will make stack traces become mostly useless. In that case, I'm using some trick with the log msg, which can help. – Thinhbk Apr 17 '15 at 00:07
3

@Thinhbk Proguard generates a map to translate obfucated stack traces back to the original code. Otherwise, as you said, stack traces would become useless (but who gets uncaught exceptions anyway... ;-)) – Matthieu Jan 05 '16 at 11:44
@Matthieu: Is it possible to translate stack trace backed to original code automatically? It would be great, and new for me. I just know translate back manually can be difficult if the code base is huge. – Thinhbk Jan 06 '16 at 08:06
@Thinhbk [it seems so](http://proguard.sourceforge.net/manual/retrace/examples.html) – Matthieu Jan 06 '16 at 08:28
@Matthieu: Yeah, great to know this useful stuff. – Thinhbk Jan 06 '16 at 08:33
@Matthieu You still need the stack traces in case of something unexpected - caught or not. – Thorbjørn Ravn Andersen Jul 12 '17 at 18:28

Thorbjørn Ravn Andersen · Answer 2 · 2022-10-09T09:25:12.993

41

If a computer can run it, a sufficiently motivated human can reverse-engineer it.

edited Oct 09 '22 at 09:25

answered Mar 29 '10 at 12:48

Thorbjørn Ravn Andersen

73,784
33
194
347

3

How many people can read obfuscated code and understand the logic? I have lots of engineer friend and they can't do that. Only John Nash can do this ;) – kodmanyagha Jun 24 '17 at 13:00
5

@kodmanyagha If they were motivated enough they would learn it. It is not hard. – Thorbjørn Ravn Andersen Jun 25 '17 at 02:03
2

In mathematical sense, it is possible to run without a way to reverse-engineer it. This is what homomorphic encryption is about, but there are quite a few obstacles that need to be solved to make it practically usable on computer software as opposed to SaaS. We are moving there slowly. Seminal works of Gentry on fully homomorphic encryption and "mathematical jigsaw puzzles" by Amit Sahai et al. made a huge leap in that direction. There is just one missing element (which I call a "barrier function") that would make the whole scheme feasible. What's impossible now will be possible in the future. – ogggre Nov 06 '19 at 21:58
@kodmanyagha if the motivation is strong enough, a human being can read and analyze through any obfuscated code. Someone even wrote a program that read Java/Javasript grammer and rename all the variables to be more readable name and then re-read the modified source. I don't think obfuscation can really protect the codes. – Scott Chu Feb 20 '21 at 06:42

score 30 · Answer 3 · edited Jul 17 '19 at 00:29

30

Check out my article Protect Your Java Code - Through Obfuscators And Beyond [Archived] for a discussion of obfuscation vs three other ways to make the reverse engineering of your apps more expensive, and a collection of links to tools and further reading materials.

edited Jul 17 '19 at 00:29

PLG

448
5
21

answered Apr 08 '10 at 05:58

Dmitry Leskov

3,233
1
20
17

1

This is what I actually need. I want to write PHP obfuscator for my projects. The logic is same everywhere. Thanks... – kodmanyagha Jun 24 '17 at 12:58
1

Cool and extensive article about Java obfuscation and Software collection. – m3nda Nov 19 '17 at 08:57

score 15 · Answer 4 · answered Mar 29 '10 at 11:53

15

I think that Proguard is the best. It is also possible to integrate it with your IDE (for example NetBeans). However, consider that if you obfuscate your code it could be difficult to track problems in your logs..

answered Mar 29 '10 at 11:53

andrew0007

1,265
4
18
32

6

+1 for "consider that if you obfuscate your code it could be difficult to track problems in your logs". Just when you thought that debugging was hard enough... – Adam Paynter Mar 29 '10 at 11:58
7

A good obfuscator that change names and line number information should produce a log with which to reverse the process. This way at least stack traces remain useful for obfuscated binaries. – Joachim Sauer Mar 29 '10 at 12:06
4

ProGuard creates such reverse files for debugging. :-) – Malax Mar 29 '10 at 14:22

score 11 · Answer 5 · answered Mar 29 '10 at 12:30

11

As said elsewhere on here, proguard is good, but what might not be known is that there is also a third-party maven plugin for it here http://pyx4me.com/pyx4me-maven-plugins/proguard-maven-plugin/...I've used them both together and they're very good.

answered Mar 29 '10 at 12:30

James B

3,692
1
25
34

score 10 · Answer 6 · answered Mar 29 '10 at 11:49

10

I used Allatori and it did its job pretty well.

answered Mar 29 '10 at 11:49

thelost

6,638
4
28
44

score 8 · Answer 7 · answered Apr 09 '10 at 11:46

8

It is true that it is always possible to reverse engineer some code, just like it is impossible to protect a house in order so nobody can ever steal from it. That does not keep me from locking the door, though. Actually, I am not in the java world, I use BitHelmet for .net.

answered Apr 09 '10 at 11:46

Daniel Dolz

2,403
1
18
23

7

+1 to bring you back to net 0. This answer is not unhelpful. – HaloWebMaster Jun 05 '13 at 20:39

score 7 · Answer 8 · answered Mar 29 '10 at 11:56

7

I used to work with Klassmaster in my previous company and it works really well and can integrate pretty good with build systems (maven support is excellent). But it's not free though.

answered Mar 29 '10 at 11:56

Anoop

1,307
1
14
27

score 6 · Answer 9 · answered Mar 29 '10 at 14:19

6

We've had much better luck encrypting the jars rather than obfuscating. We use Classguard.

answered Mar 29 '10 at 14:19

wfg4

197
10

7

If you have not read "Cracking Java byte-code encryption" (http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html) by Vladimir Roubtsov, you may wish to do that now. – Dmitry Leskov Apr 08 '10 at 06:00
1

The link does not working anymore. – Ali Bigdeli May 13 '22 at 17:17

score 6 · Answer 10 · answered Sep 02 '11 at 20:51

6

I don't know for sure if the solution is safe, but about the ClassGuard solution, it's interesting to read the article and the comment at: http://www.javaworld.com/community/?q=node/1604#comment-12296

answered Sep 02 '11 at 20:51

Renato

826
9
9

And another alternative that also uses native code instead of defineClass is [JarCrypt](http://www.componio.com/products/jinstaller/jarcryp/) – Renato Sep 02 '11 at 21:28
An article teaching how to crack [ClassGuard](http://zenofx.com/classguard/): http://setrst.blogspot.com/2010/04/classguard-unguarded.html. I just don't know if this still works on the latest version. – Renato Sep 02 '11 at 21:40
Bot links are not working anymore. – Ali Bigdeli May 13 '22 at 17:16

Best Java obfuscator?

10 Answers10

Linked

Related