1

Possible Duplicate:
Best Java obfuscator?

Well, I'm planning on releasing a Jar into the world but would prefer if the code was not readably available to anyone with a Java Decompiler as I want to control access to the program with usernames / auth codes etc.

After some Googling I haven't found any software to do this for me, so I was wondering what steps to take from here; if anyone can point me at any software or information on methodologies of obfuscation I would be grateful.

Cheers again Stack Overflow.

Waltzy

3 Answers

1

There are many obfuscators around; ProGuard is one well-known example. Try searching for "java obfuscator", Google finds enough hits on that.

unbeli
1

It's not possible to prevent someone from decompiling your code. You can obfuscate it, but that's the best you can do.

The good news for you?

Nobody wants your code. It's probably not worth decompiling.

If companies like BEA don't prevent such a thing with WebLogic, I can't see why yours requires it. Release your JAR and sleep at night.

duffymo
1

Do not forget to encrypt the passwords using a hash algorithm. I would not rely on the obfuscator to protect the passwords.

And you can then probably skip the obfuscator altogether as it will provide little, if any, additional protection.

Thorbjørn Ravn Andersen
Peter Tillemans
  • 1
    "And you can then probably skip the obfuscator altogether as it will provide little, if any additional protection." - exactly. – duffymo May 31 '10 at 13:28
  • there is a class that returns hashes, I really just wanted to protect that. – Waltzy May 31 '10 at 13:30
  • 1
    What Peter is saying is that if your application is designed correctly, and the hashes are one-directional or require a secret not stored in the application, then you won't need to hide your code to protect security. Obfuscation does not offer any significant protection in itself. Think of all the open source programs, like MySQL, that offer security but also open code and yet are still considered very secure. This is the reason why. – Elliot May 31 '10 at 13:35
  • 2
    only reliable way is to host that class yourself and let the client query it over the 'net. – Thorbjørn Ravn Andersen May 31 '10 at 13:35
  • @Thorbjørn Ravn Andersen, this is interesting, can you point me to some more information on how this is achieved? – Waltzy May 31 '10 at 13:40
  • 1
    You are right, hashing is not encryption. However you find the MessageDigest which computes the hashes in the crypto package. See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#MDEx for an example using SHA-1. There is no need to protect this as it is a one-way function, i.e. you cannot (in reasonable time) go from the hash to the plain text. – Peter Tillemans May 31 '10 at 13:48
  • 1
    Have a look at web services (which for your purpose is basically remote method calls over http). You will need a java capable web server - the Google Application Engine will do nicely. – Thorbjørn Ravn Andersen May 31 '10 at 18:51
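
The point made in the comments above (a one-way hash checked on a server you host needs no obfuscation), as an added example that is not from any poster in this thread. It swaps the plain SHA-1 MessageDigest from the linked guide for the JDK's PBKDF2, a salted and iterated hash that slows offline guessing; the class name, record format and iteration count are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: server-side auth-code check. All names here are hypothetical.
public class AuthCodeVerifier {
    private static final int ITERATIONS = 210_000; // assumed work factor; tune for your hardware
    private static final int KEY_BITS = 256;

    // Derive a salted, slow, one-way hash of the auth code.
    static byte[] derive(char[] code, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(code, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy of the code held by the spec
        }
    }

    // Build the record the server stores: "salt:hash", both Base64.
    static String enroll(char[] code) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(derive(code, salt));
    }

    // Check a submitted code against the stored record in constant time.
    static boolean verify(char[] submitted, String record) throws Exception {
        String[] parts = record.split(":", 2);
        if (parts.length != 2) return false; // malformed record never authenticates
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]);
        byte[] expected = b64.decode(parts[1]);
        return MessageDigest.isEqual(expected, derive(submitted, salt));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not a real credential.
        String record = enroll("constructed-sample-code".toCharArray());
        System.out.println("stored record: " + record);
        System.out.println("correct code:  " + verify("constructed-sample-code".toCharArray(), record));
        System.out.println("wrong code:    " + verify("guess".toCharArray(), record));
    }
}
```

Only the stored record and this class need to live on the server; the shipped Jar sends the submitted code over an authenticated, encrypted channel and holds no secret that a decompiler could recover.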