16

I'm looking for a good Java obfuscator.

I've done initial research into the following Java obfuscators: proguard, yguard, retroguard, dasho, allatori, jshrink, smokescreen, jobfuscate, marvin, jbco, jode, javaguard, jarg, joga, cafebabe, donquixote, mwobfu, bbmug, zelix klassmaster, sandmark, jcloak, thicket, blufuscator, and java code protector.

I tried proguard and it has a really nice GUI, seems really stable, and seems to be the most popular, but it seemed to not like some enumeration on a referenced jar file (not within the code I was trying to obfuscate) which was weird. Yguard seems to require some interaction with ant, which I didn't know too much about.

What is a good java obfuscator? It doesn't need to be free, it just needs to work well and be easy to use.

jbu
  • 15,831
  • 29
  • 82
  • 105

6 Answers6

20

I use ProGuard heavily for all my release builds and I have found it is excellent. I can't recommend it enough!

I have encountered obscure bugs caused by it's optimizations on several occasions and I now disable optimizations across the board - haven't had a problem caused by ProGuard since. Though, to be fair, these were all quite some versions ago - YMMV.

I used to use the GUI only to get a config started, and then I resort to editing the text config myself, which is really very simple to do. These days I do the config by hand.

I have quite complex projects all of which involve dynamic loading and reflection. I also heavily use reflection for a callback implementation. ProGuard has coped with these very well.

EDIT: We also use DashO Pro for one of our products - I looked into it for packaging the products I am responsible for and concluded that it's configuration was too convoluted and complex; also integrating it into the build script seemed like a bit of a pain. But again, to be fair, this was circa 2001... so it might be better in current versions.

Lawrence Dol
  • 63,018
  • 25
  • 139
  • 189
11

A good collection of links to free and commercial tools is given in this arcticle

"Protect Your Java Code - Through Obfuscators And Beyond"

The author also discusses the strong and weak points of bytecode obfuscation

3

What is the issue with ProGuard ? (which is recommended both by this question and this one).

There is a section of troubleshooting about enumerator, but they seem to be taken into account just fine.

However, Obfuscation breaks some attempts at reflection, even though modern obfuscators can detect and to some extend adjust usages of reflection in the code they're obfuscating.

Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • The issue is that the application uses code in an external jar, and I've "kept" the files that use enumeration in my own jar code, but at run time I'm still getting problems inside the external jar's code that relates to enumeration. I've followed the proguard troubleshooting the best I could. – jbu Nov 21 '08 at 23:40
  • Do you have the error messages that Proguard generates ? – VonC Nov 21 '08 at 23:49
  • yes, I posted it as an answer in this thread – jbu Nov 22 '08 at 00:15
  • hi VonC, I have trouble using proguard. I have 3 class files which I am packaging into one jar(with manifest). Now when I issue command : java -jar myjar.jar @myjar.pro I expect an output jar like myjar_out.jar stated in myjar.pro. But, that command runs the jar instead of creating a output jar. – Real Red. Jul 06 '09 at 05:33
  • 1
    According to http://proguard.sourceforge.net/manual/usage.html , aren't you supposed to type `java -jar proguard.jar @myjar.pro`? Because I can confirm that `java -jar myjar.jar ...` will execute the main class found in myjar.jar. – VonC Jul 06 '09 at 06:13
  • Oh yes...my bad...what was I thinking...:-). Thanks. – Real Red. Jul 06 '09 at 06:33
2

I used Zelix Klassmaster in a commercial application for several years and found it to be excellent. I threw quite a few resources at the obfuscated code, and was not able to "break" it. It's pricey, but good.

I only stopped using it when my version got old enough that the upgrade cost was significant. My needs had changed and I didn't really need to obfuscate the classes anymore. However, if the need arises again, I'd pay for it and use it in a flash.

Cheers,

-Richard

Huntrods
  • 2,561
  • 3
  • 22
  • 29
  • I use this a long time ago too. It is very good. Additionally IntellJ Idea plugin is available. http://blogs.jetbrains.com/idea/2006/08/analyzing-external-stack-traces/ – OscarRyz Feb 06 '09 at 20:50
1

I use and suggest Zelix - 100% - very solid and robust protection

j0k
  • 22,600
  • 28
  • 79
  • 90
Ron Warshawsky
  • 314
  • 2
  • 11
  • is it possible to obfuscate double quote string also ? we are using proguard currently in android studio.but, some limitations are there. thats why, we are searching for other tool dexguard commercial,klassmaster. – harikrishnan Feb 22 '18 at 10:53
1

We are using Zelix Klassmaster for couple years and I can recommend it.

FoxyBOA
  • 5,788
  • 8
  • 48
  • 82
  • agree with you. see also: http://stackoverflow.com/a/26717791/2132826 – taitelman Nov 06 '14 at 05:38
  • is it possible to obfuscate double quote string also ? we are using proguard currently in android studio.but, some limitations are there. thats why, we are searching for other tool dexguard commercial,klassmaster. – harikrishnan Feb 22 '18 at 10:54
  • Yes, AFAIK. Never met any issues with double quoted strings. – FoxyBOA Feb 22 '18 at 12:02