The title is essentially the question. Does anyone know of a way to deploy a Java program in a format that is not reverse-engineer-able? I know how to convert my application into an executable jar, but I want to make sure that the code cannot be reverse engineered, or at least, not easily.
Obfuscation of the source code doesn't count... it makes it harder to understand the code, but does not hide it.
Any suggestions?
You could obfuscate your jar file with YGuard (http://www.yworks.com/en/products_yguard_about.htm)
It doesn't obfuscate your source code, but the compiled classes, so there is no problem about maintaining the code later.
If you want to hide some string you could encrypt it, making it harder to get it trought looking at the source code (even betther if you obfuscate the jar file)
I'm tempted to ask why you'd want to do this, but I'll leave that alone...
The problem I see is that the JVM, like the CLR, needs to be able to intrepert you code in order to JIT compile and run it. You can make it more "complex" but given that the spec for bytecode is rather well documented, and exists at a much higher level than something like the x86 assembler spec, it's unlikely you can "hide" the process-flow, since it's got to be there for the program to work in the first place.
You're writing in a language that has introspection as part of the core language. It generates .class files whose specs are widely known (thus enabling other vendors to produce clean-room implementations of Java compilers and interpreters). This means there are publicly-available decompilers. All it takes is a few google searches, and you have some java code that does the same thing as yours. Just without the comments, and some of the variable names (but the function names stay the same).
Really, obfuscation is about all you can get (though the decompiled code will already be slightly obfuscated). Without going to C or some other fully-compiled language, anyway.
If you know which platforms you are targeting, get something that compiles your Java into native code, such as Excelsior JET or GCJ.
Short of that, you're never going to be able to hide the source code, since the user always has your bytecode and can Jad it.
It can't be done.
Anything that can be compiled can be de-compiled. The very best you can do is obfuscate the hell out of it.
That being said, there is some interesting stuff happening in Quantum Cryptography. Essentially, any attempt to read the message changes it. I don't know if this could be applied to source code or not.
The short answer is "No, it does not exist".
Reverse engeneering is a process that does not imply to look at the code at all. It's basically trying to understand the underlaying mechanisms and then mimic them. For example, that's how JScript appears from MS labs, by copying Netscape's JavaScript behaviour, without having access to the code. The copy was so perfect that even the bugs where copied.
Don't use an interpreted language? What are you trying to protect anyway? If it's valuable enough, anything can be reverse engineered. The chances of someone caring enough to reverse engineer most projects is minimal. Obfuscation provides at least a minimal hurdle.
Ensure that your IP is protected via other mechanisms. Particularly for security code, it's important that people be able to inspect implementations, so that the security is in the algorithm, not in the source.
Once I've completed the program, I would still have access to the original source, so maintaining the application would not be the problem. If the application is distributed, I would not want any of the users to be able to decompile it. Obfuscation does not achieve this as the users would still be able to decompile it, and while they would have difficulty following the action flows, they would be able to see the code, and potentially take information out of it.
What I'm concerned about is if there is any information in the code relating to remote access. There is a host to which the application connects using a user-id and password provided by the user. Is there a way to hide the host's address from the user, if that address is located inside the source code?
Elie, The user can use other tools to know where your program is connecting to, a simple netstat would do.
Even if you compile the code into native machine language, there are all sorts of programs that let you essentially decompile it into assembly language and follow the process flow (OlyDbg, IDA Pro).
Make it into a web service. Then you are the only one that can see the source code.
With anything interpreted at some point it has to be processed "in the clear". The string would show up clear as day once the code is run through JAD. You could deploy an encryption key with your app or do a basic ceasar cipher to encrypt the host connect info and decrypt at runtime...
But at some point during processing the host connection information must be put in the clear in order for your app to connect to the host...
So you could statically hide it, but you can't hide it during runtime if they running a debugger
This is impossible. The CPU will have to execute your program, i.e. your program must be in a format that a CPU can understand. CPUs are much dumber than humans. Ergo, if a CPU can understand your program, a human can.
it can not be done. this is not a java problem any language that can be compiled can be decompiled for java its just easier. What you are trying to do is, show some a picture without actually showing them. it is not possible. You also can not hide your host even if you hide at the application level someone can still grap it via wireshark or any other sniffer.