From what I understand, obfuscating a Java web application will just make it a little harder to read your application, but reverse engineering is still possible.

My goal is just to make it very difficult to read, and not be able to decompile and run (not sure if that's possible, I guess it will still run just with ugly variable names??)

So variable names like:

String username = "asdfsadf";

will become

String aw34Asdf234jkasdjl_asdf2343 = "asdfsdaf";

Is this correct:

  1. public classes and variables will remain unchanged
  2. ONLY private strings/classes/methods can be renamed
  3. string encryption can be used for some sensitive string data like encryption keys etc.

Really my goal is so that someone can't just decompile and release the code.

+1  A: 

The problem here is that the code needs to be in proper Java syntax when you compile it. So no matter what obfuscation you applied, if I have access to even just the bytecode I can figure out a way to reconstruct the source.

(http://www.program-transformation.org/Transform/JavaDecompilers#Java_Bytecode_Decompilers)

What you would need to do is keep the proprietary part of the software in such a place that your pirates would not be able to see it. As far as I am aware, that is the ONLY way to avoid hijacking your software.

piggles
+1  A: 

There are plenty of good Java obfuscators which will do what you say, and much more. Here are some from Google:

Although these will make it much more difficult to read the decompiled code (and some decompilers will refuse to even try), keep in mind that it is always possible for someone to reverse-engineer the code if they have the binary, and are knowledgeable and patient enough.

BlueRaja - Danny Pflughoeft
Just to reiterate, the reverse-engineered source would still be obfuscated.
Jeff Storey
The decompiled code would be obfuscated; *reverse engineered* usually refers to code that is decompiled 'by hand,' which would simply be harder to do with obfuscated bytecode.
BlueRaja - Danny Pflughoeft
A: 

You cannot prevent Java code from being decompiled and run. Even if it is obfuscated, there may be people out there that are still able to figure out what your code is doing, despite the obfuscation. Everything you publish can be reverse engineered.

There exist even much stronger efforts in other languages to prevent decompiling and debugging, disk copy protection solutions for example, and even they get reverse engineered and hacked frequently.

If you don't want people to reverse engineer your code, let it run server side only, don't publish it and try to harden the server as much as possible.

Sylar
"Everything you publish can be reverse engineered" -- Correct. The point is what's the cost of reverse engineering.
+1  A: 

Web applications run server side. Clients will not see the code unless you mess things up.

Thorbjørn Ravn Andersen