views:

133

answers:

3

Possible Duplicate:
Best Java obfuscator ?

Well, I'm planning on releasing a Jar into the world but would prefer if the code was not readably available to anyone with a Java Decompiler as I want to control access to the program with usernames / auth codes etc.

After some Googling I haven't found any software to do this for me, so I was wondering what steps to take from here; if anyone can point me at any software or information on methodologies of obfuscation I would be grateful.

Cheers again Stack Overflow.

+1  A: 

There are many obfuscators around; ProGuard is one well-known example. Try searching for "java obfuscator"; Google finds enough hits on that.

unbeli
A: 

It's not possible to prevent someone from decompiling your code. You can obfuscate it, but that's the best you can do.

The good news for you?

Nobody wants your code. It's probably not worth decompiling.

If companies like BEA don't prevent such a thing with WebLogic, I can't see why yours requires it. Release your JAR and sleep at night.

duffymo
You are confusing the word "uninformed" with "experienced".
Thorbjørn Ravn Andersen
I think he's being a bit tongue in cheek; and he's right! Most people's security comes from "no one's looking". But really, things like WebLogic are covered for the same reasons as my earlier comment.
Kurucu
Third party code is worth decompiling, however, if it has bugs so you can figure out how to avoid triggering the bugs...
Thorbjørn Ravn Andersen
All code has bugs, so "if" is incorrect. And I doubt that this would be valuable for any substantial code base.
duffymo
+2  A: 

Do not forget to encrypt the passwords using a hash algorithm. I would not rely on the obfuscator to protect the passwords.

And you can then probably skip the obfuscator altogether as it will provide little, if any, additional protection.

Peter Tillemans
"And you can then probably skip the obfuscator altogether as it will provide little, if any, additional protection." - exactly.
duffymo
There is a class that returns hashes, I really just wanted to protect that.
Waltzy
What Peter is saying is that if your application is designed correctly, and the hashes are one-directional or require a secret not stored in the application, then you won't need to hide your code to protect security. Obfuscation does not offer any significant protection in itself. Think of all the open source programs, like MySQL, that offer security but also open code and yet are still considered very secure. This is the reason why.
Kurucu
The only reliable way is to host that class yourself and let the client query it over the 'net.
Thorbjørn Ravn Andersen
@Thorbjørn Ravn Andersen, this is interesting, can you point me to some more information on how this is achieved?
Waltzy
hashing != encryption
Jesper
You are right, hashing is not encryption. However, you find the MessageDigest, which computes the hashes, in the crypto package. See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#MDEx for an example using SHA-1. There is no need to protect this as it is a one-way function, i.e. you cannot (in reasonable time) go from the hash to the plain text.
Peter Tillemans
Have a look at web services (which for your purpose is basically remote method calls over HTTP). You will need a Java-capable web server - the Google Application Engine will do nicely.
Thorbjørn Ravn Andersen
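
The approach this thread converges on (keep the credential check on a host you control and store only one-way hashes, so the shipped JAR holds nothing worth hiding) is sketched below as an added example that is not part of the original posts. Assumptions: the class name `AuthService`, the in-memory map standing in for a database, the iteration count, Java 16+ for `record`, and salted PBKDF2 used in place of the plain SHA-1 `MessageDigest` linked above because a slow salted function resists offline guessing.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical server-side class: it runs on your host, never inside the shipped JAR.
public class AuthService {
    private static final int ITERATIONS = 210_000; // assumed work factor, tune for your hardware
    private static final int KEY_BITS = 256;

    // Stored per user: random salt plus derived hash. The password itself is never kept.
    private record Credential(byte[] salt, byte[] hash) {}

    private final Map<String, Credential> users = new HashMap<>(); // stand-in for a database
    private final SecureRandom random = new SecureRandom();

    private static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public void register(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        users.put(user, new Credential(salt, derive(password, salt)));
    }

    // Called by the remote endpoint; the client only ever learns true or false.
    public boolean verify(String user, char[] password) throws Exception {
        Credential c = users.get(user);
        if (c == null) return false;
        // MessageDigest.isEqual compares in constant time, so no timing leak on the hash.
        return MessageDigest.isEqual(c.hash(), derive(password, c.salt()));
    }

    public static void main(String[] args) throws Exception {
        AuthService svc = new AuthService();
        svc.register("alice", "correct horse".toCharArray()); // constructed sample account
        System.out.println(svc.verify("alice", "correct horse".toCharArray()));
        System.out.println(svc.verify("alice", "wrong guess".toCharArray()));
        System.out.println(svc.verify("mallory", "anything".toCharArray()));
    }
}
```

Decompiling the client reveals only the call to the remote endpoint; the salts, hashes and comparison logic stay on the server.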