What is the best way to go about obfuscating Java code?

views:

133

answers:

+1 Q:

What is the best way to go about obfuscating Java code?

Possible Duplicate:
Best Java obfuscator ?

Well, I'm planning on releasing a Jar into the world but would prefer if the code was not readably available to anyone with a Java Decompiler as I want to control access to the program with usernames / auth codes etc.

After some Googling I haven't found any software to do this for me, so I was wondering what steps to take from here; if anyone can point me at any software or information on methodologies of obfuscation I would be grateful.

Cheers again Stack Overflow.

+1 A:

There are many obfuscators around, ProGuard is one well known example. Try searching for "java obfuscator", google finds enough hits on that.

unbeli 2010-05-31 13:24:55

It's not possible to prevent someone from decompiling your code. You can obfuscate it, but that's the best you can do.

The good news for you?

Nobody wants your code. It's probably not worth decompiling.

If companies like BEA don't prevent such a thing with WebLogic, I can't see why yours requires it. Release your JAR and sleep at night.

duffymo 2010-05-31 13:26:27

You are confusing the word "uninformed" with "experienced".

Thorbjørn Ravn Andersen 2010-05-31 13:32:45

I think he's being a bit tongue in cheek; and he's right! Most people's security comes from "no one's looking". But really, things like WebLogic are covered for the same reasons as my earlier comment.

Kurucu 2010-05-31 13:36:06

Third party code is worth decompiling, however, if it has bugs so you can figure out how to avoid triggering the bugs...

Thorbjørn Ravn Andersen 2010-06-03 06:22:18

All code has bugs, so "if" is incorrect. And I doubt that this would be valuable for any substantial code base.

duffymo 2010-06-03 09:46:52

+2 A:

Do not forget to encrypt the passwords using a hash algorithm. I would not rely on the obfuscator to protect the passwords.

And you can then probably skip the obfuscator all together as it will provide little, if any, additional protection.

Peter Tillemans 2010-05-31 13:26:38

"And you can then probably skip the obfuscator all together as it will provide little, if any additonal protection." - exactly.

duffymo 2010-05-31 13:28:58

there is a class that returns hashes, I really just wanted to protect that.

Waltzy 2010-05-31 13:30:32

What Peter is saying is that if your application is designed correctly, and the hashes are one-directional or require a secret not stored in the application, then you won't need to hide your code to protect security. Obfuscation does not offer any significant protection in itself. Think of all the open source programs, like MySQL, that offer security but also open code and yet are still considered very secure. This is the reason why.

Kurucu 2010-05-31 13:35:00

only reliable way is to host that class yourself and let the client query it over the 'net.

Thorbjørn Ravn Andersen 2010-05-31 13:35:03

@Thorbjørn Ravn Andersen, this is interesting, can you point me to some more information on how this is achieved?

Waltzy 2010-05-31 13:40:57

hashing != encryption

Jesper 2010-05-31 13:41:56

You are right, hashing is not encryption. However you find the MessageDigest which computes the hashes in the crypto package.see http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#MDEx for an example using sha-1. There is no need to protect this as it is a one-way function, i.e. you cannot (in reasonable time) go from the hash to the plain text.

Peter Tillemans 2010-05-31 13:48:45

Have a look at web services (which for your purpose is basically remote method calls over http). You will need a java capable web server - the Google Application Engine will do nicely.

Thorbjørn Ravn Andersen 2010-05-31 18:51:01

ansaurus

tags:

views:

answers:

What is the best way to go about obfuscating Java code?

related questions