So, say we have a Jar file with our Java application, and it has inside of it the Jar files for the libraries it depends on, such as the JDBC driver or any other third-party jar.

How do you proceed to obfuscate it with free software? I mean, obfuscate your code and leave the Jars untouched.

I tried with ProGuard, to no avail. Even the author told me at the SourceForge forums it wasn't possible.

But you can do it manually with an ugly hack involving the renaming of the jar to zip and mangling with the inner data, so, why wouldn't a software be able to do it?

A: 

Presumably, you have some sort of build script in place to compile your source, package it with the other jars (One-Jar/Fat Jar/etc.), and build your jar.

You should be able to insert the obfuscation task between the compilation and packaging.

If your obfuscation tool of choice will only take a jar input, you should be able to compile, jar, and obfuscate your code independently. After that, have your script unjar the obfuscated file and do your packaging.

James Van Huis
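
The sequence described in this answer (separate your own classes from the bundled jars, obfuscate only those, then repackage), as an added example that is not part of the original answer or of any obfuscator's own code. It assumes the bundled libraries are entries ending in `.jar` inside the outer jar; `make_jar`, `split_fat_jar`, `repack`, `obfuscate_fat_jar` and the sample data are hypothetical names constructed for illustration, and the obfuscator itself is an external tool passed in as a callable.

```python
import io
import zipfile

def make_jar(entries, method=zipfile.ZIP_DEFLATED):
    """Build a jar (zip) in memory from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def split_fat_jar(fat_jar):
    """Return (app_jar_bytes, {nested_jar_name: raw_bytes})."""
    app, libs = {}, {}
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as src:
        for info in src.infolist():
            if info.is_dir():
                continue
            # Nested library jars are kept as opaque bytes and never opened.
            target = libs if info.filename.lower().endswith(".jar") else app
            target[info.filename] = src.read(info)
    return make_jar(app), libs

def repack(obfuscated_app_jar, libs):
    """Merge the obfuscated app entries with the untouched library jars."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(obfuscated_app_jar)) as app, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as fat:
        for info in app.infolist():
            if not info.is_dir():
                fat.writestr(info.filename, app.read(info))
        for name, data in sorted(libs.items()):
            # Stored, not deflated: the inner jar is already compressed.
            fat.writestr(name, data, compress_type=zipfile.ZIP_STORED)
    return out.getvalue()

def obfuscate_fat_jar(fat_jar, obfuscate):
    """obfuscate(app_jar_bytes, libs) -> obfuscated app jar bytes (external tool)."""
    app_jar, libs = split_fat_jar(fat_jar)
    return repack(obfuscate(app_jar, libs), libs)

# Constructed sample: one app class plus one bundled library jar.
SAMPLE_LIB = make_jar({"org/db/Driver.class": b"\xca\xfe\xba\xbelib"})
SAMPLE_FAT = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: com.example.App\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbeapp",
    "lib/jdbc.jar": SAMPLE_LIB,
})
```

In a real build the `obfuscate` callable would write the app jar and the library jars to temporary files and run the obfuscator on the app jar only, handing it the libraries as read-only references (ProGuard's `-libraryjars` option) so calls into them still resolve.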
A: 

Don't waste your time. Anyone can decompile your obfuscated code; the only thing you're going to do is frustrate your legitimate users who want to debug problems with your software.

Obfuscation is a technical solution (and a poor one at that) to a legal problem.

Kevin
If the sole purpose is to protect your IP you have a point here, but try and remember that obfuscation has some other benefits. If the footprint of the jar is important, obfuscation often makes it smaller, and most will perform more compression.
willcodejavaforfood
I doubt the footprint of the jar is a concern since he is packaging unobfuscated jars inside of other jars.
Kevin
This is somewhat true, but there is a question of effort. An unobfuscated jar will look almost identical to the original source code when decompiled. A well obfuscated jar will not decompile very well, and will require significantly more effort to extract working source code. This is not optimal, but it is certainly better than nothing to deter the casual attacker.
James Van Huis
Will obfuscated jars produce usable stack traces in case of problems?
Thorbjørn Ravn Andersen
Obfuscated code will produce stack traces with the obfuscated package/class/method names. Fortunately, most obfuscators contain a stack trace de-obfuscation tool.
James Van Huis
Obfuscating is a waste of time. You know it, I know it. Now, go tell the bosses. :D
Saiyine
@Saiyine: I really don't think so. You just have to have all the stakeholders in your project realize that it is not a 100% secure solution. Just because your door's lock can be picked does not mean that you should give up and leave your doors unlocked.
James Van Huis
A: 

You can create a single jar from multiple jars using Jar Jar Links. Then you process the result with ProGuard.

RobbieV
What a terrible name, but I'll check it anyway.
Saiyine