views:

1228

answers:

2

I'm very new to obfuscation and don't have a lot of experience with ant. Come someone provide me a way to obfuscate a regular Java application with ProGuard (or any other open source obfuscator). Currently I'm using NetBeans 6.5.1, and only see the obfuscation ability if I create a JAVA ME, and not a Java Application like I have. I've looked at http://wiki.netbeans.org/DevFaqModuleObfuscation, but don't understand what they're saying.

Thanks for any input.

+2  A: 

The FAQ you point to is for obfuscating NetBeans modules. This is quite a complicated use case, so I will assume that it is not the regular application you are interested in.

Very briefly: the obfuscation process changes the names of classes, methods and fields to make it more difficult to reverse engineer your application.

This causes some issues:

  • the JVM requires your application to have a public static void main( String args[] ) in a public class, so you must tell proguard not to change this name
  • if you are using any sort of introspection, you have to protect the relevant names from being changed
  • other cases, as explained in the manual

Additionally, proguard strips out unused code. If you have any classes that are used but not referenced directly, you have to -keep them as well.

The proguard documentation includes an example of how to obfuscate a simple application. Here is the example explained (with some less confusing names):

-injars       application.jar        # obfuscate all the classes in the named jars
-outjars      obfuscated.jar         # save all the obfuscated classes to the named jar
-libraryjars  <java.home>/lib/rt.jar # these are all the libraries that the application uses
-printmapping obfuscation.map        # save a file linking the original names to the obfuscated ones
                                     # this helps understanding stack traces from the obfuscated application

# we need to keep our main class and the application entry point
-keep public class com.mycompany.Application {
    public static void main(java.lang.String[]);
}

Unless you specify -dontshrink, proguard will remove any code not kept or not referenced from any kept code. So in the above configuration, any code not referenced (indirectly) by the main method will be removed.

Proguard includes an Ant task that can be used to integrate with the NetBeans workflow. I would suggest experimenting manually first though, without Ant, as that takes one of the complicating factors out of the process. Build your application jar with NetBeans and then try to obfuscate with the above configuration (fleshed out if necessary). Make sure to test the obfuscated application, as innumerable things can go awry. Once you have a working proguard configuration, try adding an Ant task to your build file to automate the obfuscation process within NetBeans.

jackrabbit
Thanks for the help but I'm getting the followingWarning: javax.swing.JDialog: can't find superclass or interface javax.swing.TransferHandler$HasGetTransferHandlerWarning: javax.swing.JWindow: can't find superclass or interface javax.swing.TransferHandler$HasGetTransferHandlerWarning: javax.swing.JComponent: can't find superclass or interface javax.swing.TransferHandler$HasGetTransferHandlerWarning: javax.swing.JFrame: can't find superclass or interface javax.swing.TransferHandler$HasGetTransferHandlerI included rt.jar which has TransferHandler$HasGetTransferHandler.class. Any ideas?
Jon
It's in the manual: `-dontskipnonpubliclibraryclasses`: http://proguard.sourceforge.net/manual/troubleshooting.html#unresolvedclass
jackrabbit
A: 

Hi there.

Another solution than -dontskipnonpubliclibraryclasses is to use the same JDK for running proguard as you used for compiling the code in the JAR file.

For example, instead of java -jar ../proguard3.8/lib/proguard.jar

use /usr/local/jdk1.5.0/bin/java -jar ../proguard3.8/lib/proguard.jar

Jacob

Jacob Nordfalk