JAVA -> JAR protection (anti-hacker protection)

[b4u]

Hi,

How can I make a jar package, in a way that people can't uncompress, de-compile, change code, compile again, repack and run their own versions of my original code?

I have some security packs that I would like to "protect" in some way.

Is it possible?

Thanks

 

[znaps]

I think obfuscating the code, and signing the jar file with a certificate from Thawte or Verisign is all you can do.

 

[Kilrsat]

You can obfuscate it, but that really only makes it more difficult to actually use the code when decompiling. Your classes end up named A, B, C, etc. with the methods renamed to aa, bb, cc, etc.

But other than changing names, and some slight reorganization of code (in-lining simple methods, unrolling basic for loops) the logic behind the code is the same. A determined person could still do it.

Signing the packages would be a way to detect tampering if someone tried to reassmble your jar file and just slip it in the program, but offers no protection against people extracting classes from the package.

There are a few other ways to make it difficult to accomplish (the encrypted class loader idea), but no way to make it impossible.

Standard security procedure is that an outside person should be able to have the source, know the algorithms used, but still not gain access to the protected item. Perhaps you need to rethink your approach.

 

[Nothinman]

I think obfuscating the code, and signing the jar file with a certificate from Thawte or Verisign is all you can do.

Signing the jar file won't help because if they can decompile the classes and change them, they can just remove the signature check as well.

 

[znaps]

Yup, I know. Basically, assuming the OP does not want to get into overly advanced methods, there is nothing he can do to prevent people modifying his code. I added the JAR signing info because it's worth knowing the existing methods that people use to verify a codebase's authenticity.