Protect JAR

Is there a way to password protect a jar, or prevent someone from extracting the class files?

If any has any other suggestions on how to distribute a double-clickable java program, where the code will be secure, I welcome those as well?

Thanks.
AverageJoezAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CEHJCommented:
Make it a zip file?
0
objectsCommented:
A jar file is a zip so you can use the password protection facility available to the zip.
But doing this will make it unusable by the standard class loader.

You could include the jar in a password protected zip that the user can then extract before running.

But really there is no secure way to do what you want to achieve without writing your own classloader and even then its not totally secure.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
doronbCommented:
My wife just said: "Don't drop'em!"  However, more seriously, look for obfuscators and other products that have some sort of compression as well.  I have written my own classloader to handle JAR compression... Without my JAR-booter the JAR files I encrypt and compress are unreadable, but there's so much work that goes into this process that I'd advise against doing it yourself.

If you want, I can give you some hints about how to write such a ClassLoader, however, you should know that there is no way to actually prevent someone from getting your class files.

Even .exe code is never secure as you can disassemble it and sometimes even reconstruct it at the source-level!

Good luck,
Doron Barak
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

girionisCommented:
> Even .exe code is never secure as you can disassemble it and sometimes even reconstruct
>it at the source-level!

  I do not think it's possible but if you say so you probably know more. Do you have any links I could read?
0
CEHJCommented:
>>  I do not think it's possible

It certainly is ;-)

You can't protect your classes whether or not you use custom classloaders - there is no JVM that I know of that accepts encrypted bytecode, so as it goes into the JVM as normal bytecode, you can just debug into it and record it.
0
girionisCommented:
> It certainly is ;-)

  Any references?
0
CEHJCommented:
If you're running Windows, you've already got a command line decompiler of sorts - it's called 'debug' ;-)
0
jimmackCommented:
If you want *some* level of protection to deter people from reverse engineering your code, then you could use a code obfuscator.  This won't stop the determined hackers, but does make things more difficult.

Here's one: http://www.codingart.com/codeshield.html

There are plenty of others.
0
CEHJCommented:
Well i think that's already been mooted ;-)

>>
However, more seriously, look for obfuscators and other products that have some sort of compression as well.  I have written my own classloader to handle JAR compression.
>>

btw aren't JARs *already* compressed? ;-)
0
girionisCommented:
 'debug' is not a decompiler AFAIK, its closer description is a HEX Editor.
0
jimmackCommented:
>>  Well i think that's already been mooted ;-)

Sorry doronb et. al. ;-)  Perhaps I should have used "Find" instead of just my eyes when trying to see if anyone had mentioned obfuscators ;-)
0
CEHJCommented:
>>its closer description is a HEX Editor.

Not true, although it certainly has a relatively trivial application as a hex editor

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/debug_u.asp
0
doronbCommented:
@girionis:
  Look here: http://dmoz.org/Computers/Programming/Disassemblers/
  And also here: http://www.geocities.com/SiliconValley/Lab/1563/tools.html
  And especially here: http://www.microway.com.au/compuware/softice.stm

@jimmack:
  that's ok, happens to me too :)

@CEHJ:
  Jar's are not always compressed, if I'm not mistaken, the files are (by default) stored rather than compressed. However, I devised my own "compression" tool for JAR's and it works really great, adds 10% compression (at least) AFTER an obfuscator and ZIP compression were applied!!

  Debug is more a tool you'd use to modify and write out the contents of a program rather than a disassembler.
0
CEHJCommented:
>>Jar's are not always compressed

AFAIK they are - maybe you're thinking of TARs?

>>
Debug is more a tool you'd use to modify and write out the contents of a program rather than a disassembler
>>

I never said its disassembly abilities were anything more than rudimentary - but you *can* disassemble with it ;-)
0
doronbCommented:
Yes, you can disassemble with it :)

First tests I did with JAR's (don't remember the JDK though!) concluded stored files and not compressed.
0
girionisCommented:
 dorond: thanks for the links :)

0
doronbCommented:
You're welcome girionis, that'd be 50 points... j/k :)
0
CEHJCommented:
Are you thinking of going into the cracking business g? ;-)
0
doronbCommented:
CEHJ, are you asking me or girionis? :)
0
CEHJCommented:
girionis ;-)
0
girionisCommented:
 Hehe CEHJ, nope :)

  I got the terms confused, I meant to say it's not possible to *decompile* it instead of *disassemble* it  ;)
0
CEHJCommented:
I think there may well be programs around that can produce actual C code rather than mere assembler.
0
doronbCommented:
If think that other than my wife who just said: "Don't drop'em!"  everyone who participated and contributed information that would've helped the asker should get some points :) As to how to divide the points, I leave that to you.
0
doronbCommented:
Thanks, I concur :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Java

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.