Solved

Protect JAR

Posted on 2003-11-06
27
1,100 Views
Last Modified: 2013-11-23
Is there a way to password protect a jar, or prevent someone from extracting the class files?

If any has any other suggestions on how to distribute a double-clickable java program, where the code will be secure, I welcome those as well?

Thanks.
0
Comment
Question by:AverageJoez
  • 9
  • 7
  • 5
  • +2
27 Comments
 
LVL 86

Expert Comment

by:CEHJ
ID: 9697353
Make it a zip file?
0
 
LVL 92

Accepted Solution

by:
objects earned 25 total points
ID: 9697375
A jar file is a zip so you can use the password protection facility available to the zip.
But doing this will make it unusable by the standard class loader.

You could include the jar in a password protected zip that the user can then extract before running.

But really there is no secure way to do what you want to achieve without writing your own classloader and even then its not totally secure.
0
 
LVL 9

Assisted Solution

by:doronb
doronb earned 25 total points
ID: 9698088
My wife just said: "Don't drop'em!"  However, more seriously, look for obfuscators and other products that have some sort of compression as well.  I have written my own classloader to handle JAR compression... Without my JAR-booter the JAR files I encrypt and compress are unreadable, but there's so much work that goes into this process that I'd advise against doing it yourself.

If you want, I can give you some hints about how to write such a ClassLoader, however, you should know that there is no way to actually prevent someone from getting your class files.

Even .exe code is never secure as you can disassemble it and sometimes even reconstruct it at the source-level!

Good luck,
Doron Barak
0
Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

 
LVL 35

Assisted Solution

by:girionis
girionis earned 25 total points
ID: 9699837
> Even .exe code is never secure as you can disassemble it and sometimes even reconstruct
>it at the source-level!

  I do not think it's possible but if you say so you probably know more. Do you have any links I could read?
0
 
LVL 86

Assisted Solution

by:CEHJ
CEHJ earned 25 total points
ID: 9699863
>>  I do not think it's possible

It certainly is ;-)

You can't protect your classes whether or not you use custom classloaders - there is no JVM that I know of that accepts encrypted bytecode, so as it goes into the JVM as normal bytecode, you can just debug into it and record it.
0
 
LVL 35

Expert Comment

by:girionis
ID: 9699893
> It certainly is ;-)

  Any references?
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 9699913
If you're running Windows, you've already got a command line decompiler of sorts - it's called 'debug' ;-)
0
 
LVL 15

Assisted Solution

by:jimmack
jimmack earned 25 total points
ID: 9699943
If you want *some* level of protection to deter people from reverse engineering your code, then you could use a code obfuscator.  This won't stop the determined hackers, but does make things more difficult.

Here's one: http://www.codingart.com/codeshield.html

There are plenty of others.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 9700007
Well i think that's already been mooted ;-)

>>
However, more seriously, look for obfuscators and other products that have some sort of compression as well.  I have written my own classloader to handle JAR compression.
>>

btw aren't JARs *already* compressed? ;-)
0
 
LVL 35

Expert Comment

by:girionis
ID: 9700011
 'debug' is not a decompiler AFAIK, its closer description is a HEX Editor.
0
 
LVL 15

Expert Comment

by:jimmack
ID: 9700016
>>  Well i think that's already been mooted ;-)

Sorry doronb et. al. ;-)  Perhaps I should have used "Find" instead of just my eyes when trying to see if anyone had mentioned obfuscators ;-)
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 9700032
>>its closer description is a HEX Editor.

Not true, although it certainly has a relatively trivial application as a hex editor

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/debug_u.asp
0
 
LVL 9

Expert Comment

by:doronb
ID: 9703662
@girionis:
  Look here: http://dmoz.org/Computers/Programming/Disassemblers/
  And also here: http://www.geocities.com/SiliconValley/Lab/1563/tools.html
  And especially here: http://www.microway.com.au/compuware/softice.stm

@jimmack:
  that's ok, happens to me too :)

@CEHJ:
  Jar's are not always compressed, if I'm not mistaken, the files are (by default) stored rather than compressed. However, I devised my own "compression" tool for JAR's and it works really great, adds 10% compression (at least) AFTER an obfuscator and ZIP compression were applied!!

  Debug is more a tool you'd use to modify and write out the contents of a program rather than a disassembler.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 9703801
>>Jar's are not always compressed

AFAIK they are - maybe you're thinking of TARs?

>>
Debug is more a tool you'd use to modify and write out the contents of a program rather than a disassembler
>>

I never said its disassembly abilities were anything more than rudimentary - but you *can* disassemble with it ;-)
0
 
LVL 9

Expert Comment

by:doronb
ID: 9703815
Yes, you can disassemble with it :)

First tests I did with JAR's (don't remember the JDK though!) concluded stored files and not compressed.
0
 
LVL 35

Expert Comment

by:girionis
ID: 9706444
 dorond: thanks for the links :)

0
 
LVL 9

Expert Comment

by:doronb
ID: 9707447
You're welcome girionis, that'd be 50 points... j/k :)
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 9707461
Are you thinking of going into the cracking business g? ;-)
0
 
LVL 9

Expert Comment

by:doronb
ID: 9709157
CEHJ, are you asking me or girionis? :)
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 9709698
girionis ;-)
0
 
LVL 35

Expert Comment

by:girionis
ID: 9709948
 Hehe CEHJ, nope :)

  I got the terms confused, I meant to say it's not possible to *decompile* it instead of *disassemble* it  ;)
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 9709965
I think there may well be programs around that can produce actual C code rather than mere assembler.
0
 
LVL 9

Expert Comment

by:doronb
ID: 11438294
If think that other than my wife who just said: "Don't drop'em!"  everyone who participated and contributed information that would've helped the asker should get some points :) As to how to divide the points, I leave that to you.
0
 
LVL 9

Expert Comment

by:doronb
ID: 11507061
Thanks, I concur :)
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
why cannot we forward request once the response is committed 2 46
tomcat not starting 6 68
Problem to Alipay 10 45
Html Table Looping (part 2) 5 27
Java contains several comparison operators (e.g., <, <=, >, >=, ==, !=) that allow you to compare primitive values. However, these operators cannot be used to compare the contents of objects. Interface Comparable is used to allow objects of a cl…
By the end of 1980s, object oriented programming using languages like C++, Simula69 and ObjectPascal gained momentum. It looked like programmers finally found the perfect language. C++ successfully combined the object oriented principles of Simula w…
Viewers will learn about basic arrays, how to declare them, and how to use them. Introduction and definition: Declare an array and cover the syntax of declaring them: Initialize every index in the created array: Example/Features of a basic arr…
This tutorial will introduce the viewer to VisualVM for the Java platform application. This video explains an example program and covers the Overview, Monitor, and Heap Dump tabs.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question