Link to home
Start Free TrialLog in
Avatar of CodeSnipper
CodeSnipper

asked on

Java Application USB Dongle

I would like to protect my java application. Only user with usb dongle can use it. But something very disappointing is java can be decompiled. Seems like there is no way to really protect it. Any experienced java programmer can decompile the application and find the portion the control usb dongle and bypass it.

Is there other way to protect java application ?
Avatar of CEHJ
CEHJ
Flag of United Kingdom of Great Britain and Northern Ireland image

You can raise the bar to reverse engineering by using a Java obfuscator
not without using a secure classloader, zelix help http://www.zelix.com, but still easy enough to workaround especially in your situation.
Avatar of CodeSnipper
CodeSnipper

ASKER

CEHJ,

Java obfuscator can stop beginner java programmer. A determined programmer still can hack the code. It is just a matter of time :)

You wouldn't even need to be that determined :)  
you really need something stronger than the protection provided by the usb dongle.

Depending on the nature of the application, you might be able to compile to a native executable with gcj. That would make it much harder to reverse engineer
CEHJ,

Hmmmm. I think gcj is very similiar to JSmooth. Let's me try it out.
CEHJ,

gcj needs run0tim lib to run the compiled application, where JSmooth will wrap everything into single file to run.
No: although i don't really know JSmooth, i can see from the blurb that it's just an exe wrapper. That will do little more than save someone the bother of executing the vm directly. It will be encapsulated into an exe file that most probably contains a verbatim copy of the class file(s).

gcj is completely different: it produces full native executables. There is essentially no Java left. This can be compiled both with and without (statically) shared libraries
CEHJ,

gcj does not support full set of java. Is there a list of supported classes ?
ASKER CERTIFIED SOLUTION
Avatar of Thomas4019
Thomas4019
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
gcj is still going to be (a lot) less secure than your dongle, and is very limited in capabilities. We've never found it to be actually useful for anything more than toy applications.
I would recommend Excelsior JET,
I used it before & its promising that is if you dong mind the hefty price tag & it does not work on Mac.
It also uses a different type of VM. The earlier versions that I used produced a huge executable file that it did not fit our small usb drive (32 MB at that time), the newer versions would strip the unused part of the jvm, thus the exe's are smaller.

You could also wrap your classes into 1 big EXE file that extracts to memory & runs the application with the standard JVM.

If you are a little exited, you could try IKVM & explore .Net options, that it would be slightly harder to decompile if the output is static & symbols removed.




The particular 'toy application' i use gcj for btw, is Eclipse, which i run after it's been compiled to native code with gcj ;-)
CEHJ, have you tried gcj on Solaris & Mac/Osx?
Im curious to know its support for GUI/X applications.
No - only on Linux
Its support is limited, and its more crackable than a dongle.
What get cracked are application binaries, so the dongle has very little to do with it unless it's a special dongle with its own encryption system. In fact, if anything, using the dongle would theoretically make the app more crackable because of the usually relatively primitive file system on usb sticks