Java Application USB Dongle

I would like to protect my java application. Only user with usb dongle can use it. But something very disappointing is java can be decompiled. Seems like there is no way to really protect it. Any experienced java programmer can decompile the application and find the portion the control usb dongle and bypass it.

Is there other way to protect java application ?
CodeSnipperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CEHJCommented:
You can raise the bar to reverse engineering by using a Java obfuscator
0
Mick BarryJava DeveloperCommented:
not without using a secure classloader, zelix help http://www.zelix.com, but still easy enough to workaround especially in your situation.
0
CodeSnipperAuthor Commented:
CEHJ,

Java obfuscator can stop beginner java programmer. A determined programmer still can hack the code. It is just a matter of time :)

0
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Mick BarryJava DeveloperCommented:
You wouldn't even need to be that determined :)  
0
Mick BarryJava DeveloperCommented:
you really need something stronger than the protection provided by the usb dongle.

0
CEHJCommented:
Depending on the nature of the application, you might be able to compile to a native executable with gcj. That would make it much harder to reverse engineer
0
CodeSnipperAuthor Commented:
CEHJ,

Hmmmm. I think gcj is very similiar to JSmooth. Let's me try it out.
0
CodeSnipperAuthor Commented:
CEHJ,

gcj needs run0tim lib to run the compiled application, where JSmooth will wrap everything into single file to run.
0
CEHJCommented:
No: although i don't really know JSmooth, i can see from the blurb that it's just an exe wrapper. That will do little more than save someone the bother of executing the vm directly. It will be encapsulated into an exe file that most probably contains a verbatim copy of the class file(s).

gcj is completely different: it produces full native executables. There is essentially no Java left. This can be compiled both with and without (statically) shared libraries
0
CodeSnipperAuthor Commented:
CEHJ,

gcj does not support full set of java. Is there a list of supported classes ?
0
Thomas4019Commented:
Exclesior JET is a java "jar" to "exe" converter. It does appear to be able to protect you code.

http://www.excelsior-usa.com/jet.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mick BarryJava DeveloperCommented:
gcj is still going to be (a lot) less secure than your dongle, and is very limited in capabilities. We've never found it to be actually useful for anything more than toy applications.
0
guneshrajCommented:
I would recommend Excelsior JET,
I used it before & its promising that is if you dong mind the hefty price tag & it does not work on Mac.
It also uses a different type of VM. The earlier versions that I used produced a huge executable file that it did not fit our small usb drive (32 MB at that time), the newer versions would strip the unused part of the jvm, thus the exe's are smaller.

You could also wrap your classes into 1 big EXE file that extracts to memory & runs the application with the standard JVM.

If you are a little exited, you could try IKVM & explore .Net options, that it would be slightly harder to decompile if the output is static & symbols removed.




0
CEHJCommented:
The particular 'toy application' i use gcj for btw, is Eclipse, which i run after it's been compiled to native code with gcj ;-)
0
guneshrajCommented:
CEHJ, have you tried gcj on Solaris & Mac/Osx?
Im curious to know its support for GUI/X applications.
0
CEHJCommented:
No - only on Linux
0
Mick BarryJava DeveloperCommented:
Its support is limited, and its more crackable than a dongle.
0
CEHJCommented:
What get cracked are application binaries, so the dongle has very little to do with it unless it's a special dongle with its own encryption system. In fact, if anything, using the dongle would theoretically make the app more crackable because of the usually relatively primitive file system on usb sticks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Java

From novice to tech pro — start learning today.