Secure a jar file / java app

I have to distribute a Java app, and am required to make it difficult to reverse engineer.  Having taken the app.jar file through a decompiler, I can see most of the code easily!, my boss would not want that!

Are there any easy to use tools out there to encrypt the jar file, and maybe embed the encrypted version into a .exe file, so there isn't much to look at?  The app uses additional .jar libraries, most of the additional jar libraries do not need to be "secured", but it would be nice to be able to secure some of them.

I'm looking at jar2exe by regexlab, and haven't gotten it to work yet (and still don't know if it has just one encryption key for all of its users, or if I can generate/specify any encryption keys myself)

Other solutions I read about are similar, with "write your own class loader".  I don't know how to do this, but if it's easy and there's sample code to do it, I would consider it.  I can also add some C++/dll code in the mix if it helps.

All ideas are welcome, I will divide the points between all the useful comments.  I know you can't completely protect/hide things, but whatever I can do to make it more difficult would be good.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You can try obfuscating the code and this link provides you an useful obfuscator
Pramod KumarCommented:
Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

amp834Author Commented:
Thanks for the links, I am looking at them  (The decompiler will be handy, too, thanks).

I will probably go with an obfuscator plus and encryptor.  

There are so many obfuscators, including many free and open-source ones, can someone give me some criteria to look for when choosing one?  And your experience with using them?

The project I'm working on has about 200 classes, most of them are not used by reflection.

At the minimum, I would like to decrypt stack traces to the original source.

Also, is there a good way to "hide" the additional/library .jar files, so the end user can't EASILY figure out what libraries the application uses?  Perhaps I should just obfuscate them, but I thought I'd ask in case there are other ideas out there.
amp834Author Commented:
Can anyone share their experience with different obfuscators?
1) Any of the  obfuscators mentioned in the precious comments would work for your 200 classes.
    Though i dont understand this "obfuscator plus and encryptor". An obfuscator essentially produces a file which is still functionally similar to your original class so i don't know how you can encrypt a class file.
2) The libraries you are using can be obfuscated only if their EULA allows you to do it.

I'm afraid there is no silver bullet(atleast not that i'm aware of) for protecting the java class files.I think you cannot completely prevent reverse engineering if the code is available in some form in the client location.

Another list of obfuscators for you :-)

I've used only retroguard and my need was very basic.
amp834Author Commented:
Thanks wannabetechie.

Can anyone else share their actual experience with different obfuscators?
For example, does an obfuscator translate call stacks and line numbers to the developer can see the real call stack?  What are the logistics to be able to do that?
After obfuscatoing your code the stack trace will look like

_adf.xx(Compiled Code)
_adx.xy(Compiled Code)

Stack trace information (like line numbers) will not be added to compiled code.

amp834Author Commented:
I could really use some help in deciding which obfuscator to use.  It will take too long to try every one!  (I'm leaning towards ProGuard)

the list from wannabetechie has several good options.
commercial, $200, seems well maintained

yGuard looks good, and it's free.  does anyone have any experience with it?
Its documentation is straightforward.
( says that yGuard is an improved version of RetroGuard)

Proguard seems to be currently maintained, free/open source says:
There are quite a few Java class file shrinkers, optimizers, obfuscators, and preverifiers out there. Users of ProGuard tell me it easily compares with the best of them. However, you may want to check that out yourself.

Retroguard's documentation is very confusing; free for open source, else $140/yr commercial

Mick BarryJava DeveloperCommented:
if you want something free then I'd suggest going with proguard
amp834Author Commented:
The others aren't that expensive either, I'm looking for some way of deciding which one will work well and give me the fewest problems.  All of them seem to have the ability to store the map table, so they can decode a traceback.

If I don't get any particular suggestion why one is better than the other, maybe I will start with ProGuard.
amp834Author Commented:
ok, I finally played with ProGuard.  One problem is it doesn't rename resources associated with forms (made from Netbeans's form editor, which loads i18n resources with resources/<classname>.properties file for each form)

Does anyone have a good workaround for this?

What about other obfuscators, do they work ok with forms made with Netbeans?
Kevin CrossChief Technology OfficerCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.