Secure a jar file / java app

I have to distribute a Java app, and am required to make it difficult to reverse engineer.  Having taken the app.jar file through a decompiler, I can see most of the code easily!, my boss would not want that!

Are there any easy to use tools out there to encrypt the jar file, and maybe embed the encrypted version into a .exe file, so there isn't much to look at?  The app uses additional .jar libraries, most of the additional jar libraries do not need to be "secured", but it would be nice to be able to secure some of them.

I'm looking at jar2exe by regexlab, and haven't gotten it to work yet (and still don't know if it has just one encryption key for all of its users, or if I can generate/specify any encryption keys myself)

Other solutions I read about are similar, with "write your own class loader".  I don't know how to do this, but if it's easy and there's sample code to do it, I would consider it.  I can also add some C++/dll code in the mix if it helps.

All ideas are welcome, I will divide the points between all the useful comments.  I know you can't completely protect/hide things, but whatever I can do to make it more difficult would be good.
amp834Asked:
Who is Participating?
 
wannabetechieCommented:
You can try obfuscating the code and this link provides you an useful obfuscator

http://www.retrologic.com/retroguard-main.html
0
 
Pramod KumarCommented:
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

 
amp834Author Commented:
Thanks for the links, I am looking at them  (The decompiler will be handy, too, thanks).

I will probably go with an obfuscator plus and encryptor.  

There are so many obfuscators, including many free and open-source ones, can someone give me some criteria to look for when choosing one?  And your experience with using them?

The project I'm working on has about 200 classes, most of them are not used by reflection.

At the minimum, I would like to decrypt stack traces to the original source.


Also, is there a good way to "hide" the additional/library .jar files, so the end user can't EASILY figure out what libraries the application uses?  Perhaps I should just obfuscate them, but I thought I'd ask in case there are other ideas out there.
0
 
amp834Author Commented:
Can anyone share their experience with different obfuscators?
0
 
wannabetechieCommented:
1) Any of the  obfuscators mentioned in the precious comments would work for your 200 classes.
    Though i dont understand this "obfuscator plus and encryptor". An obfuscator essentially produces a file which is still functionally similar to your original class so i don't know how you can encrypt a class file.
2) The libraries you are using can be obfuscated only if their EULA allows you to do it.

I'm afraid there is no silver bullet(atleast not that i'm aware of) for protecting the java class files.I think you cannot completely prevent reverse engineering if the code is available in some form in the client location.

Another list of obfuscators for you :-)

http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/

I've used only retroguard and my need was very basic.
0
 
amp834Author Commented:
Thanks wannabetechie.

Can anyone else share their actual experience with different obfuscators?
For example, does an obfuscator translate call stacks and line numbers to the developer can see the real call stack?  What are the logistics to be able to do that?
 
0
 
rumi78Commented:
After obfuscatoing your code the stack trace will look like

_adf.xx(Compiled Code)
_adx.xy(Compiled Code)
....

Stack trace information (like line numbers) will not be added to compiled code.

rgds
rumi
0
 
amp834Author Commented:
I could really use some help in deciding which obfuscator to use.  It will take too long to try every one!  (I'm leaning towards ProGuard)

the list from wannabetechie has several good options.

http://www.zelix.com/klassmaster/docs/index.html
commercial, $200, seems well maintained

yGuard looks good, and it's free.  does anyone have any experience with it?
Its documentation is straightforward.
http://www.yworks.com/products/yguard/yguard_ant_howto.html#deobfuscation
(http://java-source.net/open-source/obfuscators says that yGuard is an improved version of RetroGuard)

Proguard seems to be currently maintained, free/open source
http://proguard.sourceforge.net/index.html#/alternatives.html says:
There are quite a few Java class file shrinkers, optimizers, obfuscators, and preverifiers out there. Users of ProGuard tell me it easily compares with the best of them. However, you may want to check that out yourself.


Retroguard's documentation is very confusing; free for open source, else $140/yr commercial



0
 
objectsCommented:
if you want something free then I'd suggest going with proguard
0
 
amp834Author Commented:
The others aren't that expensive either, I'm looking for some way of deciding which one will work well and give me the fewest problems.  All of them seem to have the ability to store the map table, so they can decode a traceback.

If I don't get any particular suggestion why one is better than the other, maybe I will start with ProGuard.
0
 
amp834Author Commented:
ok, I finally played with ProGuard.  One problem is it doesn't rename resources associated with forms (made from Netbeans's form editor, which loads i18n resources with resources/<classname>.properties file for each form)

Does anyone have a good workaround for this?

What about other obfuscators, do they work ok with forms made with Netbeans?
0
 
Kevin CrossChief Technology OfficerCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.