Is Java easy decompilation a factor worth considering
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
We are considering the programming language for a desktop application with extended GUI use (tables, windows) and heavy database use. We considered Java for use however the fact that it can be decompiled back very easily into source code is holding us back.
There are of course many obfuscators available however they are just that: obfuscators. The only obfuscation worth doing we got was stripping function and variables names into meaningless letters and numbers so that at least stealing code and renaming it back into something meaningful is too much work and we are 100% sure it is not reversible back in any automated way.
However as it concerns to protecting internals (like password hashes or sensible variables content) we found obfuscators really lacking.
Is there any way to make Java applications as hard to decode as .exe counterparts?
And is it a factor to consider when deciding whether to develop in Java a desktop application?
Solution
Java is relatively easy to decompile back into legal Java code and with the abundance of programs capable of doing so it should definitely be a deciding factor whether to make use of Java for desktop applications. Albeit true that obfuscators do a good job at making it hard to make sense of your code it should be considered that if the data you are trying protect to is valuable enough it can and will be found.
No matter what you write your application in there will always be the chance of your application being reverse engineered. For instance if you write your program in Assembly it will take some effort but it can still be reverse engineered into compilable/understandable source. When choosing what language to write your application in you should consider how much effort it will take to reverse engineer you app with Java and C# being one of the easiest and C and Assembly being the hardest.
You can also attempt to hide sensitive data in the app/code by making use of the following techniques:
- Encrypt variable data and have it decrypted at runtime.
- Encrypt the entire executable section of your application and decrypt it at runtime using an unpacker (this is not the best option as it will result in AV software thinking your application is a virus)
- Make sure buffers containing sensitive data are nulled after use.
- Keeping sensitive data on a remote server and make use of SSL to download it at runtime.
I hope this answers your question.
OTHER TIPS
Yes, you can make Java programs arbitrarily hard to decode. It depends on how much you want to do it and how much time and skill you have in pursuing this goal.
First, obfuscation is pretty good. Apart from mangling names it is possible to distort the code flow to the point where making sense of how a program works, what algorithm it uses and how it manipulates its data is just as hard as an optimised C++ program.
Second, it is very straightforward to disguise key data. As good developers of internationalised and configurable software you already store your data separately from your code, in resource files or something similar. The C++ programmer does something similar. You can easily encrypt that data using an algorithm and key buried deeply in the code.
Although my experience of this is in languages other than Java, you can arrange for chunks of code to be stored in encrypted form and decrypted when loaded into memory.
In these days of continuous Internet connection you can retrieve the code and keys you need dynamically from the 'net, and protect them with certificates. That's what Microsoft does with its store apps.
All of this is perfectly possible, and the game developers are doing it right now. On the other side are legions of hackers just waiting for the next release to wheel out their in-memory debugging tools and be the first to announce a crack.
You should wish that your software becomes well-known enough and valuable enough to attract this kind of attention. I have always focused first on solving the problem that no-one has heard of my software. If I am ever fortunate enough to have millions of hackers trying to break my programs, I am sure I shall have the resources to give them a good run.
