Security of Java source code?

[BenRussell]

I am working on a program/script in which I wanted to write in Perl. However, this is not possible since I want to keep the source code secure instead of releasing it open source. I want to release the program in a compiled form in which the source code cannot be revealed.

Is Java a viable candidate for this? I have seen various articles about the possibilities of reverse engineering, etc. Just how easy/effective is it to reverse engineer a java program?

- Ben

 

[h0h0h0]

Most any compiled program is susceptible to reverse engineering.

If you truly don't want the source code to be leaked your best bet is to have a webservice expose your functionality to the world. That way the code sits on a server and nobody really has access to the compiled library/executable.

If exposing your functionailty via the web isn't possible due to the nature of the app then you have the option of running an "obfuscator" on the compiled code. The obfuscator will change around the bytecodes in your compiled code so that the same functionality will be there but functioncall names, sourcecode is all changed around. WHen someone decompiles obfuscated code the resulting code is really very useless because the logic has been really "obfuscated".

But again - you always run a risk of having code decompiled once you let it free - Java, VB, .NET, C++... any of these platforms..

Look up obfuscating java bytecode or .net bytecode for more information on these tools.

 

[stefanwagner]

I like to amend: It will depend on the source and on the decompiler.
I don't know how good decompilers are on Java-1.5 code.

Obfuscators sometimes get problems with reflection, but I don't know how up to date that information is.

seeking a job as java-programmer in Berlin:

http://home.arcor.de/hirnstrom/bewerbung

 

[h0h0h0]

Right - Ben if you're looking for total security when deploying a compiled dll it doesn't exist. You can only make it tougher for other people to get at it. Don't let it stop you though!

IANAL but you have legal recorse if you state in your license agreement that "you the user will not tamper, modity, reverse engineer, decompile the code in anyway"

 

[sedj]

Release the code as open source - give to the community, don't just take !

--------------------------------------------------
Free Java/J2EE Database Connection Pooling Software

http://www.primrose.org.uk

 

[BenRussell]

Thanks so much for the advice! I will probably go ahead and make it in Java. Would C++ be more secure (source code wise), however?

The problem is that we are giving this software to foreign governments and so we really have no legal recourse if they breach contract.

- Ben

 

[h0h0h0]

Nah you should be ok with Java - but consult an IP lawyer about the agreements you need in place with your customers.

 

[sedj]

Bottom line is - if someone wants to decompile your code, then they will, whatever that language is.

All you have to do is google for a language decompiler and try it yourself. You've obfuscated the code ? So what ? Decompile that binary, and learn the obfuscating method, and apply it. If someone wants it bad enough, then they will get it.

Question is :
1) Is it such a ground-breaking piece of software that no-one else has ever written such a thing - or, actually, could someone just actually write it quite easily given the will ?

There is not a *lot* of software out there that is actually unique ...

--------------------------------------------------
Free Java/J2EE Database Connection Pooling Software

http://www.primrose.org.uk

 

[Diancecht]

And if they cannot decompile it, they can just wrap it and use it anyway.

Btw, I think there's a clear difference between compiled and interpreted language. It's much easier to decompile a .class file than an .dll or .so

Cheers,
Dian