Recommendation for a Java Obfuscator

Laura Heinzmann - 20 Apr 2006 00:20 GMT
We have a little Java class file to ship to a client - it will be
packaged in a JAR.

For security reasons the class file has to be prevented from being
decompiled.

Can anyone recommend a free obfuscator? It has to be free as we have
next to zero budget and it will be used extremely infrequently.

When we ship the JAR to the client, will they need to have any info on
the obfuscator?

Thanks for your help.
Pavel - 20 Apr 2006 01:42 GMT
> We have a little Java class file to ship to a client - it will be
> packaged in a JAR.
[quoted text clipped - 9 lines]
>
> Thanks for your help.

Laura,

Up until recently, I was using RetroGuard (http://www.retrologic.com/).
It was an outstanding tool, and easily integrated into Eclipse through
means of External Tools. But then when I hit their website for the
latest update, I found that they now charge $139/yr for the
non-commercial version. Well... I'm cheap, and I knew Open Source would
come through.

This led me to ProGuard which was actually spawned from RetroGuard.
And, seeing as it's licensed under GPL it also fits within my budget
constraints.

You can find it at:
http://proguard.sourceforge.net/

You definitely want to read the documentation, and decompile the end
result yourself until you feel "safer" about what you've done.  I say
"safer", because a reverse engineer with a keg of coffee, and nothing
better to do with their time is going to be able to make out what you've
done.  But, hey, I wouldn't know anything about that.... heheheh.

And, no, provided you do it right, the client doesn't need to know about
the obfuscator.

Regards,
Pavel

<INSERT PLUG HERE> : Special thanks to Mark Welsh, Dirk Schnelle, Eric
Lafortune, and anyone else that maintains and donates to the ProGuard
project.  Open Source would be 10000 times better if there were more
donations.
Roedy Green - 20 Apr 2006 01:52 GMT
> We have a little Java class file to ship to a client - it will be
> packaged in a JAR.

For a list of candidates, see
http://mindprod.com/jgloss/obfuscator.html

Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

Boris Gorjan - 20 Apr 2006 09:47 GMT
> For security reasons the class file has to be prevented from being
> decompiled.

That "doesn't compute". I'll tell you why.

You should not rely on an obfuscator for security. Maybe for protection of your
code (IP), but even that is just walking on thin ice. Security should be dealt
with in a different way. You should use cryptosystems for this purpose.
Cryptosystems don't rely on privacy/secrecy of algorithms (that's sometimes
called security through obscurity:
http://en.wikipedia.org/wiki/Security_through_obscurity ), but rather on
privacy/secrecy of a key (or keys) used.

(Some might argue that keys are a part of an algorithm, but for the sake of this
argument, let's say keys are input for an algorithm.)

Don't get me wrong, though. You don't have to open source your ( super duper ;-)
) code/algorithm. But you shouldn't take it for granted that nobody will ever
figure it out, either.
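
The point above, that secrecy belongs in a key and not in the shipped code, can be turned into a pre-ship check. The following is an added example, not part of the thread and not code from any obfuscator project: it lists the string constants stored in a class file's constant pool, which is where a hard-coded key or password ends up. The class name `ConstantPoolAudit` and the `SAMPLE_KEY` value are hypothetical and constructed for the demonstration.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical names): audit what a class file carries in clear text.
public class ConstantPoolAudit {
    // Constructed sample value standing in for a hard-coded secret.
    static final String SAMPLE_KEY = "constructed-sample-key-1234";

    // Returns every CONSTANT_Utf8 entry (names, descriptors, string literals).
    static List<String> utf8Constants(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readUnsignedShort();                  // minor_version
        in.readUnsignedShort();                  // major_version
        int count = in.readUnsignedShort();      // constant_pool_count
        List<String> found = new ArrayList<>();
        for (int i = 1; i < count; i++) {        // valid indexes are 1..count-1
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: found.add(in.readUTF()); break;      // Utf8: u2 length + bytes
                case 3: case 4: in.readInt(); break;         // Integer, Float
                case 5: case 6: in.readLong(); i++; break;   // Long, Double take two slots
                case 7: case 8: case 16: case 19: case 20:   // Class, String, MethodType, Module, Package
                    in.readUnsignedShort(); break;
                case 9: case 10: case 11: case 12: case 17: case 18: // member refs, NameAndType, (Invoke)Dynamic
                    in.readInt(); break;
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break; // MethodHandle
                default: throw new IOException("unknown constant tag " + tag);
            }
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Pass the path of the class you intend to ship; with no argument it audits itself.
        try (InputStream in = args.length > 0 ? Files.newInputStream(Paths.get(args[0]))
                : ConstantPoolAudit.class.getResourceAsStream("ConstantPoolAudit.class")) {
            if (in == null) throw new IOException("class bytes not found");
            for (String s : utf8Constants(in)) {
                System.out.println(s + (s.equals(SAMPLE_KEY) ? "   <-- constructed sample literal" : ""));
            }
        }
    }
}
```

Compile it with `javac` and run it against the class extracted from the JAR, before and after obfuscation, to compare what each version exposes.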

