obfuscating java web applications

Question

From what I understand, obfuscating a java web application will just make it a little harder to read your application, but reverse engineering is still possible.

My goal is just to make it very difficult to read, and not be able to decompile and run (not sure if that's possible, I guess it will still run just with ugly variable names??)

So variable names like:

String username = "asdfsadf";

will become

String aw34Asdf234jkasdjl_asdf2343 = "asdfsdaf";

Is this correct:

1. public classes and variables will remain unchanged
2. ONLY private strings/classes/methods can be renamed
3. string encrytion can be used for some sensitive string data like encryption keys etc.

Really my goal is so that someone can't just decompile and release the code.

Answer 1

No amount of obfuscation can protect you against "decompile & compile again" (without trying to understand what the code does). Decompilers don't care for unreadable variable names, nor do compilers.

Incidentally, if someone has access to your code, they don't need to decompile it to use it.

So the question is really: What do you want to achieve? When you know that then you can go to the next question: How much does it cost and how much money can I earn?

Usually, that equation is: You can't save/earn any money from obfuscation but doing it costs you time and money (good obfuscators aren't free). So it's a negative ROI.

Instead, try this approach: Create a great product (so people will feel it's justified to pay for it), fix bugs quickly (-> the thieves have to steal your work again and again just to keep up), add new features. That way, honest consumers have reason to buy from you.

If you plan to get money from thieves and criminals, well, forget it. They don't want to pay you, no matter what. You can make their lives a little bit harder but at a cost.

Answer 2

http://www.excelsior-usa.com/protect-java-web-applications.html

Disclaimer: I work for Excelsior.

http://www.arxan.com/products/server/guardit-for-java/

Disclaimer: I don't work for Arxan.

Answer 3

Web applications run server side. Clients will not see the code unless you mess things up.

Answer 4

You cannot prevent java code from being decompiled and run. Even if it is obfuscated, there may be people out there that are still able to figure out what your code is doing, despite the obfuscation. Everything you publish can be reverse engineered.

There exist even much stronger efforts in other languages to prevent decompiling and debugging, disk copy protection solutions for example, and even they get reverse engineered and hacked frequently.

If you don't want people to reverse engineer your code, let it run server side only, don't publish it and try to harden the server as much as possible.

Answer 5

There are plenty of good Java obfuscators which will do what you say, and much more. Here are some from google:

• ProGuard
• yGuard
• JODE

Although these will make it much more difficult to read the decompiled code (and some decompilers will refuse to even try), keep in mind that it is always possible for someone to reverse-engineer the code if they have the binary, and are knowledgeable and patient enough.

Answer 6

The problem here is that the code needs to be in proper java syntax when you compile it. So no matter what obfustication you applied, if I have access to even just the bytecode I can figure out a way to reconstruct the source.

(http://www.program-transformation.org/Transform/JavaDecompilers#Java_Bytecode_Decompilers)

What you would need to do is keep the proprietary part of the software in such a place that your pirates would not be able to see it. As far as I am aware, that is the ONLY way to avoid hijacking your software.