WebApp Sec mailing list archives
Re: HTML/Java Protection
From: Mark Quinn <cheeky.mini () gmail com>
Date: Tue, 20 Sep 2005 10:01:32 +0100
AFAIK, there is currently no way in the standard applet runners to encrypt your class file or anything similar -- I'm sure I'll be corrected quickly enough if I'm wrong on this -- however, one of the best things you can do to make your decompiled code a lot more impenetrable is to obfuscate it.

Most people's preferred obfuscator these days seems to be ProGuard ( http://proguard.sourceforge.net/ ). Whilst your class is still decompilable, all token names will be replaced with one- or two-character versions that raise the stakes in understanding and successfully modifying the decompiled code.

[ProGuard is a free Java class file shrinker, optimizer, and obfuscator. It can detect and remove unused classes, fields, methods, and attributes. It can then optimize bytecode and remove unused instructions. Finally, it can rename the remaining classes, fields, and methods using short meaningless names. The resulting jars are smaller and harder to reverse-engineer.]

Also consider techniques such as adding checks to checksum the code or classes (or to look into sensitive classes by reflection), if possible, and behave differently if you don't read the correct checksum.

Also be sure to look closely at how you are sending data to the server (if you have a client-server app) and try to restrict the server-side component to only respond to *valid* and possibly *verified* requests from *your* client.

On 19 Sep 2005 17:01:42 -0000, confusionvalley () netcabo pt <confusionvalley () netcabo pt> wrote:
Hello all,

I'm currently developing a Java applet and I want to protect the .class from being downloaded. It's very easy to download the .class file.. just check the HTML code and get the class name which will be loaded.. then with a download program you can get the class file and decompile it to get the source code.

The real objective is to protect the source code from the html and not so grabbers.

Any idea to protect the html/java?

Best regards,
Nuno
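
The class-checksum check suggested in the reply above, as an added example that is not part of the original message: it reads a class file through the class loader, hashes it with SHA-256 and compares the result with a recorded digest. The names `ClassChecksum`, `classBytes` and `matches` are hypothetical, and the expected digest is derived at run time here only so the demo is self-contained.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ClassChecksum {

    // Read the bytes of a class file exactly as the class loader serves them.
    static byte[] classBytes(Class<?> c) throws IOException {
        String resource = "/" + c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("class file not readable: " + resource);
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // True when the bytes hash to the digest recorded at build time.
    static boolean matches(byte[] bytes, byte[] expected) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(sha256(bytes), expected);
    }

    public static void main(String[] args) throws Exception {
        byte[] original = classBytes(ClassChecksum.class);
        // Assumption: in a real build this digest is computed after obfuscation
        // and shipped in a different class; here it is derived at run time.
        byte[] expected = sha256(original);

        byte[] patched = original.clone();
        patched[patched.length - 1] ^= 0x01; // constructed one-bit modification

        System.out.println("untouched class matches: " + matches(original, expected));
        System.out.println("patched class matches:   " + matches(patched, expected));
    }
}
```

The check lives in the same decompilable code it protects, so it raises the cost of modification rather than preventing it. The server-side validation of requests mentioned in the reply is the control that does not depend on the client staying intact.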