12 Replies Latest reply: Sep 18, 2012 3:23 AM by EJP

    how to secure code in java..

    rohit007
      I am writing a Java application / Java class library. Because of the open source nature of Java, everything is visible here (at least for me).
      Today I found a site, www.showmycode.com, which converts .class files to .java files, and now it seems to me that the library I create contains keys that are not secure: anyone can get the .class from my .jar and then get the .java from here. "Where is the security?" It's not visible to me.
      Please share your thoughts with me on how I can implement security in my Java library, what topics I need to read for this, and what resources Java has for the security of applications / security of libraries.
        • 1. Re: how to secure code in java..
          gimbal2
          There we go again :) A weekly topic that always ends up in "you can't. But I must! But you can't. But I must!"

          There is only one way to make it secure - make sure it never touches the client computer. Software as a service.
          • 2. Re: how to secure code in java..
            rohit007
            you gotta kidding me ha!!!!!!!! LOL
            OK, just tell me, "for the case of a Java class library", how can I try to secure the code?
            What I want is!!!
            "one can only use my methods by passing parameters rather than see what I implement inside"
            Just give me a hint.
            In the computer field nothing is secure, but still you should try to bother someone who is trying to break something!!!
            • 3. Re: how to secure code in java..
              gimbal2
              The best you can do when you make the huge security flaw to allow your application to touch the client computer is to obfuscate your code so it becomes "unreadable" after decompilation. That is not going to stop people from breaking and entering if they really want to. The good news there is that people very likely won't give a hoot about your stuff and won't attempt to.
              • 4. Re: how to secure code in java..
                EJP
                you gotta kidding me ha!!!!!!!! LOL
                No, he isn't kidding you, and antagonizing people who are trying to help you isn't a rational strategy. Please mind your manners here. It's in your own interest anyway, but these forums are moderated, and offensive posts are liable to summary removal without notice, sometimes the entire thread. Your terms of use and indeed your access to the site can also be compromised. All in all this sort of thing is really not in your interest.

                - Moderator
                • 5. Re: how to secure code in java..
                  939520
                  So what are these 'keys' used for that you are trying to protect? They wouldn't be passwords for a database, would they? What is the impact (financial, etc.) if some of your users gain access to those keys? Is it the keys you're worried about, or someone stealing your code (design)? If you describe your situation in more detail, someone may be able to help. Personally, I think a web application instead of a desktop application (assuming that's what you are doing) may be better since the code and any keys are back on the server, away from the clients.
                  • 6. Re: how to secure code in java..
                    rohit007
                    I did not want to disrespect!!!!!!! Next time I will try to keep command of my words. Sorry if it indicated impoliteness!!!!
                    • 7. Re: how to secure code in java..
                      morgalr
                      Java may be easier to get back to source, but in reality, there is no "safe way" to release code, so you should never put anything in it that you don't want viewed. That does not mean that there aren't ways to make it harder to view the code. Obfuscation is one thing that can be done, but you can be guaranteed that anything you do to make the code "unreadable" can be undone. I used to delight in going over code, decompiling it, or, at times, just fishing through the machine code bytes to see what was there.

                      I am one that subscribes to the idea that there is no such thing as security, anyone that really wants to break in or read a product or site is going to do it. It is a game we play as programmers that goes like this: how difficult can I make it so most people leave my site alone or do not steal my code? Once the idea comes out of your head, it's fair game for anyone that really wants to take the time and effort to steal it.

                      If you do not want people to have your code, do as already suggested: do not release it, make a web service and have it hosted on a site. Make multiple tiers of objects with your most sensitive being called with arguments from previous layers to allow them to do their jobs without the end user ever seeing it's there, where it's located, or really what it does--hide it, don't let the user see it.
                      • 8. Re: how to secure code in java..
                        949976
                        Hi,


                        I faced the same issue and I tried to secure my java code.

                        In that, I came across a technique called "obfuscation". By using this technique, your code will be shrunk; class names, method names and variable names will be renamed, and so the hackers can't get the data from your code.

                        There are many tools to do obfuscation in Java. The efficient tool is ProGuard.

                        You can refer to http://proguard.sourceforge.net/

                        It will be highly beneficial for you.

                        Regards,

                        M.Sivapreeya
                        • 9. Re: how to secure code in java..
                          EJP
                          In that, I came across a technique called "obfuscation".
                          That was mentioned six weeks ago. Do read the thread before you post.
                          • 10. Re: how to secure code in java..
                            848602
                            I agree with some posts above; recently, deploying Java as a service is a more popular approach. Not particularly because of code security, but the maintenance and usability of the application.

                            Not long ago writing a Java Swing desktop application gained a bit of popularity but it's getting a bit outdated now.

                            If code security is really important and you couldn't find any other way to secure your code in Java, consider writing your code in C++ maybe?
                            • 11. Re: how to secure code in java..
                              Kayaman
                              I doubt anyone wants to steal the code of someone who's posting in "New To Java".
                              • 12. Re: how to secure code in java..
                                EJP
                                Not long ago writing a Java Swing desktop application gained a bit of popularity but it's getting a bit outdated now.
                                I think you're just pontificating aimlessly here. How long ago? How much popularity? Outdated how? Since when? By what?
                                If code security is really important and you couldn't find any other way to secure your code in Java, consider writing your code in C++ maybe?
                                Speaking of outdated. The world these days is moving towards SaaS: Software as a Service; albeit at a glacial pace.
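
Added example, not part of the original thread: a check a library author can run on their own build to see what the replies above describe, namely that a key stored as a string literal sits in the .class file's constant pool and is still there after identifier renaming. The class name, field name and key are constructed placeholders, and the sample input is a hand-built class-file header and constant pool rather than compiler output.

```python
import struct

# Body size in bytes (after the tag byte) of each fixed-width constant-pool entry.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_literals(class_bytes):
    """Return every string literal (CONSTANT_String) stored in a .class file."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)  # after magic, minor, major
    utf8, string_refs, pos, index = {}, [], 10, 1
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            # Modified UTF-8 matches UTF-8 for ordinary text; odd bytes are replaced.
            utf8[index] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED:
            if tag == 8:  # CONSTANT_String: u2 index of the Utf8 entry holding the text
                string_refs.append(struct.unpack_from(">H", class_bytes, pos)[0])
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    return [utf8[i] for i in string_refs]

def _utf8(text):
    raw = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(raw)) + raw

def constructed_class(class_name, field_name, key):
    """Build the header and constant pool of a class file (constructed sample input)."""
    pool = [_utf8(class_name), b"\x07\x00\x01",              # 1: name, 2: Class -> 1
            _utf8(field_name), _utf8("Ljava/lang/String;"),  # 3, 4: field name and type
            b"\x05" + struct.pack(">q", 42),                 # 5-6: a long constant
            _utf8(key), b"\x08\x00\x07"]                     # 7: key text, 8: String -> 7
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 9) + b"".join(pool)

KEY = "CONSTRUCTED-KEY-0000"  # placeholder, not a real credential
PLAIN = constructed_class("com/example/LicenseCheck", "API_KEY", KEY)
RENAMED = constructed_class("a/a", "a", KEY)  # identifiers renamed, literal untouched

if __name__ == "__main__":
    print(string_literals(PLAIN), string_literals(RENAMED))
```

Because the parser reads only the header and constant pool, it can be pointed at each .class entry of a real .jar before release to list the literals that would ship to the client.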