All geek questions in one place

Secure Java from reverse engineering using industry-grade encryption

Goal:

Protect my Java application from reverse engineering.

Idea:

  • split the program into two halves (loader and program)
  • the loader will be a regular bank
  • the program will be an encrypted jar file (bouncycastle, AES?)
  • the bootloader requests a secure server (https) for the key to decode the program.
  • the loader then decodes the program and loads its classes

Questions:

Is the number 5 possible?
Has anyone here done this?
Do you know that the library is already available?
Can you identify the main pitfalls / would you do it differently?

Extra

I know that it is impossible to prevent the complete reverse development of code.
I just want to make it more difficult and more traceable.

+6
source share
1 answer

This is very possible with Class Loaders. But it is still very easy to decode your program. All you have to do is change the bootloader to write all the classes to disk before it loads them into memory using your regular ClassLoader.

Update

If the bootloader is what your users can do, I just need to decompile and replace the bootloader JAR file to dump the classes to disk. Not only that, I'm sure there must be something that can take a JVM memory dump and dump all the loaded bytecode.

If the bootloader is located on a locked machine in which users cannot access, then what example of use are you trying to solve?

The "solution" to these problems:

  • Use the advanced Obfuscator, which is designed to break decompilers.
  • Prevent access to JAR files. Either through the ACL on the machine, or using the remote server to execute the code that you want to protect. Essentially, this works with web applications. There may be significant amounts of IP or processing that Stackoverflow performs, but we will never have access to server processing as a result of user experience output.
+1
source

Source: https://habr.com/ru/post/911345/

More articles:


All Articles