WebApp Sec mailing list archives

Re: HTML/Java Protection


From: Mark Quinn <cheeky.mini () gmail com>
Date: Tue, 20 Sep 2005 10:01:32 +0100

AFAIK, there is currently no way in the standard applet runners to
encrypt your class file or anything similar -- I'm sure I'll be
corrected quickly enough if I'm wrong on this -- however one of the
best things you can do to make your decompiled code a lot more
impenetrable is to obfuscate it.

Most people's preferred obfuscator these days seems to be ProGuard
 ( http://proguard.sourceforge.net/ )
Whilst your class is still decompilable, all token names will be
replaced with one- or two-character versions that raise the stakes in
understanding and successfully modifying the decompiled code.

   [ProGuard is a free Java class file shrinker, optimizer, and
   obfuscator. It can detect and remove unused classes, fields,
   methods, and attributes. It can then optimize bytecode and remove
   unused instructions. Finally, it can rename the remaining classes,
   fields, and methods using short meaningless names. The resulting
   jars are smaller and harder to reverse-engineer.]

Also consider techniques such as adding checks to checksum the code
or classes (or to look into sensitive classes by reflection), if
possible, and behave differently if you don't read the correct
checksum. Also be sure to look closely at how you are sending data to
the server (if you have a client-server app) and try to restrict the
server-side component to only respond to *valid* and possibly
*verified* requests from *your* client.


On 19 Sep 2005 17:01:42 -0000, confusionvalley () netcabo pt
<confusionvalley () netcabo pt> wrote:
Hello all,

I'm currently developing a Java applet and I want to protect the .class from being downloaded.
It's very easy to download the .class file... just check the HTML code and get the class name which will be loaded... then with a download program you can get the class file and decompile it to get the source code.
The real objective is to protect the source code from the html and not so grabbers.
Any idea to protect the html/java?

Best regards,
  Nuno
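
The class checksum check suggested in the reply above, as an added example (not code from either poster). `ClassChecksumDemo` and `LicenseLogic` are hypothetical names, and the expected digest is computed at startup here, whereas a real build would record it after obfuscation and ship it separately.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ClassChecksumDemo {

    /** Hypothetical stand-in for a sensitive class whose bytecode is verified. */
    static class LicenseLogic {
        static boolean isLicensed() { return true; }
    }

    /** Read a class's bytecode exactly as its class loader serves it. */
    static byte[] classBytes(Class<?> c) throws IOException {
        String resource = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) throw new IOException("class resource not found: " + resource);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }

    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** True when the bytecode hashes to the expected digest (constant-time compare). */
    static boolean matches(byte[] bytecode, byte[] expected) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(sha256(bytecode), expected);
    }

    public static void main(String[] args) throws Exception {
        byte[] original = classBytes(LicenseLogic.class);
        // Assumption: stands in for a digest recorded at build time, after obfuscation.
        byte[] expected = sha256(original);

        // Constructed tampering: flip one bit in a copy of the class file.
        byte[] patched = original.clone();
        patched[patched.length - 1] ^= 0x01;

        System.out.println("untouched class matches: " + matches(original, expected));
        System.out.println("patched class matches:   " + matches(patched, expected));
    }
}
```

The check itself ships in the same decompilable client, so it only raises the cost of modification; the server-side validation mentioned in the reply still has to hold without it.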


