• Post Reply Bookmark Topic Watch Topic
  • New Topic

Securing Java code.  RSS feed

 
Baseet Ahmed
Ranch Hand
Posts: 225
Java Notepad Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Salaam/Hi,

I would like to ask to questions here.

F:
How to make the java code(application) secured,such that it should not be converted back to source code from bytecode ?

S:
How to write java code(application) with particular expiry date. i.e to make the application as Evaluation version based ?

Regards
Baseet Ahmed
##############
Value of Parents
Jannat(Heaven) is under the feet of Mother.
Father is the middle gate of Jannat(Heaven).

[ ISLAM ]
##############
 
Rob Spoor
Sheriff
Posts: 21135
87
Chrome Eclipse IDE Java Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
What ahve you tried so far? We don't just provide you with all the answers. Read ShowSomeEffort and SearchFirst for more info.
[ June 18, 2008: Message edited by: Rob Prime ]
 
Peter Chase
Ranch Hand
Posts: 1970
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You need to decide what level of security you need.

There are a number of fairly simple approaches, some of which I've used myself, by which one can achieve a moderate level of security. So, you could prevent decompiling of the program by the usual straightforward method, or you could prevent launching of your application, by the usual straightforward method, after the expiry date.

If you want to go beyond this, so that not even a highly-skilled person with plenty of time could decompile your program, or run it after the expiry date, you are talking about a massively difficult task. As an ordinary programmer with no expertise in this area, you will fail, if you try to do it yourself. The only possibility is either to undertake very serious research (I'm talking years) or to take advantage of a serious proven product - which will likely be very expensive.
 
Baseet Ahmed
Ranch Hand
Posts: 225
Java Notepad Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Rob,

Appreciate, for the needful guide.

Rob/Peter,

But we have just plan for making one software(Application for our company) who will be useful for HR department.
The idea came into my mind that,once we developed it(using MVC or whatever pattern). Anyother(different department or hac) should not see the code.
As their are softwares who de(compile)java(opposite to javac) code.

For expiration,if possible,we will sell the product to other also with evaluation version(temporarily).

Now to come my question again, I am not asking the entire code for the same, I just need the hint/clues for the same.

If you want to go beyond this.

No.

We want only simple approaches/suggestions.


Regards
Baseet Ahmed
##############
Value of Parents
Jannat(Heaven) is under the feet of Mother.
Father is the middle gate of Jannat(Heaven).
[ ISLAM ]
##############
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Seems to me the best way to keep control is to make your full program functionality available only as a web service so the core logic runs only on a server you control.

Since this (Software as a Service) is a very hot area right now you have plenty of options.

Bill
 
Peter Chase
Ranch Hand
Posts: 1970
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by William Brogden:
Seems to me the best way to keep control is to make your full program functionality available only as a web service


I don't think that you can know whether this is a suitable option, from the information given.

However, I agree that, if selling the functionality as a service, rather than as an installable program, is compatible with the business model, then it is a good way of keeping its workings under your control.
 
Bill Shirley
Ranch Hand
Posts: 457
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I suspect you are more interested in your data being secure, not your program.

If you're program is written in a truly secure way (as opposed to an obscure way), you should be able to allow anyone to scrutinize the software.

(my soapbox for the day)
 
Paul Clapham
Sheriff
Posts: 22841
43
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The question I have is, what security breach can arise from somebody seeing your source code?
 
Baseet Ahmed
Ranch Hand
Posts: 225
Java Notepad Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you for giving useful tips/guideline.

Would like to further know about saving code(.java), because of privacy of the code oherwise anyone who got the class file, can use s/w for de-compilation.
I thought there might be some APIs who supports securing of source code.

the best way to keep control is to make your full program functionality available only as a web service so the core logic runs only on a server

Making program as web service, will achieve that the,client/any hacker on the net,cannot see the class file, as it will be resided on Server.

But what about if any other department having access on Server(Web/App) can go to the directory and look at the class file,and can do the de-compilation(which we don't want).

Else,if it is next to impossible that we cannot safeguard the code i.e bytecode -> java code is going to happen.
Then avoid it, and will try to secure it using password mechanism, if possible.

Secondly, for Expiration, what are the options left, if we make it as Web Service.

Regret, If I am not expressing the question clearly,that what we want.
Regards
Baseet Ahmed
##############
Value of Parents
Jannat(Heaven) is under the feet of Mother.
Father is the middle gate of Jannat(Heaven).
[ ISLAM ]
##############
 
Rusty Shackleford
Ranch Hand
Posts: 490
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Running the app as a web service in and of itself does not secure your application.

SQL Injection - Information disclosure, loss of date, corrupted database... This is the #1 exploit these days, even more exploited than buffer overflows.

Integer Overflow - Since Java handles this problem by ignoring it, it is extremely difficult to detect and deal with.

Command Injection - not too likely but if you carelessly use methods like Runtime.exec passing unscrubbed user input major havoc will ensue.

Bad error handling - There are lots of ways this can compromise security most notably, giving too much information on an exception could lead to giving an attacker enough info to craft other attacks.

Cross-site scripting # 2 security issue today

Abusing "hidden" fields

The list goes on...

Putting your software in a black box is not a security measure. Without starting a holy war, I think we can all agree that Windows is proof of this.

Given that the two most common methods of attacks target web services(but not exclusively) it should be clear that SAAS is also not a security measure.
[ June 19, 2008: Message edited by: Rusty Shackleford ]
 
Baseet Ahmed
Ranch Hand
Posts: 225
Java Notepad Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you for the information related to Application/Software Security.

But I was not asking about the security of application.
What I asked is securing java code i.e .class file to be prevented back into .java file. How ???
&&
Making our java program as an Evaluation Version (To be expired after particular period of days)

I had seen the securing code site, but is talking about securing application in terms of input validation, sql injection etc.

Is there any site/warehouse,where the needful information can be found ? or Somebody [of course JavaRancher(irrespective of the grade he has]) knows the tips for that.

Regards
Baseet Ahmed
##############
Value of Parents
Jannat(Heaven) is under the feet of Mother.
Father is the middle gate of Jannat(Heaven).
[ ISLAM ]
##############
 
Frank Tollenaar
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If you are afraid of people copying your code, add a copyright notice. If you don't trust your customers to comply to that, you should not be in the software-selling business.
Just my 2 cents
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!