• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Junilu Lacar
  • Liutauras Vilda
Sheriffs:
  • Paul Clapham
  • Jeanne Boyarsky
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Stephan van Hulst
  • Piet Souris
  • Carey Brown
Bartenders:
  • Jesse Duncan
  • Frits Walraven
  • Mikalai Zaikin

What's the best commercial installer application for Java Desktop?

 
Ranch Hand
Posts: 494
Eclipse IDE Postgres Database Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,

Currently i'm considering to purchase a installer application for Java.
As we know that there are some software available in the market which offers Encrypt/Decrypt on executable jar.
Which means the byte codes will be decrypted first, but before the JRE run the decrypted byte code, the when it's being executed. I consider it as "Decryption on the fly", I think this idea is awesome.
What do you think about this idea?
May i know your opinion or suggestion regarding which installer application that is the best in their class?

Thanks for sharing.

Leonardo
 
Rancher
Posts: 43028
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have no opinion on the products that use such an approach, but I want to point out that this merely makes it harder to reverse-engineer the source code - it doesn't make it impossible.
 
Bartender
Posts: 1210
25
Android Python PHP C++ Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Leonardo,

Leonardo Carreira wrote:
Which means the byte codes will be decrypted first, but before the JRE run the decrypted byte code, the when it's being executed. I consider it as "Decryption on the fly", I think this idea is awesome.
What do you think about this idea?
Leonardo


Although encryption looks like a good idea on the surface, the weak point is that all class definitions have to be introduced into a JRE through its ClassLoader.defineClass() method.
The encrypting software most likely provides a custom ClassLoader that decrypts on the fly, but it has to always call this JRE defineClass() to have its decrypted class added to the JVM.
defineClass() expects to receive the class bytecode in an unencrypted form.
So using a debugger, or tools like btrace or a simple java agent that uses instrumentation API, it's quite trivial to get to the unencrypted bytecode and decompile it, without even a decryption key.

As far as I know, this is how all classloaders have to work, atleast in the Oracle JRE. So I don't think encryption will provide the level of protection it appears to do so at first.
 
Leonardo Carreira
Ranch Hand
Posts: 494
Eclipse IDE Postgres Database Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Ulf,

Thanks for the thought given.


Hi Karthik,

Wow.. that's a surprise for me knowing that there's btrace project, which can trace the byte code being loaded.
Ok. What if i combine the methods, obfuscating the jar first and then encrypting the jar?
Will that give some additional protection?

Thanks,
Best regards,

Leonardo
 
Bartender
Posts: 11497
19
Android Google Web Toolkit Mac Eclipse IDE Ubuntu Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Not actually a GUI question. Moving to a more appropriate forum
 
Karthik Shiraly
Bartender
Posts: 1210
25
Android Python PHP C++ Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Leonardo Carreira wrote:
Ok. What if i combine the methods, obfuscating the jar first and then encrypting the jar?
Will that give some additional protection?


As Ulf already points out, such tricks like obfuscating+encrypting make it (slightly) harder, but nowhere near impossible, for a determined hacker.
Since it's a commercial installer, perhaps you can ask their helpdesk whether their product is not vulnerable to this problem.

I feel effectiveness of obfuscation depends on what you want to hide.
It's probably more effective if you have lots of business logic code you want to hide.
But if its real goal is to hide just a single method that does some kind of license check logic, then a hacker has to just tamper that single method's bytecode return value to always return "license_ok" or "true" or whatever; obfuscation is not that effective here.


Some other approaches that come to my mind, but they all vary vastly in expertise, effort and time required:
- consider deploying the functionality as a web application

- consider making the logic highly data driven, and concentrate on ways to securely download and encrypt the data instead of the code. That way, even if the code is reverse engineered, it may not be very useful

- try out other JVM implementations. An obscure JVM may be more difficult to debug, since tool support will not be mature.

- deploy your desktop app with your own modified version of OpenJDK or GCJ runtimes (both are open source) that overcomes this problem, perhaps by decrypting somewhere deeper in the JVM. There may be buyers out there for this kind of secure JVM, assuming there are no license restrictions against selling such a product.
 
Marshal
Posts: 5362
325
IntelliJ IDE Python Java Linux
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
For the benefit of others here's a conversation the OP had with Ulf and I last week on the topic of obfuscation.

https://coderanch.com/t/615551/GUI/java/obfuscated-code-decompiled-easily
 
Bartender
Posts: 10780
71
Hibernate Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Leonardo Carreira wrote:Wow.. that's a surprise for me knowing that there's btrace project, which can trace the byte code being loaded.


When it comes to Internet piracy, you shouldn't be surprised by anything.

Ok. What if i combine the methods, obfuscating the jar first and then encrypting the jar?
Will that give some additional protection?


Yes, but TBH, I wouldn't obsess about it too much. The MS paradigm of guarding everything to the nth degree and making everything proprietary is rapidly becoming old hat; and software providers are finally beginning to understand what we Systems Administrators have known for years:

If someone - anyone - has time and money and smarts enough, they WILL find a way to crack your system.

(and BTW, the term is "crack", not "hack" - "hackers" are the good guys; "crackers" are the ones you want to string up by their private parts )

If your app has separate client and server components to it, you could try to make sure that all the sensitive stuff is on the server side; and then hire good SysAdmins to keep those safe.

But better still, make sure that your customers have a reason other than just the code to buy your product. Many software companies make their money on service contracts these days, and practically give their product away for free. Why would anyone spend good money on something like an Oracle database, when you can get DB2 (which has been around for a LOT longer) or MySQL or JavaDB for free? Why do people use WebSphere rather than Eclipse? Or MS Office rather than OpenOffice? Or Photoshop Pro rather than Gimp? Or indeed, Windows rather than Linux?

In many cases, it will come down to things like brand familiarity rather than a rational decision, because all those products I listed are pretty much equivalent in terms of what they can do (the latter one, in all cases, being free). And, in the case of Linux, actually do it much better.

My advice would be to spend some time studying what makes software successful, rather than trying to defend it to the teeth.

Remember: Linus Torvalds (the creator of Linux) is a very rich man.

Winston
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic