What's the best commercial installer application for Java Desktop?

 
Leonardo Carreira
Hi All,

Currently I'm considering purchasing an installer application for Java.
As we know, there is some software available on the market which offers encryption/decryption of executable JARs.
This means the bytecode will be decrypted first, before the JRE runs the decrypted bytecode, when it's being executed. I consider it "decryption on the fly"; I think this idea is awesome.
What do you think about this idea?
May I know your opinion or suggestion regarding which installer application is the best in its class?

Thanks for sharing.

Leonardo
 
Ulf Dittmer
I have no opinion on the products that use such an approach, but I want to point out that this merely makes it harder to reverse-engineer the source code - it doesn't make it impossible.
 
Karthik Shiraly
Hi Leonardo,
Leonardo Carreira wrote:
This means the bytecode will be decrypted first, before the JRE runs the decrypted bytecode, when it's being executed. I consider it "decryption on the fly"; I think this idea is awesome.
What do you think about this idea?
Leonardo

Although encryption looks like a good idea on the surface, the weak point is that all class definitions have to be introduced into a JRE through its ClassLoader.defineClass() method.
The encrypting software most likely provides a custom ClassLoader that decrypts on the fly, but it has to always call this JRE defineClass() to have its decrypted class added to the JVM.
defineClass() expects to receive the class bytecode in an unencrypted form.
So using a debugger, or tools like btrace, or a simple Java agent that uses the Instrumentation API, it's quite trivial to get to the unencrypted bytecode and decompile it, without even a decryption key.

As far as I know, this is how all classloaders have to work, at least in the Oracle JRE. So I don't think encryption will provide the level of protection it appears to at first.
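
The defineClass() point from the post above, as an added example that is not part of the original thread: a hypothetical `DecryptingLoader` encrypts one of its own classes and loads it back, recording what reaches defineClass(). The class names, the AES-GCM choice and the in-memory key are assumptions of this sketch, not any product's code.

```java
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DecryptingLoaderDemo {
    /** Stand-in for a protected application class (constructed for this demo). */
    public static class Payload {
        @Override public String toString() { return "payload running"; }
    }

    /** Hypothetical loader of the kind an "encrypted JAR" product has to ship. */
    static class DecryptingLoader extends ClassLoader {
        private final byte[] key, iv, blob;
        byte[] handedToJvm; // exactly what defineClass() received
        DecryptingLoader(byte[] key, byte[] iv, byte[] blob) {
            super(null); // bootstrap parent only, so Payload is defined by this loader
            this.key = key; this.iv = iv; this.blob = blob;
        }
        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            try {
                handedToJvm = crypt(Cipher.DECRYPT_MODE, key, iv, blob);
                // The JVM only accepts a valid class file here: plaintext bytecode.
                return defineClass(name, handedToJvm, 0, handedToJvm.length);
            } catch (Exception e) { throw new ClassNotFoundException(name, e); }
        }
    }

    static byte[] crypt(int mode, byte[] key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }
    static int magic(byte[] b) { return ByteBuffer.wrap(b).getInt(); } // first 4 bytes

    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        byte[] clear;
        try (InputStream in = Payload.class.getResourceAsStream("/" + name.replace('.', '/') + ".class")) {
            clear = in.readAllBytes();
        }
        byte[] key = new byte[16], iv = new byte[12];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key); rng.nextBytes(iv);
        byte[] blob = crypt(Cipher.ENCRYPT_MODE, key, iv, clear); // what would ship in the JAR
        DecryptingLoader loader = new DecryptingLoader(key, iv, blob);
        System.out.println(loader.loadClass(name).getDeclaredConstructor().newInstance());
        System.out.printf("shipped: %08x, at defineClass: %08x%n", magic(blob), magic(loader.handedToJvm));
    }
}
```

Compile and run with JDK 9 or later. Every valid class file begins with the magic number 0xCAFEBABE, so the second value printed is the plaintext header while the first is ciphertext, which is why encryption at rest does not change what the JVM, and anything observing it, sees.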
 
Leonardo Carreira
Hi Ulf,

Thanks for the thought given.


Hi Karthik,

Wow.. that's a surprise for me, knowing that there's a btrace project which can trace the bytecode being loaded.
Ok. What if I combine the methods, obfuscating the jar first and then encrypting the jar?
Will that give some additional protection?

Thanks,
Best regards,

Leonardo
 
Maneesh Godbole
Not actually a GUI question. Moving to a more appropriate forum.
 
Karthik Shiraly
Leonardo Carreira wrote:
Ok. What if I combine the methods, obfuscating the jar first and then encrypting the jar?
Will that give some additional protection?

As Ulf already points out, tricks like obfuscating+encrypting make it (slightly) harder, but nowhere near impossible, for a determined hacker.
Since it's a commercial installer, perhaps you can ask their helpdesk whether their product is not vulnerable to this problem.

I feel the effectiveness of obfuscation depends on what you want to hide.
It's probably more effective if you have lots of business logic code you want to hide.
But if its real goal is to hide just a single method that does some kind of license check logic, then a hacker has to just tamper with that single method's bytecode return value to always return "license_ok" or "true" or whatever; obfuscation is not that effective here.


Some other approaches that come to my mind, but they all vary vastly in expertise, effort and time required:
- consider deploying the functionality as a web application

- consider making the logic highly data driven, and concentrate on ways to securely download and encrypt the data instead of the code. That way, even if the code is reverse engineered, it may not be very useful

- try out other JVM implementations. An obscure JVM may be more difficult to debug, since tool support will not be mature.

- deploy your desktop app with your own modified version of OpenJDK or GCJ runtimes (both are open source) that overcomes this problem, perhaps by decrypting somewhere deeper in the JVM. There may be buyers out there for this kind of secure JVM, assuming there are no license restrictions against selling such a product.
 
Tim Cooke
For the benefit of others, here's a conversation the OP had with Ulf and me last week on the topic of obfuscation.

http://www.coderanch.com/t/615551/GUI/java/obfuscated-code-decompiled-easily
 
Winston Gutkowski
Leonardo Carreira wrote:
Wow.. that's a surprise for me, knowing that there's a btrace project which can trace the bytecode being loaded.

When it comes to Internet piracy, you shouldn't be surprised by anything.

Leonardo Carreira wrote:
Ok. What if I combine the methods, obfuscating the jar first and then encrypting the jar?
Will that give some additional protection?

Yes, but TBH, I wouldn't obsess about it too much. The MS paradigm of guarding everything to the nth degree and making everything proprietary is rapidly becoming old hat; and software providers are finally beginning to understand what we Systems Administrators have known for years:

If someone - anyone - has time and money and smarts enough, they WILL find a way to crack your system.

(and BTW, the term is "crack", not "hack" - "hackers" are the good guys; "crackers" are the ones you want to string up by their private parts)

If your app has separate client and server components to it, you could try to make sure that all the sensitive stuff is on the server side; and then hire good SysAdmins to keep those safe.

But better still, make sure that your customers have a reason other than just the code to buy your product. Many software companies make their money on service contracts these days, and practically give their product away for free. Why would anyone spend good money on something like an Oracle database, when you can get DB2 (which has been around for a LOT longer) or MySQL or JavaDB for free? Why do people use WebSphere rather than Eclipse? Or MS Office rather than OpenOffice? Or Photoshop Pro rather than Gimp? Or indeed, Windows rather than Linux?

In many cases, it will come down to things like brand familiarity rather than a rational decision, because all those products I listed are pretty much equivalent in terms of what they can do (the latter one, in all cases, being free). And, in the case of Linux, actually do it much better.

My advice would be to spend some time studying what makes software successful, rather than trying to defend it to the teeth.

Remember: Linus Torvalds (the creator of Linux) is a very rich man.

Winston
 