Releasing java software
April 22, 2010 3:09 PM Subscribe
When companies wish to release software written in java,
but want to be sure the source cannot be seen/decompiled,
what is the common solution?
I have a piece of java software and would like to release it. Releasing the byte code is not sufficient protection for me. I'm willing to pay money for a tool that protects the source. Can you tell me the options available and the costs? I'm willing to give up some features that java has, for example I'm ok limiting the result to only windows computers.
Alternatively, please tell me good places to look for this answer, such as a web forum that has java experts.
Thanks for your help.
I have a piece of java software and would like to release it. Releasing the byte code is not sufficient protection for me. I'm willing to pay money for a tool that protects the source. Can you tell me the options available and the costs? I'm willing to give up some features that java has, for example I'm ok limiting the result to only windows computers.
Alternatively, please tell me good places to look for this answer, such as a web forum that has java experts.
Thanks for your help.
You could use obfuscation, but it seems to me that you should consider using a different language if you're that bothered about protecting your intellectual property.
posted by gene_machine at 3:18 PM on April 22, 2010
posted by gene_machine at 3:18 PM on April 22, 2010
Or what cschneid said...
posted by gene_machine at 3:19 PM on April 22, 2010
posted by gene_machine at 3:19 PM on April 22, 2010
Best answer: One possible forum, since you asked, would be http://stackoverflow.com. Experts of all sorts, fast answers, and really the best designed site for this sort of thing. And free.
posted by jeffamaphone at 3:21 PM on April 22, 2010
posted by jeffamaphone at 3:21 PM on April 22, 2010
Best answer: Proguard. Free. Open Source.
Also, as others have mentioned, you're probably approaching this wrong.
posted by blue_beetle at 3:23 PM on April 22, 2010 [1 favorite]
Also, as others have mentioned, you're probably approaching this wrong.
posted by blue_beetle at 3:23 PM on April 22, 2010 [1 favorite]
Best answer: What you're looking for is a bytecode encryption or obfuscation. This Java World article covers some of the problems with relying on these techniques.
That said, you may want to look into truelicense or Excelsior Jet (from StackOverflow.)
On preview, derp.
posted by Loser at 3:24 PM on April 22, 2010
That said, you may want to look into truelicense or Excelsior Jet (from StackOverflow.)
On preview, derp.
posted by Loser at 3:24 PM on April 22, 2010
Response by poster: Thank you for the quick responses. Some clarifications below.
I can't change the language, that ship has sailed. I know about obfuscation. I'm looking for a recommended specific product that does it or similar solution well. I know that machine code can be debug/instrumented. I'm looking for a solution that makes a distributed piece of java software as good/robust as doing it in C/C++/etc.
posted by about_time at 3:27 PM on April 22, 2010
I can't change the language, that ship has sailed. I know about obfuscation. I'm looking for a recommended specific product that does it or similar solution well. I know that machine code can be debug/instrumented. I'm looking for a solution that makes a distributed piece of java software as good/robust as doing it in C/C++/etc.
posted by about_time at 3:27 PM on April 22, 2010
Response by poster: Progaurd and excelsior are along the lines of what I'm looking for.
Other suggestions are welcome. Thanks again.
posted by about_time at 3:36 PM on April 22, 2010
Other suggestions are welcome. Thanks again.
posted by about_time at 3:36 PM on April 22, 2010
It may be overkill, but if it's so important that Proguard won't offer sufficient protection, there's always a hardware key.
I've used WIBUkey in the past. While it can be set up to simply check if the dongle is present, it can also encrypt the bytecode and decrypt it automatically at runtime. You can build in this protection in a nearly automated way. Point the encryption tool at the jar, and away it goes.
Keep in mind, though, that you'll lose many of the dynamic features of Java unless you manually access the WIBU APIs to implement them. For instance, loading a class using a ClassLoader becomes quite difficult if it's encrypted.
Frankly, I've found that obfuscated Java is every bit as annoying to reverse engineer as machine code. That said, I've reversed both in the past to patch bugs in third-party libraries.
posted by Netzapper at 9:03 PM on April 22, 2010
I've used WIBUkey in the past. While it can be set up to simply check if the dongle is present, it can also encrypt the bytecode and decrypt it automatically at runtime. You can build in this protection in a nearly automated way. Point the encryption tool at the jar, and away it goes.
Keep in mind, though, that you'll lose many of the dynamic features of Java unless you manually access the WIBU APIs to implement them. For instance, loading a class using a ClassLoader becomes quite difficult if it's encrypted.
Frankly, I've found that obfuscated Java is every bit as annoying to reverse engineer as machine code. That said, I've reversed both in the past to patch bugs in third-party libraries.
posted by Netzapper at 9:03 PM on April 22, 2010
« Older Help me build a solid web design/development... | Brand new 1975 Norton Commandos for sale? What -... Newer »
This thread is closed to new comments.
Second: google for obfuscators. They change the variable names to meaningless things, and use tricks of bytecode to confuse decompilers. They'll also strip comments, and other unnecessary things.
posted by cschneid at 3:17 PM on April 22, 2010