Java Protection

Source: Internet  Editor: 程序博客网  Time: 2024/05/08 11:09

Java Class files contain a lot of symbolic information stored in the constant pool, including all variable names and method names. This symbolic information allows Java decompilers to reconstruct the source code easily. Without protection, anyone can use a Java decompiler to recover the Java source code. Given these characteristics and threats, the following protection mechanisms are available in the market to prevent tampering or piracy.

•    Hardware-based protection
Use a smart card or another type of chip to embed the Java virtual machine engine in hardware. The Java Class file is downloaded into the hardware; the protected application calls the token, sending the input parameters and retrieving the output parameters, while the Class file is interpreted and executed internally. The performance and functionality of this method are restricted by the hardware configuration, such as memory space, RAM, CPU, and so on.

•    Class Isolation (HTTP, Web Service, and RPC)
Developers can place the Class files on a remote server machine to prevent hackers from analyzing them. This method is an ideal solution; however, its cost and the internet speed will affect the developer's decision.

•    Convert Java Class to Native Local Code
JNI allows developers to write sensitive methods as native code, which makes analysis by hackers more difficult because the JNI file is in machine-code format. It requires the developer to write the native code in another language.

•    Java Class File Obfuscation
It allows developers to obfuscate (protect) their Java Class files. All symbolic information can be removed or modified. Traditionally it includes the following types: Lexical Obfuscation, Data Obfuscation, Control Obfuscation, and Prevent Transformation. Although many tools on the market adopt this method, its security cannot be very high because the processed Class file can still be analyzed.

•    Class Loader Encryption
The Java Class loader is the part of the Java runtime environment that dynamically loads Java Classes into the Java virtual machine. It is implemented in the Java language itself and can be replaced by a customized Class loader. This kind of protection decrypts the encrypted Class file when the customized Class loader loads the Class. The decryption method can be implemented in a Class or in a JNI library. The security of this method cannot be very high either, because the whole Class file can be dumped after decryption.

•    JVM Hook
This method uses binary tools (Shell or Envelope) to add Shell code to the JRE runtime executable file to hook Class file operations. The Shell code decrypts the encrypted Class file before the file read operation occurs. The security of this method cannot be high either, because the whole Class file can be dumped after decryption. Another limitation is that the decrypted Class files depend on a specific JRE.
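
To see the symbolic information that the opening paragraph refers to, and to check what a lexical obfuscator has left behind in a shipped Class file, the constant pool can be read directly. The following is an added example, not part of the original article; the sample bytes are constructed, and the names LicenseChecker, secretKey and verifySerial are hypothetical.

```python
import struct

# Payload size in bytes (after the tag byte) of each fixed-size constant-pool entry.
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Standard attribute names that appear in the pool but are not program symbols.
ATTRIBUTE_NAMES = {"Code", "LineNumberTable", "LocalVariableTable", "SourceFile",
                   "StackMapTable", "Exceptions", "InnerClasses", "Signature"}

def constant_pool_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 string stored in a class file's constant pool."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)    # bytes 4..7 are minor/major version
    pos, index, found = 10, 1, []                   # pool entries are numbered from 1
    try:
        while index < count:
            tag = data[pos]
            pos += 1
            if tag == 1:                            # CONSTANT_Utf8: u2 length + bytes
                (length,) = struct.unpack_from(">H", data, pos)
                raw = data[pos + 2:pos + 2 + length]
                # Class files use modified UTF-8; plain UTF-8 decoding covers ASCII names.
                found.append(raw.decode("utf-8", errors="replace"))
                pos += 2 + length
            elif tag in FIXED_SIZES:
                pos += FIXED_SIZES[tag]
            else:
                raise ValueError(f"unknown constant pool tag {tag} at entry {index}")
            index += 2 if tag in (5, 6) else 1      # Long and Double occupy two slots
    except (IndexError, struct.error):
        raise ValueError("constant pool is truncated") from None
    return found

def leaked_identifiers(data: bytes) -> list[str]:
    """Keep only strings that look like source-level names (no descriptors or attributes)."""
    return [s for s in constant_pool_strings(data)
            if s.isidentifier() and s not in ATTRIBUTE_NAMES]

def _utf8(text: str) -> bytes:
    encoded = text.encode()
    return b"\x01" + struct.pack(">H", len(encoded)) + encoded

# Constructed sample: class-file header plus constant pool only (hypothetical names).
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 8)
          + _utf8("LicenseChecker") + b"\x07\x00\x01"      # entries 1, 2 (Class -> #1)
          + _utf8("secretKey") + _utf8("Ljava/lang/String;")  # entries 3, 4
          + b"\x05" + struct.pack(">q", 42)                # entries 5-6 (Long)
          + _utf8("verifySerial") + _utf8("Code"))         # entry 7, then one extra

if __name__ == "__main__":
    print(leaked_identifiers(SAMPLE))
```

Run against a Class file before and after obfuscation, the list of identifiers shows which meaningful names are still readable.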
