Objective:
Secure my Java application from reverse engineering.
Idea:
- split the program into two halves (loader and program)
- loader will be a regular jar
- program will be an encrypted jar file (bouncycastle, AES?)
- loader asks secure server (https) for a key to decode program
- loader then decodes program and loads up it’s classes
Questions:
Would number 5 be possible?
Has anyone here done this?
Do you know any library already available?
Can you spot major pitfalls / would you do it differently?
Extra
I know it is impossible to prevent full reverse engineering of the code.
I’m just looking to make it harder and more traceable.
This is very possible using Class Loaders. But it is still very easy to decode your program. All one would need to do is change your Loader to write all the classes to disc before it loads them into memory with your custom ClassLoader.
Update
If the Loader is something your users can execute then I would just need to decompile and replace the Loader JAR file to dump the classes to disk. Not only that I am certain there must be something that can take a memory dump of a JVM and output all of the loaded byte code.
If the Loader is on a locked machine in which users cannot obtain access, then what is the Use Case you are trying to solve?
The “solutions” to these problems are: