Can I use native compilation as Java obfuscation

compile c to java bytecode
how does llvm work
compiler framework
llvm virtual machine
llvm bit code
llvm intermediate representation
llvm overview
llvm stands for

I am writing a plugin for a Java application. I could obfuscate the plugin, but it would still be easily reverse engineered.

I believe that if I could compile this plugin to a shared library, which heavily uses JNI to communicate with the main application, it would be much harder to reverse engineer. I am willing to sacrifice some performance to JNI, and the application I am coding against does support shared library loading. The only problem is that I am not aware of a tool which does the job: gcj seems to depend on its own runtime and IKVM.NET - on .NET

To be precise:

public class PluginImpl implements Plugin {
    @Override
    public void startPlugin(PluginContext ctx) {
       ctx.helloWorld();
    }  
}

should be converted to

public class PluginImpl implements Plugin {
    @Override
    public native void startPlugin(PluginContext ctx);
}

and the body of my startPlugin method is compiled into a shared library.

(well, yes, I know, I could have written this plugin in C in first place)

You can't really use anything for code obfuscation if you are distributing executable code in any form. Any executable code can be reverse engineered. This is a business problem not a technical problem, and it is solved by busniess means: licence agreements, price, time to market, or most probably a more realistic assessment of the risks and values, i.e. admitting to yourself that your code just isn't that valuable. Alternatively deliver your product as a service rather than as an executable.

[PDF] Obfuscating Java Programs by Translating Selected Portions , to high level bytecode (e.g., Java) can be obfuscated only to a limited extent. portable C code, that can be easily compiled for many distinct platforms. Method calls use the stack similarly to arithmetic operations. Before calling a The Java Native Interface (or JNI for short) is a framework that allows  PS as a “fun fact” – PreEmptive’s first obfuscation product was for Java (it pre-dates the existence of .NET) and is (still) called DashO (“-o” is the “optimize” command for Java). So yes, the first obfuscator began its life as an optimization tool in the 1990’s – firmly establishing the the connection between optimization and obfuscation – but that does not make them synonymous.

I assume you have good reasons to go for native compilation. An option that you can examine is Excelsior JET that is a Certified Java solution.

Obfuscating Java bytecode with LLVM and Epona, Finally, we will take a look at some optimized and obfuscated examples. compiling Java to native code thanks to LLVM; running LLVM IR  react-native-obfuscating-transformer. Obfuscate selected source files when building for React Native. Installation yarn add react-native-obfuscating-transformer --dev or. npm install react-native-obfuscating-transformer --save-dev Usage React Native >= 0.59 /metro.config.js

You could make your plugin provide its service over RMI. This way the plugin would be an application and could be compiled to native code.

[PDF] Two Ways of Securing Eclipse RCP Applications, Java decompilers that can produce amazingly readable source code. “ “Anyone who Native pre-compilation – transforming the application classes into a native code executable That said, obfuscation of Eclipse RCP applications is not a. If you are releasing valuable software (especially Java, Android, .NET and iOS) anywhere outside your immediate control and you are not distributing the source code, obfuscation should probably be part of your application development process. Obfuscation makes it much more difficult for attackers to review the code and analyze the application.

Information Security and Cryptology – ICISC 2016: 19th , Google recommends developers to use Proguard [4] to obfuscate sensitive code in Android. However, this tool only obfuscates Java code and leaves native code as easy The hidden code can be further protected through dynamically downloading techniques are based on native binaries typically compiled from C/C++. Obfuscation is the technology of the reality shrouding. This is not a complete encryption of the Java code, though there was a time when this method was used. Taking into consideration Java, obfuscation seems to be better.

Protecting Java code via code obfuscation, The Java language is compiled into a platform independent bytecode format. We will examine how code obfuscation can help protect Java bytecodes. Using native object codes makes reverse engineering harder but increases the  Obfuscation, through native compilation or through Java obfuscators, can provide some protection for your source code but it does not protect your licensing code and resources. JWCrypt allows you to mark resources included in your build for protection in the same way as you protect your Java JAR files.

Your intellectual property could be at risk: protect it with obfuscation , You might be surprised how easily your software could be cracked and written by a human is “compiled” into intermediate language code. and Java. However, when using native languages, automatic obfuscation is  You can decompile byte code using tools such as, the now dead, JAD project. However any time I have tried to do it just out of interest the resulting Java code is not pretty. At all. If you are keen on using Java for your application then a combination of a licence declaration in your source files and some obfuscation would probably suffice.

Comments
  • why do you say that obfuscated bytecode can be easily reverse engineered?
  • Anyone with the time and patience to de-obfuscate your bytecode can do the same with the native code, given more time. You're sacrificing performance, inability to debug, reliability (when the compiled-to-native Java invariably behaves differently compared to being run in the JVM) and days of your own time for very little "gain" and a vastly inferior product. Give up now while you haven't invested so much time in obfuscation that you feel you just have to ship the product like this...
  • Maybe you should port your app to Perl ;-)
  • I think if this approach were easy to automate and pull off, someone would have already turned it into a commercial obfuscation offering. :)
  • Obfuscation is not meant to "prevent" reverse engineering, just to make it more difficult. As long as you are aware that if you distribute executable code it is actually impossible to completely prevent reverse engineering, there is nothing wrong with using obfuscation as a deterrent.
  • There is a definite cost and a possible benefit. It's a business decision.
  • You can say the same for any feature of any software product. Deciding whether the feature is implemented is a business decision. Design and implementation is a technical job. Likewise, deciding whether to use obfuscation is a business problem. Obfuscation itself is a technical topic.
  • @Grodriguez: obfuscation makes reverse engineering more time consuming - true {but not too much}, also provides good prayers for the relatives of the developers but in the end achieves nothing.
  • @bestsss: You are talking about "breaking licenses". This has nothing to do with my argument. I never said that obfuscation is useful to prevent copy protection. I said that it makes reverse engineering more difficult. Which it does.
  • Still it runs its own runtime: "The resulting executables need the Excelsior JET Runtime to run, but not the Sun JRE." (excelsior-usa.com/jetfaq.html )
  • Well, +1 anyway for being a very interesting product.
  • Any Java app needs a Java runtime with garbage collector, context isolation (whether JNI, CNI, or something else), etc. Excelsior JET just precompiles the bytecode down to optimized native code. It still has a JIT compiler for handling classes that were not precompiled - dynamic proxies, third-party plugins, and so on.
  • Really good point, thank you. I suspect that out of process RMI would be too much of performance penalty, but I may give it a try. Added bonus is that I could use gcj then. I wish the API I am writing against was more serialization friendly.