How can one secure the logic in a Java class file?

Question

I want to run a proprietary algorithm on a third-party's Java infrastructure. They gave me a jar with appropriate objects for me to build my class against. The idea is I give them a class that implements my algorithm.

How does a compiled Java class compare to a jar in terms of ease of "decompiling?"

I assume that the best one can do to protect one's IP against reverse-engineering is to run it through an obfuscator, as covered in How to protect a Jar file from being decompiled?

Except that since their infrastructure has to access named methods in my class does an obfuscator even offer that level of protection? Or if one is giving another party a compiled Java class is there practically no work required to reverse-engineer the algorithm? If the latter then what other approaches offer more security?

(I realize that all accessible code can be reverse-engineered. I just want it to require a reasonable level of effort – ideally something along the level of compiled C.)

A jar is basically just a zip file of .class files, so they're equally easy to decompile. — yshavit, Jul 20 '15 at 19:32
@ThorbjørnRavnAndersen - Does signing the code effectively encrypt it from users to whom I have not given a key? — feetwet, Jul 20 '15 at 20:29

score 2 · Accepted Answer · answered Jul 20 '15 at 19:43

To get an idea of how easy it is to decompile Java classes and JARs, see this decompiler. If you need to expose or implement a public API you'll be limited in terms of what you can obfuscate.

As long as people get access to your java binaries it will be hard to protect against reverse engineering. You could try to implement your algorithm with one of the JVM script engines (rhino, ...) and protect the script, but you're then at the mercy of someone heap dumping your running algorithm.

How can one secure the logic in a Java class file?

1 Answers1