I'm wondering if there is a way to generate an obfuscated, buildable version of my Maven project and hand it out to clients. The obfuscation is just for protection, to make the code hard to steal.

I'm using ProGuard to obfuscate jars, but this obfuscation is at the bytecode level, as was answered in this thread: Obfuscate Java Source Code

If obfuscation isn't possible, how can I hand out my source code and be sure that it won't be stolen (or just make it hard, by making it poorly organised), while the client is still able to build and run the code?

EDIT: operations that need to be performed:

1- Remove all comments from the source code.

2- Merge all classes into one single package.

3- Use meaningless class names (e.g. A, B, C ...).

4- Remove all unit tests.

josephino
    Why are you giving your clients your source code if you don't want them to be able to use it? Why not just give them compiled jars? – Oliver Charlesworth Jun 21 '17 at 20:56
  • For some security audits, to verify that there are no security risks. – josephino Jun 21 '17 at 20:59
  • What do they want to verify exactly? Certainly not the source code if it's obfuscated? Also, wouldn't a runnable distribution suffice for them to run tests? – QBrute Jun 21 '17 at 21:01
  • @josephino You want them to perform a security audit on obfuscated source code? – GriffeyDog Jun 21 '17 at 21:01
  • @QBrute They want to have a look at the source code to check that nothing inside represents a security risk. – josephino Jun 21 '17 at 21:06
  • @GriffeyDog I just want some source code protection. I'm already obfuscating jars, so I'm wondering if it's possible to have some protection while handing out source code too. – josephino Jun 21 '17 at 21:08
  • @josephino You say: _They want to have a look at the source code to check that nothing inside represents a security risk._ But you want to provide them with _obfuscated_ source code. Don't you think that will make it pretty difficult for them to audit it? – GriffeyDog Jun 21 '17 at 21:11
  • @GriffeyDog, so should I just give them the source code and hope that everything's gonna be OK? Maybe just something like removing all comments and merging classes into a single package... – josephino Jun 21 '17 at 21:15
  • @josephino I would say your options are 1) provide the source code as is and let them audit it, or 2) don't provide the source code. Only you can answer which is the best option. – GriffeyDog Jun 21 '17 at 21:17
  • @josephino As answered by FiReTiTi below, could you look into something akin to an NDA -- a doc stating that any and all code they audit is your sole property? Have you consulted your legal team (if you have one)? – deckeresq Jun 21 '17 at 21:18
  • If the source code is licensed appropriately, you can take legal action against those who violate the license. There shouldn't be any unit tests in a production JAR to remove to begin with. You can't really obfuscate Java code. Merging classes into a single package is a bad idea - you are hurting the code itself that way, not protecting it. Are you confident that anyone would _want_ to steal your code? Are you sure? – Lew Bloch Jun 21 '17 at 23:45

1 Answer

The goal of obfuscation is to hide the source code and make reverse engineering impossible. And ProGuard works really well for that.

What you want is to juridically protect your source code when you give it to your client. The best thing to do is to talk with a lawyer in order to have a legal form attached to the delivered code that your client will receive and sign, acknowledging that the code is yours and that he cannot reuse it for purposes other than those defined in the contract.

FiReTiTi
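As an added example (not code from the question or the answer): a minimal ProGuard configuration that applies to the compiled jar what the question's edit list asks for at the source level, namely classes renamed to short names and collapsed into one package, while keeping the jar runnable. The jar paths and the entry-point class `com.example.Main` are placeholders, and the library path assumes Java 9 or later.

```proguard
# Assumed input/output paths (placeholders for a Maven build).
-injars       target/myapp.jar
-outjars      target/myapp-obfuscated.jar

# Java 9+ runtime classes so ProGuard can resolve JDK references
# (on Java 8 use <java.home>/lib/rt.jar instead).
-libraryjars  <java.home>/jmods/java.base.jmod(!**.jar;!module-info.class)

# Keep only the public entry point; every other class, method and field
# is eligible for renaming, so the client can still run the jar.
-keep public class com.example.Main {
    public static void main(java.lang.String[]);
}

# Move all renamed classes into the root package with short names
# (the "A, B, C in one package" effect from the question).
-repackageclasses ''
-allowaccessmodification

# Keep line numbers so production stack traces remain usable in-house.
-keepattributes SourceFile,LineNumberTable
-renamesourcefileattribute SourceFile

# Write the rename mapping; it is needed to read stack traces from
# the obfuscated build and must stay with you, not the client.
-printmapping target/proguard-mapping.txt
```

The mapping file fully reverses the renaming, and string constants, configuration values and anything else embedded in the jar remain readable, so obfuscation changes how readable the bytecode is, not what it contains.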