I am currently creating some little Framed application in java.
When we clean an built a main project with netbeans (therefore creating a jar file), does it create a secured jar file ?
What I mean is that mine contains some tables with keys and I don't want that future users can be able to watch these key logs.
So is the code totally hiden ? In case not, how can we "protect" jar files please?
Thank you in advance for your help, please let me know if I wasn't clear enough.
EDIT : I am currently under windows 7
It isn't at all protected. It's just an archive (built on ZIP) of .class -es and other resources, metadata, etc.
You could try and obfuscate java bytecode with tools like Proguard. That would give you some protection, that is - it would make reverse-engineering more difficult.
My suggestion would be to encrypt the files that have the sensitive information, before you jar them. Let the application decrypt them when it needs to use the data. Use a ramdom-looking encryption key so people will be unlikely to figure it out by listing the strings in your class files.
Although this does not prohibit someone from viewing the contents of the jar file there are mechanisms that provide tamper evidence and prohibit someone from creating an additional jar that appends methods to your package.
This is called signing and sealing.
Related
I have looked at this answer provided here, and here, and here
The answers provide some useful information but I wanted to know if there are better ways to do it.
I have built my apk and I used pro guard, but when i decompiled the apk, everything was the same as they were before the compression.
The name of the classes and some variables were obfuscated but a Newbie could have looked at the code and would understand how the app works.
In my app I want to hide the core network communication between the app and the server. For example, the address of the server, the JSON format etc.
I came across something as way to protect from decompilation is putting the java.class files into jars and then signing them and then add them as a library to my app.
My question is:
Is it the correct way to do it ie. using the jar signing ?
No. Jar signing is used to make sure the file isn't tampered with. You can still decompile it.
Rather than wasting time worrying about decompilation, you should concentrate on something useful. Obfuscation is used to save space in Android, not to prevent people from looking at your code. Besides, did you really create something so special that you need to protect it? (Be honest now)
I am trying to create a java standalone program and was wondering if there is a way to have some sort of data storage within my jar?
You see, my initial idea was to use xml files within the jar for reading and writing stuff in. I had no problem reading stuff from the xml files but I was told you cant really edit/create new files within a jar.
I want it so when i send the executable jar to my friend, initial data I have put in will be in it already and then they can just add to or change the data. I find it pretty tricky as it has to be a form of data storage without the internet access or any need for my friend to install anything more.
I decided to go for sqlite in the end. It works exactly how i want it to work. I might look into javaDB in the future as it seems to have better SQL language support sqlite.org/cvstrac/wiki?p=SqliteVersusDerby
As far as I know, JAR files are read-only, which cannot be rewritten to.
My suggestion is to use MS Access database as your JAR's data keeper.
As it is portable, the only weakness is that you have to bring both of your JAR and MDB files together (or put them in 1 folder).
I want to make setup file for java swing application .
I am creating the setup by writing the script file and selecting the source file as jar and other necessary resources .
Now i want to make my jar disable to extraction .
Is there any way from which i make sure so that no can access the resources from my jar file either the class files or images etc.
thanks in advance
You can make it harder to get your resources, but you can't make it impossible. That's not a Java problem, by the way, but a general one of distributed software. In order to access your resources, your program (or in the case of Java the runtime environment) must be able to unpack them. Even when you encrypt them somehow, the program needs to include the decryption key and the decryption algorithms. A determined user can find these through reverse engineering, and use them to get your resources.
You could try obfuscating your codes.
This is the one I have used for obfuscate.
http://www.zelix.com/klassmaster/
You could find more tools for that.
You can use java webstart, your jars will be kept in cache so very its hard to access.
Java Web Start Guide
Is there any way in Java to store external files (inside jar) safely? Java files are compiled to .class files and not readable.
I'm planning to use this meganism to store sql files, which hold queries, however i dont want those to be readable when one extracts the jar. External files are pre, cause we then have syntax highlighting while developping instead of putting them into a string.
A jar file is pretty much just a .zip file, so you can put whatever you want in them. There's no built-in encryption, so if you're trying to make the SQL files non-readable, you'll have to encrypt them (and then unencrypt in your code). I don't understand what you mean by "External files are pre, cause we then have syntax highlighting while developping instead of putting them into a string."
Yes, people do this all the time. Just add the files to the jar, and then access them with
getResourceAsStream. If you build with maven, you just plop them into src/main/resources to get them into the jar.
Of course you can put them in the Jar. Once there you can get at them by using the ClassLoader's getResourceAsStream method.
The challenge is to prevent other people extracting them. If your code can read them, so can someone else. What are your requirements here?
I am developing a small game in Java and I am shipping it as a single Jar file. I want to store the high scores/best times for that game somewhere. Instead of storing it in a separate file, I would like to store it in the application itself (inside the Jar) so that its not lost. Is this possible at all ? If so, how to do it programatically.
Java does not give you tools to modify the JARs which are currently run. If you really want to do it, you have to guess the location of the JAR by yourself (which might reside on a read-only filesystem) and modify it the same way you would modify any archive file.
Bottom line: it's a very bad idea, don't do it! See this question for a much more reasonable solution.
Nothing is impossible, but storing it in the jar file would make it very complicated. You might also end up with unwanted side effects like "Permission Denied" errors when the jar is owned by another user. Virus scanners might get nervous when they see jar files change without reason, etc....
I would look to the Preferences API for storing this kind of info.
I think it is a bad idea to try and store anything in the jar file. Another option is to have a web based service offered to the people playing with your game. The game could connect through a web service to your hosted server and then store everything centrally there. Not sure if it is exactly what you want but it's just an idea. It would also allow people to compete with each other.
Java JAR file is a ZIP-Archive, so you could possibly access it with standard ZIP-Tools and just extract one hisghscores.txt file, modify it and then pack it back again.