Securing a client-side Java application - java

Recently I've been developing a client-side Java Swing application for a client, and I've had a creeping concern that at any given time the client could simply take a snapshot build of the system and run off with it.
The app needs to be connected to the internet in order to do anything, and I was hoping to get some tips on how I could put some sort of security in place to prevent the system from working if I wanted to, i.e. he may copy/install the application somewhere else without me knowing about it (edit from the comment here).
I'd need this to be fairly transparent to the client, and it wouldn't need to be 100% robust as the client is not technically competent and is unlikely to try to 'crack' any security that is there.
Any tips would be much appreciated!
Thanks

I think you're going to want to look into code obfuscation:
http://www.cs.arizona.edu/~collberg/Research/Students/DouglasLow/obfuscation.html
http://java-source.net/open-source/obfuscators

Related

Choosing a proper framework to the server side webservice

I'm writing an Android app and every time someone installs it he must connect to a web server to get updated data that it needs to work properly. The app does that only one time and after that is good to go on its own. It is a really small amount of information, 1 MB at most. But considering a lot of installations (hopefully), I was wondering what the best framework to do that is. What's your opinion?
Since this app is made in Java I was thinking about doing this "server side" part as a RESTful service with Spring Boot, but I don't know if it can handle a lot of simultaneous connections. And I don't think I'll need to implement "POST", "DELETE", "PUT". I just need (as far as I can see) to implement "GET". That's why I'm not sure if a REST service is a good idea. What do you people think?
Speaking from my experience there are a lot of good frameworks that enable you to build backend applications and there is already a lot of comparisons you can find about it on web.
Since you are good at Java I think Spring Boot would be a really good option. Spring Boot is an excellent framework that is core to a lot of enterprise applications that use Spring Boot, and hence you don't have to worry about the performance. It would absolutely work well for you.
But if you are looking to quickly develop an application you could try Flask or Django, and both of them have also proved their mettle.
If you are good with JavaScript you could even try Node. Node may not perform well for CPU-intensive tasks, but it will probably work very well if you are looking to fetch data with GET requests.
All of the above have huge community support and hence you wouldn't have a problem learning them.
But if you are looking to implement something really, really fast and not very complex, check out Firebase. It might do the trick for you.

JAVA Spring to MS Azure Logic App and Functions

I am exploring options for how to convert my existing Java application, which uses the Spring framework, to the Azure Cloud serverless "Logic App" and "Functions" concept without re-writing.
As far as I can see, there is no accurate information on Microsoft websites.
Can anyone please suggest a road map for how I must lift and shift my Java Spring framework to Azure Functions?
I am aware of the fact that there will be little modifications that I might need to do; that is OK with me. But not a complete re-write into some other language.
Thanks !
Hard to say exactly, but with the new Java support, as long as any package you are using can be resolved with Maven it should work in Functions. The potentially bigger question is what can remain as-is. Likely each of your controller methods would become Azure Functions - the method signature would change but the code inside should remain largely the same (HttpTrigger with a request message to a route). The models should be able to stay untouched. If you had any orchestration or workflows, that would become orchestrated by Logic Apps - but since Logic Apps has no code, it would mean re-creating that workflow/orchestration in Logic Apps.
Java is still in preview so you may hit some snags here and there, but let us know if you have any other questions along the way.

Making a web app which allows the user to view the server desktop

I did a pretty fair bit of scouring, yet could not find anything useful which answers my questions. Either that or I am asking the wrong questions.
I am trying to make a web application which gives a user a graphical view of the server desktop. I have understood that somewhere in here the X engine has to be invoked, and I have also understood that this is not something that PHP can accomplish, primarily because it's a language which processes before sending requests; please correct me if I am wrong in this regard.
You may say that what I am trying to accomplish is something akin to what TeamViewer does, only on the web. My dilemma is whether I should be using Python or Java for this task; both would be pretty apt for the task, but which one would be better?
Please give your suggestions
To allow the user to interact with the desktop in real time, you need to run the application in the user's web browser. Interaction with a webserver would just be too slow to do anything meaningful. I do not know about any way to execute Python in a web browser, so I would rule it out. Some of your options for client-side code execution are:
JavaScript (the recent addition of Canvas and WebSocket made it suitable for this kind of problem)
Java Applets (fell out of favor recently due to security problems)
ActiveX (IE- and Windows-only, very rarely used in a public context nowadays)
Flash (a popular but dying technology)

Java authentication/authorization server

I've been thrown in at the deep end a bit here, as I never expected I would have to do something like this and I have no idea where to start; so I'm hoping somebody will be able to help me (ideally by providing some Java code)...
In my effort to protect my Java software from piracy I have found that it is completely impossible unless I continuously check online - so that's what I want to do. Only, the only details I know are that my program needs to communicate with some sort of script online and verify the licence key the program is using and then report back accordingly.
However, that's all I know - I am still stuck as to what the server side actually consists of. I'm hoping that the fact I am not hosting the website myself (and am using JustHost) will not stop me from being able to do what I need.
So basically, I would like some help in creating a setup that allows me to prevent anyone from pirating my software while connected to the internet. I thought about having something like a login system; the user's licence key would act as a username and password, but to be honest I really have no idea, because if I did it that way they would have to manually log in and log out each time they wanted to use the software.
And not to run before I can walk, but what happens when the user is not connected to the internet? Even worse, how do I tell if somebody has stolen a legitimate user's licence key? etc.
Thanks in Advance,
Andy
PS If it helps, I plan to use PostgreSQL (or maybe MySQL) and I am not paying for a dedicated server with JustHost.com...
Once your code is on their machine they can modify it to simply ignore your checks. You can make it as hard as possible but it will never be hack proof.
In general your question is identical to this one which has some good discussion.
Try to delegate part of your business logic to the server side. This way some core processes cannot complete unless the application license is valid. Of course, that is if you have some logic that can be delegated. If your application is client-only then this approach is a bad choice.
If your application will be sold for a lot of money, try implementing a solution using the HASP key approach (which is an investment by itself) instead of server authentication. I understand this is not what you asked, I am just giving another idea.
Try to create security by obfuscation/encryption and you will fail if your application becomes popular, since there will always be someone who will crack it in 5 minutes :(
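
Added example, not part of any post above: one way to handle the copied-install concern in the first question and the offline and stolen-key questions in this one is for the server to sign a short-lived lease that names the licence key, the machine and an expiry, which the client checks with a public key only. The class, method names, lease format and the machine identifier are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

// Added example; class, method and field names are hypothetical.
public class LicenceLease {
    // Server side: sign "licenceKey|machineId|expiryEpochSeconds" (fields must not contain '|').
    static String issue(PrivateKey serverKey, String licenceKey, String machineId, Instant expiry)
            throws GeneralSecurityException {
        byte[] payload = (licenceKey + "|" + machineId + "|" + expiry.getEpochSecond())
                .getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(serverKey);
        s.update(payload);
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString(payload) + "." + b64.encodeToString(s.sign());
    }

    // Client side: ships only the public key, so it can check a lease but cannot mint one.
    static boolean verify(PublicKey serverPub, String lease, String thisMachineId, Instant now) {
        try {
            String[] parts = lease.split("\\.");
            if (parts.length != 2) return false;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(serverPub);
            s.update(payload);
            if (!s.verify(Base64.getUrlDecoder().decode(parts[1]))) return false;
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|");
            // Bound to one machine and to a deadline: offline use works only until expiry.
            return f.length == 3 && f[1].equals(thisMachineId)
                    && now.getEpochSecond() < Long.parseLong(f[2]);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or tampered lease
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair(); // constructed demo key; the private half stays on the server
        Instant now = Instant.now();
        String lease = issue(kp.getPrivate(), "DEMO-KEY-0001", "machine-A", now.plusSeconds(86400));
        System.out.println("original install: " + verify(kp.getPublic(), lease, "machine-A", now));
        System.out.println("copied install:   " + verify(kp.getPublic(), lease, "machine-B", now));
        System.out.println("after expiry:     " + verify(kp.getPublic(), lease, "machine-A", now.plusSeconds(90000)));
    }
}
```

The server can refuse to renew a lease for a licence key that shows up from too many machines, which is where a stolen key becomes visible. As the first answer says, a user who edits the client can still remove the check; the lease only stops unmodified copies.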

Securing client side code

I'm in the process of developing an application that uses client-side code (JS to be specific), which needs to be secured, i.e. so that a user cannot steal the code and reuse it. Obfuscation is not an option, as I need the code to be fully secured (with encryption). After extensively scouring the internet for a solution that allows JS encryption I have come to the conclusion that this proprietary code can only be executed server side to ensure its security.
Does anyone have any other ideas or solutions that would relieve the server from having to process things that otherwise could be done on the client with JS? Executing some of the code on the server is an option, but resources are limited. Another issue is that it would need to be something like "server side JS", i.e. the user experience is not changed.
If the code is client side, they have the code. Period. That's how the internet works.
If you want to protect it from the end-user, then yes, you need to keep that on the server side. Alas, that will change the user experience. There really isn't a way around that, though perhaps via judicious AJAX calls you can find a happy medium.
Nope, it sounds like you've pretty much got the gist of things. Use the server to process anything that needs to be done securely. Use javascript to display the data sent from the server.
I don't know what application you're working on, but typically efforts to offload significant processing onto the client side involve so much data transfer that the server has to do more work in the long run. Can I ask what kind of processing you're wanting to do client-side?
The user experience would have to be changed for a server-side solution, simply by the fact that you'd be running code on a different box, with a network between the two. The latency will be different. It may be good enough, of course, but it's hard to say without knowing what kind of app it is.
The closest I can imagine is hosting some sort of JavaScript engine within an otherwise-secure application... but you can tell from the state of the games industry's attempts how easy they've found it to make unhackable client code. Basically, if it's going to run locally, the code has to be there to execute... and that means it can be inspected. All you can do is make it harder.
You could encrypt your JavaScript and then decrypt and eval it on the client side. If it's a private application, you could use a password for the encryption, so anyone without the password could not decrypt it. Otherwise you should make it really complex.
Apart from standard JS obfuscation which is discussed e.g. here: https://stackoverflow.com/questions/2285593/how-to-sell-and-protect-software-that-has-easily-visible-source-like-javascript
this is close to impossible to do.
I would tend to question whether there really is a need to protect the client side code in the first place. What makes it so unique that this is necessary? Any kind of sensitive data manipulation should be done on the server side anyway, as every obfuscation method will always be only imperfect protection.
