A great presentation at a local users' group today demoed the different ways to compromise a desktop Java app.

These threats aren't necessarily peculiar to Java, but it's worthwhile to recap them here.

[ Maybe that's why I don't know anyone other than myself and the Eclipse folks who write desktop Java code? ]

Recap Of Desktop Java IP Threats:

  1. Decompiler threats (tools like JAD Decompiler etc.)
  2. Machine level threats (tools like IDA Pro Interactive etc.)
  3. Java Runtime threats (google "hack java class encryption")
  4. Debugger threats (run in debugger and intercept)

These are all threats to the main ways of protecting IP in a Java desktop app, listed below.

Recap Of Desktop Java IP Techniques:

  • Obfuscate code with renaming utilities
  • Encrypt all strings
  • Anti-tamper code that signs or checksums classes
  • Classfile encryption
  • Insert crappy unreadable code like gotos and multiple crazy if statements
  • Custom class loaders - go get this class from here
  • Distributing pieces of keys all over the environment
  • Bind your app to the hardware that initialized it at install
  • Java Agent jar file that you pass to the JVM as a parameter

In the demo today, they showed how to defeat many of the above measures, then how to counter some of the defeats, and then how to counter some of the defeats of the countermeasures. Whew.

These guys were solid pros, and demonstrated that software security is an iterative, layered process; you're not going to buy a license, click a button and turn on software security.

Credits

The presentation was from the guys at Arxan, who provide the "GuardIT" line of software security for C, .NET, Java and other platforms.