Obfuscation

Obfuscation is the cover up of intended meaning in communication, making communication confusing, deliberately ambiguous, and more complicated to interpret.

Obfuscated code is source code in a computer programming language that is difficult to understand. Programmers may deliberately obfuscate code to conceal its purpose, to prevent reverse engineering, or as a puzzle or recreational challenge for readers.

Obfuscating code to prevent reverse engineering is typically done to manage risks that stem from unauthorized access to source code.

Obfuscation is one technique used in a process called “application hardening”, which also includes such techniques as tamper detection and response, application encryption, and custom virtual machines.

Java and .NET languages (e.g., Oxygene, C#, Visual Basic) take a different approach to compilation. They are far easier to reverse engineer because they do not compile to machine code, they compile into intermediate code.
Advantages of obfuscation

• Intellectual property protection
• Reduced security exposure
• Size reduction
• Library linking
• At best, obfuscation merely makes it time-consuming, but not impossible, to reverse engineer a program. When security is important, measures other than obfuscation should be used
• Obfuscated code is extremely difficult to debug. Variable names will no longer make sense, and the structure of the code itself will likely be modified beyond recognition.
• Obfuscated code often depends on the particular characteristics of the platform and compiler, making it difficult to manage if either change
• Reflection is a set of APIs in various languages that allow an object to be examined or created just by knowing its classname at run-time. Many obfuscators allow specified classes to be exempt from renaming; and it is also possible to let a class be renamed and call it by its new name. However, the former option places limits on the dynamism of code, while the latter adds a great deal of complexity and inconvenience to the system.

Disadvantages of obfuscation
ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes byte code and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or for Java Micro Edition.

• Creating more compact code, for smaller code archives, faster transfer across networks, faster loading, and smaller memory footprints.
• Making programs and libraries harder to reverse-engineer.
• Listing dead code, so it can be removed from the source code.
• Retargeting and preverifying existing class files for Java 6, to take full advantage of Java 6′s faster class loading.

ProGuard‘s main advantage compared to other Java obfuscators is probably its compact template-based configuration.

How It Works?

1. In the shrinking step, ProGuard starts from these seeds and recursively determines which classes and class members are used. All other classes and class members are discarded.
2. In the optimization step, ProGuard further optimizes the code. Among other optimizations, classes and methods that are not entry points can be made private, static, or final, unused parameters can be removed, and some methods may be inlined.
3. In the obfuscation step, ProGuard renames classes and class members that are not entry points. In this entire process, keeping the entry points ensures that they can still be accessed by their original names.
4. The preverification step is the only step that doesn’t have to know the entry points.

ProGuard typically reads the input jars (or wars, ears, zips, or directories). It then shrinks, optimizes, obfuscates, and preverifies them. Optionally, multiple optimization passes can be performed, each typically followed by another shrinking step. ProGuard writes the processed results to one or more output jars (or wars, ears, zips, or directories). The input may contain resource files, whose names and contents can optionally be updated to reflect the obfuscated class names.

ProGuard is a command-line tool with an optional graphical user interface. It also comes with plugins for Ant and for the JME Wireless Toolkit.

-injars class_path

Specifies the input jars (or wars, ears, zips, or directories) of the application to be processed.

-outjars class_path

Specifies the names of the output jars (or wars, ears, zips, or directories).

-libraryjars class_path

Specifies the library jars (or wars, ears, zips, or directories) of the application to be processed. The files in these jars will not be included in the output jars.

-keepclasseswithmembers [,modifier,...] class_specification

Specifies classes and class members to be preserved, on the condition that all of the specified class members are present

-printseeds [filename]

Specifies to exhaustively list classes and class members matched by the various -keep options.

-keepattributes [attribute_name,...]

Specifies any optional attributes to be preserved.

-keepclasseswithmembernames class_specification

Short for -keepclasseswithmembers,allowshrinking class_specification

Specifies classes and class members whose names are to be preserved, on the condition that all of the specified class members are present after the shrinking phase.
Example:
To shrink, optimize, and obfuscate the ProGuard application itself, one would typically create a configuration file proguard.pro and then type:

java -jar proguard.jar @proguard.pro

The configuration file would contain the following options:

-injars proguard.jar

-outjars proguard_out.jar

-libraryjars /lib/rt.jar

-printmapping proguard.map

-keep public class proguard.ProGuard {

public static void main(java.lang.String[]);

}
ANT task
ProGuard can be run as a task in the Java-based build tool Ant (version 1.6.0 or higher).

Before you can use the proguard task, you have to tell Ant about this new task. The easiest way is to add the following line to your build.xml file:

<taskdef resource=”proguard/ant/task.properties”

classpath=”/usr/local/java/proguard/lib/proguard.jar” />
Other interesting Java related Posts you may like :
What is Java? (clean-clouds.com)

Object-Oriented Programming Concepts (clean-clouds.com)

Java Language Fundamentals (clean-clouds.com)

Operators, Expressions and Control Structures in Java (clean-clouds.com)

Creating, Compiling and Running a Simple program in Java (clean-clouds.com)

Generics and Collections in Java (clean-clouds.com)

Applet and Swing in Java (clean-clouds.com)

JDBC in Java (clean-clouds.com)

Basic I/O in Java (clean-clouds.com)

Threads in Java (clean-clouds.com)

Packages in Java (clean-clouds.com)

Exceptions in Java (clean-clouds.com)

Using JavaDoc to document your Java Program (clean-clouds.com)

Java Coding Standards (clean-clouds.com)

Open Source ILS: Installation Guide for Koha on Ubuntu 11.10 or Ubuntu 11.04 or Ubuntu 10.10 or Ubuntu 10.04 LTS with MySQL 5 (clean-clouds.com)

REST and OO REST (clean-clouds.com)

Java Application in One JAR (clean-clouds.com)

Obfuscation in Java (clean-clouds.com)

Encryption~Hybrid Approach (clean-clouds.com)

Reference:
http://www.dmoz.org/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/

http://proguard.sourceforge.net/

Related articles

• De-obfuscate Javascript code to make it readable again (stackoverflow.com)