Interpreted Code Protection: GuardIT® for Java

Protect Web 2.0 Client and Server Applications

Java offers an efficient framework for developing and deploying Web 2.0 server or client-side applications. However, Java byte code is highly structured, and contains detailed metadata and debugging information. Free decompilers can easily decompile Java applications into near-original source code, creating a number of vulnerabilities, such as:

• Theft of IP and PII:  Intellectual property (IP) embedded in applications, such as a proprietary trading algorithm, is vulnerable to theft.  Hackers also study application code to craft exploits to intercept client-server transactions, and gain unauthorized access to personally identifiable information (PII) or other sensitive data controlled by the application.
  
• Invasion by malware: Hackers can discover exploitable vulnerabilities in code and craft malware to compromise the application layer
  
• Key and credential theft: Secret keys and passwords embedded within Java applications can be easily discovered and misused
  
• Tampering of security routines: Thick clients or proprietary Java software is at risk of piracy through tampering and disabling of license management, authentication, or dongle measures.
  
• Tampering of thin clients: While the server and database portions of a multi-tier web application are somewhat shielded from hackers by the DMZ and perimeter security measures, the client portion is undefended in the wild. Hackers have complete visibility into the code, data, transactions, communication protocol, and execution platform of your client. It is very easy, following disassembly of unprotected Java clients, to discover internal security algorithms and transaction logic. The next step is to build exploits to tamper the client - enabling compromised transactions and deeper exploits that tunnel from the presentation tier into the logic and data tiers.  If there is proprietary IP or logic in the unprotected client, you can expect that to be compromised as well.

In today’s threat environment enterprises need resilient protection of their Java application layer in order to:

• Protect the R&D investment made in their Java software assets
  
• Enhance conformance with security regulations, and
  
• Minimize costly application breaches, unauthorized access and malware invasions.

GuardIT for Java - Core Features

Many Java obfuscation solutions largely rely on string encryption and variable renaming to prevent comprehensive disassembly of code. However, given the current sophisticated attack landscape, such superficial measures are easily circumvented; giving rise to the myth that Java cannot be secured.

• Control Flow Obfuscation. This advanced obfuscation technique breaks the correlation between byte code and semantically meaningful source code constructs. This degrades the results of decompilation, this preventing recovery of Java source code and protecting applications against reverse engineering. Many low-cost obfuscators rely on select tactics to break popular decompilers. In contrast, GuardIT for Java leverages language-level properties to implement reliable, long-lived protection that is not hostage to an arms race between a protection solution and decompiler enhancements.
  
• String Encryption and Variable Renaming. These commonly used techniques remove semantically meaningful variable names, strings and thus, context, from the code. This provides an additional measure of defense against decompilation and reverse engineering.
  
• Real-time Security Alerts. Arxan’s active protection technology provides real-time security alerts for running applications. This tamper-evidence mechanism reports forensics information to a security incident and event management (SIEM) system when malware invasion, piracy or other forms of tampering are detected. This allows potential breaches to be addressed dynamically and accurately, thereby limiting and/or preventing loss.
  
• Developer-Friendly.  GuardIT for Java directly protects compiled class files. It is integrated with popular development environments including Eclipse, IBM RAD and Ant.  It is also accessible as a command line tool. Protection is easy as ‘point-and-click’ for rapid, hassle-free deployment.
• 100% Verifiable Code. The protected application is pure, fully compliant Java byte code, and remains fully portable.