Security for Android Java Mobile Applications

Java offers an efficient framework for developing and deploying enterprise and server or client-side applications. However, Java bytecode being an interpreted language, contains highly detailed metadata and debugging information which is susceptible to tampering, reverse-engineering and piracy. Free decompilers can easily decompile Java applications into near-original source code, creating a number of vulnerabilities.

Types of Applications that Require Protection Include:

  • Java Mobile and Desktop Applications – Distributed applications that are written in Java are susceptible to static and dynamic analysis attacks. These applications suffer from the same inherent reverse engineering issues as mobile and desktop applications written in other languages except bytecode is even easier to decompile.

Examples of Java Vulnerabilities include:

  • Reverse Engineering: Attackers can reverse engineer a bytecode file and decompile the code after it’s downloaded to the client. This enables IP theft as well as reverse engineering of security routines or other critical routines that can be found and exploited
  • Bypass critical routines: Attackers can patch thick client binaries to bypass authentication logic or exploit restricted functionality contained in your client code. This enables attacks on your server
  • Key and credential theft: Often secret keys or authentication credentials are hardcoded into components. These are quite simple to identify, and can then be abused to launch attacks on your server
  • Easy decompilation: As an interpreted language, Java is very easy to decompile. A number of free and low-cost decompilers are widely available and automatically process bytecode to produce amazingly readable source code. Hackers can quickly decompile your bytecode, modify it to implement hacks or create counterfeits, and recompile – resulting in a hacked version of your original application

Download the free White Paper: Choosing the Right Android Java Application Protection Solution

Arxan’s Solution for Java Mobile Applications

Arxan’s GuardIT® protects critical functions of an application by combining advanced encryption and obfuscation with Guards® that are manipulating the bytecode. GuardIT®  for Java is based on patented technology that features various advanced obfuscation techniques. The creation of customized GuardSpec guides the insertion of various layers of protection for your Intellectual Property

In today’s threat environment enterprises need resilient protection of their Java application layer in order to:

  • Protect the R&D investment made in their Java software assets
  • Enhance conformance with security regulations, and
  • Minimize costly application breaches, unauthorized access and malware invasions.

Core Features

Many Java obfuscation solutions largely rely on string encryption and variable renaming to prevent comprehensive disassembly of code. However, given the current sophisticated attack landscape, such superficial measures are easily circumvented; giving rise to the myth that Java cannot be secured.

  • Control Flow Obfuscation. This advanced obfuscation technique breaks the correlation between byte code and semantically meaningful source code constructs. This degrades the results of decompilation, this preventing recovery of Java source code and protecting applications against reverse engineering. Many low-cost obfuscators rely on select tactics to break popular decompilers. In contrast, GuardIT for Java leverages language-level properties to implement reliable, long-lived protection that is not hostage to an arms race between a protection solution and decompiler enhancements.
  • String Encryption and Variable Renaming. These commonly used techniques remove semantically meaningful variable names, strings and thus, context, from the code. This provides an additional measure of defense against decompilation and reverse engineering.
  • Developer-Friendly. GuardIT for Java directly protects compiled class files. It is integrated with popular development environments including Eclipse, IBM RAD and Ant. It is also accessible as a command line tool. Protection is easy as ‘point-and-click’ for rapid, hassle-free deployment.
  • 100% Verifiable Code. The protected application is pure, fully compliant Java byte code, and remains fully portable.

Guards at work to protect Java 24/7:

GuardIT leverages thousands of guard instances, of many types, to comprehensively safeguard your applications against tampering, piracy and any manner of theft. The following table summarizes the types of Guards for Java, and the functions performed by each of them.

The functions performed by each of these Guards is described below: 

Class of DefenseGuard TypeFunction
DEFENDObfuscationTransforms programs into code that’s difficult to disassemble and understand, but has the same functionality as the original
RenamingRenames the symbols in the protected application to nonsense strings
String EncryptionEncrypts string literals and decryption at run-time
Debug InfoStrips debug info from the final, protected binary
Class EncryptionEncrypts input class files at protection time and restores them to their pre-encrypted state at runtime before they are loaded
Call HidingUses Java reflection to hide method calls
Resource EncryptionEncrypts user‐identified resources in the Android APK
DETECTDebugger DetectionDetects whether a program has been executing in a debugging environment
ChecksumDetects whether a program has been modified by computing a checksum within a specified range
Resource VerificationVerifies resource files or shared library in the APK, at run-time, have not been altered or tampered
Hook DetectionDetects whether an attacker has overridden a called function that resides in a system library or within the application
Root DetectionDetermines whether the device on which the application is running is rooted


Following exhibit summarizes the process of transforming unprotected application into a protected application using GuardIT® for Java:GuardIT_for_Java_Protection_Process