Java offers an efficient framework for developing and deploying enterprise and server or client-side applications. However, Java bytecode being an interpreted language, contains highly detailed metadata and debugging information which is susceptible to tampering, reverse-engineering and piracy. Free decompilers can easily decompile Java applications into near-original source code, creating a number of vulnerabilities.
Types of Applications that Require Protection Include:
- Java Mobile and Desktop Applications – Distributed applications that are written in Java are susceptible to static and dynamic analysis attacks. These applications suffer from the same inherent reverse engineering issues as mobile and desktop applications written in other languages except bytecode is even easier to decompile.
- Web Applications with server side business logic – Thin client based web applications where logic in the Web/Business/System tier is susceptible to theft, malware insertion, unauthorized access to authentication credentials and keys.
Examples of Java Vulnerabilities include:
- Reverse Engineering: Attackers can reverse engineer a bytecode file and decompile the code after it’s downloaded to the client. This enables IP theft as well as reverse engineering of security routines or other critical routines that can be found and exploited
- Bypass critical routines: Attackers can patch thick client binaries to bypass authentication logic or exploit restricted functionality contained in your client code. This enables attacks on your server
- Key and credential theft: Often secret keys or authentication credentials are hardcoded into components. These are quite simple to identify, and can then be abused to launch attacks on your server
- Easy decompilation: As an interpreted language, Java is very easy to decompile. A number of free and low-cost decompilers are widely available and automatically process bytecode to produce amazingly readable source code. Hackers can quickly decompile your bytecode, modify it to implement hacks or create counterfeits, and recompile – resulting in a hacked version of your original application
Arxan’s Solution for Java Mobile Applications
Arxan’s GuardIT® protects critical functions of an application by combining advanced encryption and obfuscation with Guards® that are manipulating the bytecode. GuardIT® for Java is based on patented technology that features various advanced obfuscation techniques. The creation of customized GuardSpec guides the insertion of various layers of protection for your Intellectual Property
In today’s threat environment enterprises need resilient protection of their Java application layer in order to:
- Protect the R&D investment made in their Java software assets
- Enhance conformance with security regulations, and
- Minimize costly application breaches, unauthorized access and malware invasions.
Many Java obfuscation solutions largely rely on string encryption and variable renaming to prevent comprehensive disassembly of code. However, given the current sophisticated attack landscape, such superficial measures are easily circumvented; giving rise to the myth that Java cannot be secured.
- Control Flow Obfuscation. This advanced obfuscation technique breaks the correlation between byte code and semantically meaningful source code constructs. This degrades the results of decompilation, this preventing recovery of Java source code and protecting applications against reverse engineering. Many low-cost obfuscators rely on select tactics to break popular decompilers. In contrast, GuardIT for Java leverages language-level properties to implement reliable, long-lived protection that is not hostage to an arms race between a protection solution and decompiler enhancements.
- String Encryption and Variable Renaming. These commonly used techniques remove semantically meaningful variable names, strings and thus, context, from the code. This provides an additional measure of defense against decompilation and reverse engineering.
- Developer-Friendly. GuardIT for Java directly protects compiled class files. It is integrated with popular development environments including Eclipse, IBM RAD and Ant. It is also accessible as a command line tool. Protection is easy as ‘point-and-click’ for rapid, hassle-free deployment.
- 100% Verifiable Code. The protected application is pure, fully compliant Java byte code, and remains fully portable.
Guards at work to protect Java 24/7:
GuardIT leverages thousands of guard instances, of many types, to comprehensively safeguard your applications against tampering, piracy and any manner of theft. The following table summarizes the types of Guards for Java, and the functions performed by each of them.
The functions performed by each of these Guards is described below:
|Class of Defense||Guard Type||Function|
|DEFEND||Obfuscation||Transforms programs into code that’s difficult to disassemble and understand, but has the same functionality as the original|
|Renaming||Renames the symbols in the protected application to nonsense strings|
|String Encryption||Encrypts string literals and decryption at run-time|
|Debug Info||Strips debug info from the final, protected binary|
|Class Encryption||Encrypts input class files at protection time and restores them to their pre-encrypted state at runtime before they are loaded|
|Call Hiding||Uses Java reflection to hide method calls|
|Resource Encryption||Encrypts user‐identified resources in the Android APK|
|DETECT||Debugger Detection||Detects whether a program has been executing in a debugging environment|
|Checksum||Detects whether a program has been modified by computing a checksum within a specified range|
|Resource Verification||Verifies resource files or shared library in the APK, at run-time, have not been altered or tampered|
|Hook Detection||Detects whether an attacker has overridden a called function that resides in a system library or within the application|
|Root Detection||Determines whether the device on which the application is running is rooted|