Signing for protecting the JAR from reverse-engineering

Question

I'm thinking how to protect the JAR from reverse-engineering.

(Question 1):

If JAR is signed by signature, is the signature able to protect the JAR? If not, then what is the purpose of signing?

(Question 2):

Android APK can be signed by platform signature, and It is impossible for extracting the platform signature from the APK itself.

From this point of view, I think signature can be used to protect something. But why can we decompile any APK even it is protected by platform signature?

Answer 1

Think about your own signature, that you write with a pen. Does signing a piece of paper make the contents of the paper somehow impossible to read?

No: it simply gives somebody reading the paper an indication that it was written by you (or you agree with its contents, or whatever).

And so it is with signing a jar: all it does is gives people an indication that you (or people you have authorized to use the signature) produced it, in order that nobody else can change the jar contents and present it as "authentic".

Signatures will not help you to stop reverse engineering.

Answer 2

If JAR is signed by signature, is the signature able to protect the JAR? If not, then what is the purpose of signing?

If you sign a contract, does that prevent any of the involved parties from breaking the contract?! Nope, it doe not. The signature is simply something that (theoretically) legally identifies you.

And that is the whole point of signing software: to tell users of the software: "this is my delivery, you can trust it, because I signed it (and nobody else can have changed it)".

Signatures do nothing to protect your content from reverse engineering. They are solely useful for users of your content, as they can be "sure", that they are really using your content, and not something that a third party faked and only claims to be your delivery.

The only kind of protection is to look into obfuscating your JAR file content. There are tools for that (especially on Android). Nonetheless obfuscation for Java isn't exactly perfect. See here for example.

Answer 3

If JAR is signed by signature, is the signature able to protect the JAR? If not, then what is the purpose of signing?

As the others have pointed out, it prevents others from distributing their own copies of your code under your name/brand. For example, suppose you write a calculator and post a signed bytecode on github, then I can't write my own bytecode and claim (without getting caught that its a false one, unless I find the key with which it was signed, which itself is very very ... very unlikely) that it is a copy of your calculator.

But why can we decompile any APK even it is protected by platform signature?

Because, it does not prevent us from decompilation. We can get the source code from such APKs but, we cannot like put our own arbitrary code in its place and makes others believe it is same as yours.

Put in plain terms, a signature is a proof of source and authenticity of a code, nothing more.

Edit:

Why can't we extract the original signature from the APK? Why is it impossible?

Because the signature is a hash, generated using a cryptographic hash function and a key that only you hold (called private key) and a public key, which is freely available. Since that private key is with you and assuming that you used a powerful cryptographic hash function, it will take a lot of time for a person trying to impersonate that key to find that key by directly trying all the hashes possible, which is usually the only possible way unless you have a clever work-around to find the key. The public key is openly available and is used for verification of the authenticity of the signature.

Can we use this mechanism for protecting our JAR?

Depends on what you are trying to protect. If it is impersonation by somebody else, then yes, for sometime, as long as they do not stumble upon the key by some way. As seems for obvious, it is no good against reverse engineering