How can I make IP of my Java/Java EE app more secure?

Question

We have an application (say core application) build using Java/Java EE/Spring batch. This application contains all the business logic and is packaged into a jar file.

Now, we have another web-application built using Spring MVC, Hibernate. This web-application provides a UI to users to configure our core application. This web-application uses a jar of the core-application to perform business-tasks by referring the configuration. Now, we want to distribute these applications as a product to various companies. But as we all know, jars/wars can be decompiled.

Hence, what can we do to save our IP?

Currently we are trying DashO (java obfuscator from Preempitve). Even after obfuscating, one can read the code using a decompiler. Even-though, the code is much more complex to read, business logic can be read.

What are the best practises to secure our IP? What are the various methods to make our application more secure?

EDIT : Please note that we have to distribute a WAR to our clients, which is the main cause of worry.

Answer 1

Are you trying to protect your server-side logic, or the client side logic, or both?

If it's the first, you're already done, because you can't decompile a file you don't have access to.

If it's the second, you're pretty much out of luck. Move sensitive logic from the client to the server, make the client simply a middleman who delivers user input and formats the server output in a pretty UI. That way you won't care if someone sees your boring web service client.

Answer 2

Below are some of the ways you can secure your code.

1. Use of Complex Obfuscators Go through this:

[Complex Obfuscator Tools][1]

There are similar tools which does much more than just java code mangling.

1. Secure your network using SSL. Make the entire network path encrypted.

2. Use of Certificate Management enhances security and prevents unauthorized users from accessing your source code illegally.

Let me know if you have any clarifications on the above.

Thanks.

Answer 3

Can you make parts of the app download from the web? So war starts up, downloads futher modules from your server and then uses them. Also, would make sure download modules were not stored on disk anywhere.

Or how about if you build an API, and move important IP into the API?

Or how about moving parts of the code into native code?

Answer 4

Obviscation is not security. As my security buddy calls it, its "Security through Obscurity".

My short answer is that you should design your application(s) from the start with security in mind. The long answer is that YOU need to secure your communications. For instance, you could require some sort of unique public/private key in order to access your web service, and make all your web services HTTPS so that hackers can't snoop through your packets as easily and pick out the protocols. We could call it a "license key". But, as everyone who knows anything about security will tell you, there really isn't any full-prof method, only ones that make it harder.

I had a buddy that used to write Java Applet games that struggled with this. When he obviscated his code, thinking it would stop hackers from sending bogus scores, he found they just started de-compiling the code and calling the JARs directly. Eventually, he re-wrote his entire score tracking system to be more "intelegent" such that it would know that you can't just score 10000000 points at once. Instead, the client had to send regular score updates, and the server had baked-in rules that prevented the scores from growing too fast.

Anyway, thats my $0.02 worth.