Introduction
Obfuscation is the process of making a readable code difficult to understand by concealing its purpose. Obfuscated code deters reverse engineering to some extent. Obfuscator is a program that converts readable code into obfuscated code. In this article, we will see about ‘yguard’ which is an Open Source Java obfuscator and shrinking software.
Yguard Obfuscator
yguard requires Java2 SDK 1.4 or above and ANT 1.5 or greater. Yguard integrates with your deployment process (build.xml). You need to add a separate task for obfuscation in your build.xml. The yguard task contains two nested elements that perform the name obfuscation and code shrinking separately:
• The shrink element removes all code elements that are not reachable from the entry points given in the nested keep element.
• The rename element performs name-obfuscation, renaming all packages, classes, methods and fields according to a selectable name-mapping scheme. Elements can be excluded from the renaming process using a nested keep element.
Get Started:
Download yguard and copy the jar file ‘yguard.jar’ into the project directory.
In the above example, it is assumed that the java source files are compiled to a JAR file and that jar is the input. Yguard obfuscates the input jar and creates a new jar.
Shrink & Rename:
The shrink task removes all classes, fields and methods that are not reachable or unused. You can see the number of classes, methods or fields removed from the jar in the log file ‘shrink.log’. The rename task does the actual obfuscation by renaming the classes, methods and fields. The details will be available in rename.xml. Using the nested keep element, you can specify all classes, methods, fields, and attributes that should be excluded from name obfuscation or shrinking. The obfuscation will fail, if yguard detects any problems during the process. The error-checking attribute with value ‘pedantic’ will make the obfuscation fail.
Adjust Element
If the class names are referred in properties/config files, yguard can replace the plain-text class names in the properties files as well via adjust element.
Known Challenges:
• In Java, Obfuscation does not support Reflection API. Simple bean introspection will not work, if you decide to obfuscate your public accessor methods, since it makes use of reflection.
• The customized serialization mechanism will not work if you obfuscated or shrinked the writeObject and readObject methods as well as the serializationUID field.
• If you do not set the -Xmx property for the Java virtual machine, the yguard Ant task might fail due to a java.lang.OutOfMemoryError. Set export ANT_OPTS="-Xmx512M"
Is Obfuscation Important?
Obfuscation does not mean security. Still, some people believe in security through obscurity. You can think of obfuscation, if you are exposing a critical or important logic as a JAR to public. Otherwise, it will just be an extra step in deployment process. Obfuscation can't stop a determined hacker. Yet, it can save your code from newbies. It would still be better to get appropriate license and enforce law through copyrights.
References:
• Yguard download link - ‘http://www.yworks.com/en/products_download.php?file=yguard-2.3.0.1.zip’.
• Java Decompiler download link - http://java.decompiler.free.fr/?q=jdgui
• Yguard documentation html that comes in yguard-2.3.0.1.zip.
