Welcome to the Java Programming Forums


The professional, friendly Java community. 21,500 members and growing!


The Java Programming Forums are a community of Java programmers from all around the World. Our members have a wide range of skills and they all have one thing in common: A passion to learn and code Java. We invite beginner Java programmers right through to Java professionals to post here and share your knowledge. Become a part of the community, help others, expand your knowledge of Java and enjoy talking with like minded people. Registration is quick and best of all free. We look forward to meeting you.


>> REGISTER NOW TO START POSTING


Members have full access to the forums. Advertisements are removed for registered users.

Page 1 of 2 12 LastLast
Results 1 to 25 of 33

Thread: Secure Java Files

  1. #1
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Question Secure Java Files

    Dear Java Programmers,

    My friend has a youtube channel with 50.000 - 100.000 subscribers. I dont know the exact amount but he asked me to make a program for his subscribers. I made it in Java and it works perfectly fine but now i want to make it secure so people can't decompile it and read/change the code. Because ofcourse he also has viewers who can hack programs.

    But i dont know how i can do that. I dont want to make the code hard to read. I already heard about program which adds lines of code without doing anything actually and programs making the code a lot more complicated. But thats not what i want, i want to make the Class files undecompilable so people cant decompile it to Java files again and read the code.

    I know this is possible, Runescape for example is written in Java too and secured good enough in my opinion. I know there are fake Runescape games called private servers or something like that. But its not easy as downloading the game, decompiling it, connecting it to another server and you're done. A little kid can do that but i think its even possible that people just programmed Runescape again from scratch.

    So i want to make my program very hard to decompile or even impossible, i want it as impossible as possible. Does anyone know how i can do that?

    Thanks for ur help in advance,
    Resantic

  2. The Following User Says Thank You to Resantic For This Useful Post:

    codingninja (October 8th, 2014)


  3. #2
    Super Moderator
    Join Date
    Jun 2013
    Location
    So. Maryland, USA
    Posts
    5,520
    My Mood
    Mellow
    Thanks
    215
    Thanked 698 Times in 680 Posts

    Default Re: Secure Java Files

    Welcome to the forum! Please read this topic to learn how to post code in code or highlight tags and other useful info for new members.

  4. #3
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Secure Java Files

    Research: obfuscation for one technique.

    How do clients execute your code? Where are the class files loaded from? Is there a server involved for each load of a class?
    If you don't understand my answer, don't ignore it, ask a question.

  5. #4
    Senior Member
    Join Date
    Jul 2013
    Location
    Europe
    Posts
    666
    Thanks
    0
    Thanked 121 Times in 105 Posts

    Default Re: Secure Java Files

    Quote Originally Posted by Resantic View Post
    But i dont know how i can do that. I dont want to make the code hard to read. I already heard about program which adds lines of code without doing anything actually and programs making the code a lot more complicated. But thats not what i want, i want to make the Class files undecompilable so people cant decompile it to Java files again and read the code.

    I know this is possible
    No its actually not.
    Java is an interpreted language and ALL interpreted language are, by design, not safe against reverse engineering. Because the code that your computer reads to run the program can also be read by a human.

    The only way to secure a program written in an interpreted language is to make the code hard to read for humans which is obfuscation, it is what you have already described yourself and what you said you didnt want to use.

    Alternatively you could simply use a compiled language. Compiled code can be read by computers but is very difficult to read for humans. There are tools out there that can translate java code to C code, this could be another way of protecting your software.

  6. #5
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Re: Secure Java Files

    First of all it is impossible to translate Java code in to whatever other code because java has things which C or C++ dont have.

    Of course human can read compiled code like a computer does but there must be a way someone can make a program without being annoyed by hackers. Even if its impossible to make it 100% safe. I dont want to use C languages or any other language i just want to use Java. And making it harder to read doesnt help at all in my opinion. I just dont want people to decompile my files because it uses databases for example and if someone decompiles it they can see my database password and change everything they want or delete data from the databases.

    Also if people decompile my program they can change the if statement which checks if the password the user entered matches the one in the database and put instead an if statement which lets you log in if you typed in as password 1234.

    What is the best way to fix that in Java?
    Last edited by Resantic; October 4th, 2014 at 04:29 PM.

  7. #6
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Secure Java Files

    If you give the java code to someone, they can decompile it. If you keep the java code on a server, away from everyone, then they won't be able to decompile it.
    Can you change the app so parts of it remain on a server?
    If you don't understand my answer, don't ignore it, ask a question.

  8. #7
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Re: Secure Java Files

    I can but i dont understand how i can secure it. Because like if i put the code that verifies the password on the server side i still have to call it from the client side. How can i let the server tell the client ok the password is right let the user proceed or no, the password is wrong?

  9. #8
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Secure Java Files

    You can make it harder, but someone can always get by your security if there are class files on the client.
    Don't put any classes on the client's disk that can be useful when decompiled.
    A suggestion would be to use a custom classloader to retrieve class files from the server after the user has logged in.
    If you don't understand my answer, don't ignore it, ask a question.

  10. #9
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Question Safety Java

    Dear Java Programmers,

    I had some security problems in java a few times and i couldnt find a way to fix my problem. So i want to know now if its smart to make a program that needs security in java. I want to try to make a game and it will use login stuff and databases etc. Is java a good language to use in that case if you look at the security? Because java can be decompiled easily and deobfuscated too.

    I prefer Java because its hard to learn C/C++. The language itself isnt hard in my opinion but i like Java more and there arent many good tutorials on C but a lot of good tutorials about Java.

  11. #10
    Senior Member
    Join Date
    Jul 2013
    Location
    Europe
    Posts
    666
    Thanks
    0
    Thanked 121 Times in 105 Posts

    Default Re: Secure Java Files

    Quote Originally Posted by Resantic View Post
    First of all it is impossible to translate Java code in to whatever other code because java has things which C or C++ dont have.
    No its not. Java byte code is an abstract form of machine code. Is rather simple to translate that to actual machine code, the same code that C or C++ programs are compiled to. Of course, once you do that its not a java program anymore and loses all the benefits of being a java program.


    If your application is a web application then the best solution would be what norm said. The client code should be no more but a stupid terminal that does what the server is telling it to do. The server is in your hand and safe, keep everything that is important on the server and you dont have to fear any security breaches.

  12. #11
    Super Moderator
    Join Date
    Jun 2013
    Location
    So. Maryland, USA
    Posts
    5,520
    My Mood
    Mellow
    Thanks
    215
    Thanked 698 Times in 680 Posts

    Default Re: Secure Java Files

    Threads merged.

    Please do not start multiple threads on the same topic. I'm sorry you don't like the answers that you've gotten so far, but they won't change by starting a new thread.

  13. #12
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Re: Secure Java Files

    U guys dont understand what im saying so i will explain it again. It will not be on a website it will be a PROGRAM which runs on the computer of the CLIENT. I have a game with 2 functions, 1 called update or tick and 1 called render. 1 updates the game and 1 shows the game. The update method is allowed to update for a maximum of 60 times per second so on faster computers that can handle 1000 updates per second you will not run or attack faster. But the client can decompile the class file and change the maximum from 60 to 100 for example. I CANNOT handle the updates for every player on the server and even if i do that, the client can change the code and instead of telling the server that the client moved 1 step to the left tell the server the client moved 2 steps to the left. How can i fix that?

    And i cant even secure logging in, people can change the client's code and make it so you can login on everyones account that CANNOT be on te server!

    Is it even possible to make a game and (mostly) prevent hacking.

  14. #13
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Secure Java Files

    Is it even possible to make a game and (mostly) prevent hacking.
    Not in java.

    But the client can decompile the class file
    Not easily if it is loaded from the server and not on the client's disk.
    If you don't understand my answer, don't ignore it, ask a question.

  15. #14
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Re: Secure Java Files

    Mods are so active.. Always have to follow the rules lol. But u tell me that i dont even have to try make a game in java because its impossible to prevent hacks. Can u explain to me how runescape became successfull? It is written in java but not easy to hack.

  16. #15
    Senior Member
    Join Date
    Jul 2013
    Location
    Europe
    Posts
    666
    Thanks
    0
    Thanked 121 Times in 105 Posts

    Default Re: Secure Java Files

    Quote Originally Posted by Resantic View Post
    U guys dont understand what im saying so i will explain it again. It will not be on a website it will be a PROGRAM which runs on the computer of the CLIENT. I have a game with 2 functions, 1 called update or tick and 1 called render. 1 updates the game and 1 shows the game. The update method is allowed to update for a maximum of 60 times per second so on faster computers that can handle 1000 updates per second you will not run or attack faster. But the client can decompile the class file and change the maximum from 60 to 100 for example. I CANNOT handle the updates for every player on the server and even if i do that, the client can change the code and instead of telling the server that the client moved 1 step to the left tell the server the client moved 2 steps to the left. How can i fix that?

    And i cant even secure logging in, people can change the client's code and make it so you can login on everyones account that CANNOT be on te server!

    Is it even possible to make a game and (mostly) prevent hacking.
    Of course it is, but its complicated and you dont seem to have yet reached the level necessary to program an application like that.
    You have to put in a huge effort to separate what the client and what the server can do.

    The easiest way is to have the server do everything. If your server is not strong enough for that and performance is an issue then you have to find ways around that.
    You could have the server make checks periodically at random and kick players who are caught cheating. This way you can cut down on the workload for the server dynamically. The less players are playing the more often can you check for hackers. Its not a perfect system but if you lack the equipment for better security then there is not much you can do.

  17. #16
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Secure Java Files

    its impossible to prevent hacks.
    Pretty much true. But you can elevate the skill level required for a hack.
    If you don't understand my answer, don't ignore it, ask a question.

  18. #17
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Re: Secure Java Files

    I can learn anything. People who made very successfull games didnt learn that in a few minutes too, it was always my dream to have my own game, but i dont know where to start. I can make the game itself but the server cant handle updates because the client needs to tell the server to update the server cant know by itself. And i never worked with servers before only with clients.

    --- Update ---

    Norm ur being too complicated, everything can be hacked and i understand that but you can make it very hard to hack so it doesnt happen often. But i am very bad at security and i want to learn that i know how to make the game itself even if its not an amazing game i just want to learn security now and later put everything i know together and make a game.

  19. #18
    Senior Member
    Join Date
    Jul 2013
    Location
    Europe
    Posts
    666
    Thanks
    0
    Thanked 121 Times in 105 Posts

    Default Re: Secure Java Files

    Then you have a dangerous design thats susceptible to hacks by nature.
    It must be the server that is dictating the flow of the game, if the clients have any power you are ALWAYS at danger. People can hack anything if they have enough time and motivation, but only if they actually have access to the code. People do not have access to your server, so if you put things on your server you are save.

    It would probably be a lot of work but as it sounds to me you need to re-write large parts of your program to take security into consideration.

  20. #19
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Re: Secure Java Files

    Cornix's comment was very useful, atleast if its true. Is the only way to make a game secure to remove all the power from the client and let everything be verified by the server before doing it?

    And if i make the game in C or C++ or any compiled language, do i have to take all the power from the client too and use a server? Or is that for Java only?
    Last edited by Resantic; October 4th, 2014 at 06:23 PM.

  21. #20
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Secure Java Files

    The client could load the class file from the server after vetting so it won't be on the client where it could be decompiled. Of course a programmer could write code to intercept the downloading and change the contents of the class file before it was executed. That takes more skill then a simple decompile.
    If you don't understand my answer, don't ignore it, ask a question.

  22. #21
    Senior Member
    Join Date
    Jul 2013
    Location
    Europe
    Posts
    666
    Thanks
    0
    Thanked 121 Times in 105 Posts

    Default Re: Secure Java Files

    Here, I made a diagram for you:
    ServerClientModel.jpg

    The idea is that both the server and the client have their own game state. The client only updates its game state after the server told it to do so. The server only updates its game state after the client has send a valid input. The server is the one in charge, selecting which input is valid and which is not.


    If you want your clients to only be able to move a certain distance within a certain duration all you need is a timer on your server and a counter to remember how far the client has moved recently. If the client has already moved too far the input is invalid and either the client code has errors or somebody was trying to hack.

    Please note that this design is not the best when it comes to performance, but its absolutely save (as long as your server is not compromised). Security and performance are mutually exclusive. Any security features you implement will cost you in performance and memory usage. You have to decide how important security is to you and whether you want to skip certain validation checks.


    Edit: And the diagram is not readable, great. Try this link:

  23. The Following User Says Thank You to Cornix For This Useful Post:

    GregBrannon (October 5th, 2014)

  24. #22
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Re: Secure Java Files

    Thanks for replying everyone,

    I just want to tell u guys what i learned from this and tell me if its true or not so i know if i understanded what u said right. So the client has to do something and send it to the server, the server has to check if the input is valid and its not hacked, but some things i dont have to check like moving because if there are enough moderators they can ban him/her if they see anyone using speed hacks. And also other players can report. So some things i can fix without decreasing my performance because traveling faster is not that big problem, only stuff that is really important should be checked.

    One last question: is it a good idea to do what i said above AND load the class files from the server for extra security? Or does that drop the performance a lot?

  25. #23
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Secure Java Files

    Loading the class files from the server would only be done one time when the program started.
    If you don't understand my answer, don't ignore it, ask a question.

  26. #24
    Senior Member
    Join Date
    Jul 2013
    Location
    Europe
    Posts
    666
    Thanks
    0
    Thanked 121 Times in 105 Posts

    Default Re: Secure Java Files

    The thing with security is, there is no right or wrong. Doing more for security might be good or it might be too much. We can not tell for sure.
    If security is very important you can do as much for security as possible. If you dont care that much actually you can drop it.


    But I guess loading files later will not hinder security all that much, as Norm said its a one time effort and the classes would need to be loaded anyways. Of course this also depends on how big your classes are. If the clients have to download 5 gb of information it is a no-go. If its only a few kb then why not?

  27. #25
    Junior Member
    Join Date
    Oct 2014
    Posts
    16
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Question Multiplayer Support

    Hey Java Programmers,

    I have 0 knowledge of networking and i want to learn that. I have a program with 20 by 20 tiles now but i can make it bigger. And there is also a player, u can move it with WASD keys or the arrow keys. Now i want to put a server and database in the program.

    What i want to do is:
    1. Connect multiple clients to a server and let it be a multiplayer game so u see other people moving around.
    2. Let the server handle the moving instead of the client to avoid hacking/making it harder.
    3. Save the X and Y coördinates for the player so the next time he/she logs in the player will be on the last X and Y as when he or she logged out.

    What is the best and most secure way to do this? Also if i save the X and Y every second in a database it will decrease the performance more than if i do it every 3 seconds, so what is the best way to fix that? Also how can i let the server handle moving because i know a lot of games can be hacked and increase the speed just with a simple program called Cheat Engine and making the program run faster or something like that. That doesnt need any hacking knowledge and a little kid can do it, How can i avoid that?

    Thanks in advance,
    Resantic

Page 1 of 2 12 LastLast

Similar Threads

  1. Secure web page content
    By arunkumar.n in forum Web Frameworks
    Replies: 5
    Last Post: January 5th, 2014, 01:52 AM
  2. Replies: 1
    Last Post: October 7th, 2013, 11:36 AM
  3. Java ClassLoader: How to make it secure and stable
    By GavinL in forum Java Theory & Questions
    Replies: 0
    Last Post: November 2nd, 2011, 05:15 AM