Encrypted Class Files
By Greg Travis
Most people are concerned about the user's privacy on the Web, but what about the developer's privacy? With traditional languages like C or C++, it's easy to protect your source code: just don't distribute it.
Unfortunately, code written in Java is particularly easy to "borrow." With a decompiler, anyone can look inside your code and use it for their own purposes. Fortunately, the very flexibility that makes Java easy to steal also makes it relatively easy to protect using encryption.
All it takes is an understanding of Java's ClassLoader object. Of course, if you're going to work with encryption, you should learn about the Java Cryptography Extension (JCE) as well.
Why Encrypt?
There are ways to obscure class files so that decompilers have trouble processing them. It isn't hard to fix a decompiler so that it can process these tainted class files, however. You can't simply rely on security through obscurity.
Of course, you could encrypt your application using a popular encryption tool such as Pretty Good Privacy (PGP) or GNU Privacy Guard (GPG). End users would have to decrypt it before they can run it. Once they do, they then have a decrypted copy of your class files, and you're no better off than before.
Fortunately, Java provides a mechanism for loading (and potentially modifying) bytecode at runtime. Each class file that the JVM loads requires an object called a ClassLoader, which is responsible for loading the new class into a running JVM.
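The mechanism described above, sketched as an added example (not code from the original article): a ClassLoader subclass that decrypts bytecode in memory with the JCE and passes it to defineClass, so no decrypted class file is written to disk. The names DecryptingClassLoader and Secret, the AES-GCM cipher, the IV-plus-ciphertext blob layout and the key generated inside the demo are all assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Map;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
public class DecryptingLoaderDemo {
    public static class Secret { // constructed sample: stands in for a class shipped encrypted
        @Override public String toString() { return "loaded from encrypted bytes"; }
    }
    // Hypothetical loader: decrypts bytecode in memory and hands it to the JVM.
    static class DecryptingClassLoader extends ClassLoader {
        private final SecretKey key;
        private final Map<String, byte[]> blobs; // class name -> IV (12 bytes) || ciphertext+tag
        DecryptingClassLoader(SecretKey key, Map<String, byte[]> blobs) {
            super(null); // bootstrap parent only: the plaintext classpath copy is never consulted
            this.key = key;
            this.blobs = blobs;
        }
        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            byte[] blob = blobs.get(name);
            if (blob == null) throw new ClassNotFoundException(name);
            try {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
                byte[] code = c.doFinal(blob, 12, blob.length - 12); // throws if the blob was altered
                return defineClass(name, code, 0, code.length);
            } catch (GeneralSecurityException e) { throw new ClassNotFoundException(name, e); }
        }
    }
    // Build-time step (assumed): IV || AES-GCM ciphertext of the compiled class file.
    static byte[] encrypt(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }
    public static void main(String[] args) throws Exception {
        String name = Secret.class.getName();
        try (InputStream in = Secret.class.getResourceAsStream("/" + name.replace('.', '/') + ".class")) {
            SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // demo key, generated in-process
            Map<String, byte[]> blobs = Map.of(name, encrypt(key, in.readAllBytes()));
            Class<?> c = new DecryptingClassLoader(key, blobs).loadClass(name);
            System.out.println(c.getDeclaredConstructor().newInstance() + " / same class as classpath copy: " + (c == Secret.class));
        }
    }
}
```

The key has to be present in the running JVM for findClass to decrypt anything, so where that key is stored and how it reaches the process bounds the protection this scheme provides.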