Obfuscation for dummies
Most people who worry about obfuscation shouldn't. Nobody wants your code :). Byte-code encryption does not work (the JVM has to see the plain class files to load them, so the decryption key ships with the product), so obfuscation only makes reverse engineering slightly more difficult. At the other end of the scale, mobile development pretty much mandates obfuscation: files need to be as small as possible.
Obfuscation Tools
- ProGuard: shrinker and obfuscator with JME support. Comes with a wizard, pretty straightforward
- JMangle
- RetroGuard: shrinker and obfuscator for JME applications
- yGuard
Practical notes
- Any classes or methods that are accessed via reflection need to be excluded from obfuscation (renaming)
- Properly obfuscating Swing applications is very difficult due to the dynamic nature of the Swing components
- Expect to spend several iterations of full regression sweeps to validate the obfuscated product
- If you are adding obfuscation late in the development cycle, expect to produce parallel builds (obfuscated and non-obfuscated) so that QA can reproduce bugs. One big problem with debugging obfuscated code is that you will not get a meaningful stack trace
- Obfuscation (with shrinking) will drastically reduce your jar size and your memory footprint
- Good luck patching an obfuscated application in the field. You will probably have to redeliver a new jar instead of just the updated classes
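As an added example (not from the post, and not a configuration any of the listed projects ships), here is a ProGuard configuration for a hypothetical application rooted at com.example that addresses the notes above: the entry point and everything reached by name through reflection is kept, and enough debug information is retained to map a field stack trace back to real names. The paths and package names are assumptions.

```proguard
# Added example configuration for a hypothetical com.example application.
-injars      build/app.jar
-outjars     build/app-obf.jar
# Runtime library location for Java 8 and earlier.
-libraryjars <java.home>/lib/rt.jar

# The entry point must keep its name or nothing can start it.
-keep public class com.example.Main {
    public static void main(java.lang.String[]);
}

# Anything looked up by name at runtime must not be renamed: bean-style
# accessors found by introspection or by an IoC container's configuration.
-keep class com.example.beans.** {
    void set*(***);
    boolean is*();
    *** get*();
}

# Serialization also resolves members by name.
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}

# Generic signatures and annotations are read reflectively by frameworks too.
-keepattributes Signature,*Annotation*

# Keep line numbers so a crash in the field yields a trace you can map back.
# The mapping file is what turns "a.a.a(SourceFile:32)" into a real location,
# so archive it with every build you ship.
-keepattributes SourceFile,LineNumberTable
-renamesourcefileattribute SourceFile
-printmapping build/mapping.txt
```

For the parallel non-obfuscated build that QA uses, the same file can be reused with `-dontobfuscate` added, so shrinking stays identical between the two builds and only the renaming differs.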
Issues
- Dynamic techniques like Bean introspection, external IoC configuration and, in general, reflection break with obfuscation: anything looked up by name at runtime must be excluded from renaming
- Security by obscurity never works
- Obfuscation doesn't work very well: a decompiler still produces readable code, just with meaningless names
- Recovering the original stack traces from exceptions becomes difficult unless you keep the mapping file from every obfuscated build you ship
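To show what the mapping file buys you, here is an added example (not from the post, and not ProGuard's own retrace tool) that reads a ProGuard-style mapping file and rewrites an obfuscated stack trace into original class, method and line names. The mapping and the trace are constructed samples; the assumption that a class lives in a source file named after its outermost class is marked in the code.

```python
"""Map an obfuscated Java stack trace back to original names using a
ProGuard-style mapping file (the output of -printmapping).

Added example; a small re-implementation of the idea behind ProGuard's
retrace tool, not the tool itself."""
import re

# Constructed sample of what -printmapping writes; not from a real build.
MAPPING = """\
com.example.billing.Invoice -> a.a:
    java.lang.String customer -> a
    30:34:void total() -> a
    40:40:java.lang.String describe() -> b
com.example.billing.Ledger -> a.b:
    1:9:void post(com.example.billing.Invoice):12:20 -> a
"""

# Constructed obfuscated trace, as printed when SourceFile/LineNumberTable
# are kept and the source file attribute is renamed to "SourceFile".
TRACE = """\
java.lang.IllegalStateException: negative total
\tat a.a.a(SourceFile:32)
\tat a.b.a(SourceFile:4)
\tat a.a.b(Unknown Source)
"""

CLASS_RE = re.compile(r'^(\S+) -> (\S+):$')
# "[start:end:]type name[(args)][:origStart:origEnd] -> obfName"
MEMBER_RE = re.compile(
    r'^\s+(?:(\d+):(\d+):)?(\S+) ([^\s(]+)(?:\((.*?)\))?(?::(\d+):(\d+))? -> (\S+)$')
FRAME_RE = re.compile(r'^(\s*at )([\w$.]+)\.([\w$<>]+)\(([^:)]+)(?::(\d+))?\)$')


def parse_mapping(text):
    """Return (obf_class -> orig_class, (obf_class, obf_method) -> entries)."""
    classes, methods, current = {}, {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(2)] = m.group(1)
            current = m.group(2)
            continue
        m = MEMBER_RE.match(line)
        if not m or current is None or m.group(5) is None:
            continue  # fields have no parameter list; skip them
        start, end, _ret, name, _args, ostart, _oend, obf = m.groups()
        methods.setdefault((current, obf), []).append({
            'name': name,
            'start': int(start) if start else None,
            'end': int(end) if end else None,
            # ':origStart:origEnd' is only written when lines were renumbered
            'orig_start': int(ostart) if ostart else (int(start) if start else None),
        })
    return classes, methods


def retrace_frame(line, classes, methods):
    """Rewrite one 'at a.b.c(SourceFile:12)' frame; other lines pass through."""
    m = FRAME_RE.match(line)
    if not m or m.group(2) not in classes:
        return line  # not a frame, or a class that was never obfuscated (JDK)
    prefix, obf_class, obf_method, src, lineno = m.groups()
    orig_class = classes[obf_class]
    lineno = int(lineno) if lineno else None
    candidates = methods.get((obf_class, obf_method), [])
    if lineno is not None:
        in_range = [c for c in candidates
                    if c['start'] is None or c['start'] <= lineno <= c['end']]
        candidates = in_range or candidates
    names = list(dict.fromkeys(c['name'] for c in candidates))
    orig_lineno = lineno
    if len(candidates) == 1 and lineno is not None and candidates[0]['start'] is not None:
        c = candidates[0]
        orig_lineno = c['orig_start'] + (lineno - c['start'])
    method = '|'.join(names) if names else obf_method  # '|' marks an ambiguous frame
    if src == 'SourceFile':
        # Assumption: the class is declared in a file named after its outer class.
        src = orig_class.rsplit('.', 1)[-1].split('$')[0] + '.java'
    where = f'{src}:{orig_lineno}' if orig_lineno is not None else src
    return f'{prefix}{orig_class}.{method}({where})'


def retrace(trace, mapping_text):
    classes, methods = parse_mapping(mapping_text)
    return '\n'.join(retrace_frame(l, classes, methods) for l in trace.splitlines())


if __name__ == '__main__':
    print(retrace(TRACE, MAPPING))
```

The second sample frame shows the case where the obfuscator renumbered lines (`1:9:...:12:20`): line 4 in the shipped jar is line 15 in the source, which is exactly the arithmetic you lose if the mapping file from that build was not archived.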
Conclusions
- Obfuscation is not the ultimate solution, but if the client feels better when the code is obfuscated then we will have to do it
- You are screwed if you use reflection
Decompilers
JAD, the Java Decompiler.
Labels: java