How does it work?
ClassGuard is a tool to prevent Java decompiling and for licensing Java applications.
The Java class files are encrypted using a 128Bit AES encryption. The AES key is generated randomly every time you start the encryption tool. The decryption is done transparently by a custom class loader. The main part of this class loader is written in C to prevent decompiling and other tampering.
The current version additionally contains a license manager. The main part of the license manager is also written in C. Java class files are only decrypted if a valid license is found.
How does Tomcat and Jboss support work?
As of Version 1.5, ClassGuard supports Tomcat containers.
To use ClassGuard in combination with tomcat, you have to configure your web application for using the ClassGuard tomcat class loader. This can be set in the context of the web application.
Support for other J2EE containers may be implemented on request, please ask.
Is there a way of encrypting additional resources?
Since version 2.0, the encryption of addtional resources (e.g. property files or images) is possible in a transparent way. Encrypted resources may be loaded by getResource() or getResourceAsStream().
How secure is it really?
There is no way of cracking the used 128Bit AES encryption. As the main part of ClassGuard is written in C, the key can't be extracted using a Java decompiler. However, it is possible to extract single class files from
memory using a debugger on the assembler level. The effort necessary for this is increasing with
the number of encrypted classes in your application. So ClassGuard is not absolutely secure, but
puts security on a level comparable to software written in a native language.
Some experts state, it would be possible to crack byte code encryption by hacking some class
files of the Java language itsself, e.g. defineClass() in java.lang.ClassLoader. Bytecode encrypted
by ClassGuard is passed through to the virtual machine on the native level. The bytecode never
appears in any Java class. At the moment, no successful attempt on attacking real world applications is known.
What platforms are supported?
The current version 4 supports Sun/Oracle Java 5, 6 and 7 for Windows and Linux on i386 and x86-64. On OSX, Apple Java 6 is supported on all Intel based platforms. The release planning for platforms is based on demand, more platforms may be available on request. Virtual machines besides Oracle Java may work, but are not supported.
When I debug my encrypted project, I get a java.lang.NoClassDefFoundError
Currently, there are three ways to implement a Java debugger or profiler:
- java.lang.instrument (-javaagent)
- jvmti (-agentlib/-agentpath)
- jvmpi (-Xrun)
It is possible to get Java bytecode by all of these ways. Therefor ClassGuard detects Java debuggers and refuses to decrypt any classes in case of any running debugger.
Can I combine ClassGuard and Code Obfuscation?
As ClassGuard works on the binary level of class files, it does not iterfere with Java code obfuscation tools.
How can I check if my class encryption tool works reliably?
You may use our debugging agent to test your code encryption tool. Download JSecurityAgent.jar and run your application with the additional parameter -javaagent:JSecurityAgent.jar. The bytecode agent displays all classes of which it can get the bytecode. If you see a line like
BytecodeAgent: Got bytecode of my/encrypted/class
your tool is vulnerable.