A Review of Two Java Obfuscators

Java applications are deployed as a collection of class files, each class file containing bytecode (virtual machine instructions), as well as all symbol information from the source (symbol names, string constants, scalar type constants, and operand type information; field names, types and initial values; method names, parameter types, return type, bytecode and debugging information). Java decompilers have been constructed that in principle can recover most—if not all—of the original source code (e.g., Mocha). The possibility of such decompilation can potentially compromise the intellectual property (source code) of a company deploying an application. Obfuscators are application programs that modify the contents of the class files by renaming classes, methods, and fields, so that if the obfuscated class files were to be decompiled, it would be difficult (if not impossible) to decipher the meaning of the sources.

We reviewed two such Java obfuscator programs: DashOPro Version 2 developed by PreEmptive Solutions, Inc.,* and Condensity developed by Plumb Design. A 30-day demo version of each product is available for download from their respective Web sites.

PreEmptive Solutions' DashOPro is distributed on CD-ROM with a well-written 62-page User Guide. The User Guide clearly explains the available software options and some of the potential pitfalls in obfuscating a complex software system. Serialization and reflection pose potential problems for any Java obfuscator. The multitude of setup options available in DashOPro allows the user to carefully work around these potential problems.

Plumb Design's Condensity is a simpler product that comes with no documentation. The user options are integrated into the easy-to-use, GUI-based application.

We tested several systems using each product. The first system used reflection quite heavily. Although each program produced obfuscated output class files that ran correctly, the DashOPro Obfuscator was not as smart as the Condensity Obfuscator. It was not able to obfuscate the six classes that used class name literals (xxx.class). Condensity was able to obfuscate these six classes and change the name of the class literals to match the obfuscated class names. That was impressive. Each application claims to be able to remove unused methods and optimize the output class files for size. DashOPro provides an option of optimizing the output class files for speed. The second system, containing 50 or so classes in a complex package structure, was easily handled by Condensity, but not by DashOPro. In fairness to DashOPro, we did not expend a significant amount of effort to find the appropriate options to get it to work. With Condensity, the default options were sufficient to quickly produce a completely obfuscated set of output files that ran perfectly.
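
As an added illustration (not code from either product or from the original review), the Python sketch below reads the constant pool of a class file, where the symbol information described above is stored, and reports string constants that equal a class name; a renamer has to rewrite these for name-based lookups to keep working. The sample bytes and the names `build_sample` and `rename_hazards` are constructed for this example, and it assumes a class name literal is kept as a dotted-name string constant, as older javac compilers emitted for `xxx.class`.

```python
import struct

def utf8(s):
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b  # CONSTANT_Utf8 entry

def build_sample():
    # Constructed input: class-file header plus a six-entry constant pool.
    entries = [
        utf8("com/example/Shape"),        # 1: internal class name
        b"\x07" + struct.pack(">H", 1),   # 2: CONSTANT_Class  -> #1
        utf8("com.example.Shape"),        # 3: dotted name kept as text
        b"\x08" + struct.pack(">H", 3),   # 4: CONSTANT_String -> #3
        utf8("hello"),                    # 5: unrelated text
        b"\x08" + struct.pack(">H", 5),   # 6: CONSTANT_String -> #5
    ]
    head = struct.pack(">IHHH", 0xCAFEBABE, 3, 45, len(entries) + 1)
    return head + b"".join(entries)

# Payload size in bytes (after the tag) of each fixed-size entry type.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_pool(data):
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, i = {}, 10, 1              # pool indices start at 1
    while i < count:
        tag = data[pos]
        if tag == 1:                      # length-prefixed UTF-8 text
            (n,) = struct.unpack_from(">H", data, pos + 1)
            pool[i] = (tag, data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag in FIXED:
            pool[i] = (tag, data[pos + 1:pos + 1 + FIXED[tag]])
            pos += 1 + FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        i += 2 if tag in (5, 6) else 1    # long/double occupy two slots
    return pool

def rename_hazards(data):
    """Return (class names, string constants that equal a class name)."""
    pool = parse_pool(data)
    ref = lambda i: pool[struct.unpack(">H", pool[i][1])[0]][1]
    classes = {ref(i).replace("/", ".") for i, (t, _) in pool.items() if t == 7}
    strings = [ref(i) for i, (t, _) in pool.items() if t == 8]
    return sorted(classes), sorted(s for s in strings if s in classes)
```
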

Although both products provide outstanding performance and results and are highly recommended, we give the edge to Condensity because of its simplicity of use and smarter obfuscation in the several cases we tested.

FOOTNOTES
* 26250 Euclid Ave., Suite 503, Euclid, Ohio 44132 (www.preemptive.com)

157 Chambers Street, New York, NY 10007 (www.condensity.com)