Using class decompilers to facilitate the security of Java applications!

Undoubtedly, Java^TM has become a very popular choice of Internet programming language for developing many Web applications. However, few engineers or researchers questioned Java security problems due to its informative classfiles in which hackers can easily use most available decompilers to reverse-engineer targeted applications. We investigate an interesting proposal of the innovative combination of class decompilers and obfuscators as a feedback-and-control system to secure Java applications. Unlike ordinary obfuscation techniques which always require prior knowledge about the Java source files, our approach can start from the compiled Java classfiles, especially useful when the original source is partially or completely lost. Moreover, the obfuscated codes can also use back the class decompiler as a tester to check if the final product is sufficiently secured. In general, our contribution is two-fold. First, our proposal demonstrated the first constructive use of class decompilers to facilitate the security of Java applications. Decompilers are combined with visualization techniques to deduce useful information for obfuscation. More importantly, with component-based approach, our implemented system can actually be extended as a centralized Web-based testing center with a library of obfuscators to secure most real-life Java applications against a collection of class decompilers