Tags: java, spring-boot, deployment, reverse-engineering, publishing

Safe distribution of Spring based application


I'm thinking about creating a Spring Boot application that I would like to commercialize some day.

I planned to build a JAR that I would make available for download, and once a client launched it locally and provided a license key, it would become usable.

I have some doubts about this distribution strategy, especially regarding the safety of the code and licensing.

If I provided a JAR, anybody might try reverse engineering it, so it would be easy to hack or crack.

Turning it into an executable is more user friendly and may also hide the code better, but I still think it is relatively easy to reverse engineer.

It made me think about obfuscation. If I completely messed up the app before the prod build, it would be way harder to understand or change the code. It may seem okay as far as "copying and modifying" the app goes, but I still think it would be easy to locate licensing limitations in the source files. For example: a limit of 5 users can be easily located in the sources by the value "5" or by the message the user sees, and even if the code looks awful, these lines can be removed and the project compiled again, breaking the limitation and wasting my entire effort.

It will be a small application. I want to provide clients with the installer and let them set it up themselves. I don't want to be responsible for setting it up in the cloud for the client (without publishing an installer or JAR), as clients may not be interested in cloud-based access.

Could you advise me on a wise solution for this situation? Thanks in advance! :)


Solution

The short answer is that there is no way to prevent reverse engineering if someone can run the software on hardware that they control.

The only way to 100% prevent reverse engineering is to ONLY run the software on a platform that you control ... and that can prevent them from getting a copy of the executables.

There are a couple of ways that can make reverse engineering harder:

  • Use an obfuscator on your JAR files. It will make it harder for someone to read the decompiled code. There are 3rd-party obfuscator products you could use.

  • Use jpackage (or a 3rd-party tool) to create a native executable for your application.

But beware that modifying an application to disable a license check is much simpler than full reverse engineering. A determined software engineer (or hacker) will be able to do that, given enough time and incentive.

Look at this problem another way:

  • There are many people and companies making money out of writing and supporting software without resorting to license keys, obfuscation and so on.
  • Conversely, there are probably millions of aspiring software entrepreneurs who never even turn their clever idea into a worthwhile (saleable) product.
  • Conversely, there are millions of apps (e.g. in Android app stores) that are simply not worth the effort of protecting from IP theft.

Don't get lost in the problem of protecting your IP before you have actually created it. And don't overrate its (hypothetical) value.
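The answer's point that disabling a license check is simpler than reverse engineering the whole program is worth seeing concretely. The example below is added here for illustration; it is not code from the asker or the answerer. It assumes Java 17 (for `record`, arrow `switch` and the built-in Ed25519 provider) and a constructed key format of `base64url(payload).base64url(signature)`, where the payload is the `maxUsers=5;expires=...` text the asker wants to enforce. Signing the payload with a vendor key the client never receives means a customer cannot forge a key or edit the user limit inside one: any change breaks the signature. What it cannot do is protect the `verify` call itself, which lives in the shipped JAR and is exactly the kind of single branch the answer says a determined person will patch out.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Optional;

public class LicenseKeyDemo {

    /** Fields the vendor signs; the client trusts them only if the signature verifies. */
    public record License(int maxUsers, String expires) {}

    /** Vendor side: sign "maxUsers=N;expires=YYYY-MM-DD" and emit base64url(payload).base64url(sig). */
    static String issue(KeyPair vendorKeys, int maxUsers, String expires) throws GeneralSecurityException {
        byte[] payload = ("maxUsers=" + maxUsers + ";expires=" + expires).getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("Ed25519");
        signer.initSign(vendorKeys.getPrivate());
        signer.update(payload);
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString(payload) + "." + b64.encodeToString(signer.sign());
    }

    /**
     * Client side: returns the license only if the signature checks out against the embedded
     * vendor public key. Note that this whole method ships inside the JAR; the signature stops
     * forged keys, not someone editing the bytecode so that the check is skipped.
     */
    static Optional<License> verify(PublicKey vendorPublicKey, String key) {
        try {
            String[] parts = key.split("\\.", 2);
            if (parts.length != 2) return Optional.empty();
            Base64.Decoder b64 = Base64.getUrlDecoder();
            byte[] payload = b64.decode(parts[0]);
            byte[] sig = b64.decode(parts[1]);
            Signature verifier = Signature.getInstance("Ed25519");
            verifier.initVerify(vendorPublicKey);
            verifier.update(payload);
            if (!verifier.verify(sig)) return Optional.empty();   // forged or tampered key
            return Optional.of(parse(new String(payload, StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // Malformed Base64, a bad signature length or an unparseable payload all mean "no license".
            return Optional.empty();
        }
    }

    /** Parses the signed payload; only reached after the signature has been verified. */
    static License parse(String payload) {
        int maxUsers = -1;
        String expires = "";
        for (String field : payload.split(";")) {
            String[] kv = field.split("=", 2);
            if (kv.length != 2) throw new IllegalArgumentException("bad field: " + field);
            switch (kv[0]) {
                case "maxUsers" -> maxUsers = Integer.parseInt(kv[1]);
                case "expires" -> expires = kv[1];
                default -> throw new IllegalArgumentException("unknown field: " + kv[0]);
            }
        }
        if (maxUsers < 0 || expires.isEmpty()) throw new IllegalArgumentException("incomplete license");
        return new License(maxUsers, expires);
    }

    public static void main(String[] args) throws Exception {
        // Constructed for the demo: in a real product the private key never leaves the vendor and
        // only the public key is embedded in the shipped application.
        KeyPair vendorKeys = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();

        String genuine = issue(vendorKeys, 5, "2030-01-01");
        System.out.println("genuine key accepted:  " + verify(vendorKeys.getPublic(), genuine).isPresent());

        // Raising maxUsers in the payload without the private key invalidates the signature.
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String editedPayload = b64.encodeToString(
                "maxUsers=500;expires=2030-01-01".getBytes(StandardCharsets.UTF_8));
        String tampered = editedPayload + "." + genuine.split("\\.", 2)[1];
        System.out.println("tampered key accepted: " + verify(vendorKeys.getPublic(), tampered).isPresent());
    }
}
```

Run with `java LicenseKeyDemo.java` on JDK 17 or later; the genuine key is accepted and the edited one is rejected. The design choice is to keep the limit inside the signed payload rather than as a literal in the code, so the asker's concern about a "5" being easy to find and change applies to the key file, where changing it is detectable, rather than to the source. The residual risk the answer describes remains: whoever controls the JVM can still remove the `Optional.empty()` branch, so this kind of check raises the bar against casual misuse but is not a substitute for running licensed functionality on infrastructure you control.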