Thread: Secure Java Files

Dear Java Programmers,

My friend has a youtube channel with 50.000 - 100.000 subscribers. I dont know the exact amount but he asked me to make a program for his subscribers. I made it in Java and it works perfectly fine but now i want to make it secure so people can't decompile it and read/change the code. Because ofcourse he also has viewers who can hack programs.

But i dont know how i can do that. I dont want to make the code hard to read. I already heard about program which adds lines of code without doing anything actually and programs making the code a lot more complicated. But thats not what i want, i want to make the Class files undecompilable so people cant decompile it to Java files again and read the code.

I know this is possible, Runescape for example is written in Java too and secured good enough in my opinion. I know there are fake Runescape games called private servers or something like that. But its not easy as downloading the game, decompiling it, connecting it to another server and you're done. A little kid can do that but i think its even possible that people just programmed Runescape again from scratch.

So i want to make my program very hard to decompile or even impossible, i want it as impossible as possible. Does anyone know how i can do that?

Thanks for ur help in advance,
Resantic

Welcome to the forum! Please read this topic to learn how to post code in code or highlight tags and other useful info for new members.

Originally Posted by Resantic

But i dont know how i can do that. I dont want to make the code hard to read. I already heard about program which adds lines of code without doing anything actually and programs making the code a lot more complicated. But thats not what i want, i want to make the Class files undecompilable so people cant decompile it to Java files again and read the code.

I know this is possible

No its actually not.
Java is an interpreted language and ALL interpreted language are, by design, not safe against reverse engineering. Because the code that your computer reads to run the program can also be read by a human.

The only way to secure a program written in an interpreted language is to make the code hard to read for humans which is obfuscation, it is what you have already described yourself and what you said you didnt want to use.

Alternatively you could simply use a compiled language. Compiled code can be read by computers but is very difficult to read for humans. There are tools out there that can translate java code to C code, this could be another way of protecting your software.

I can but i dont understand how i can secure it. Because like if i put the code that verifies the password on the server side i still have to call it from the client side. How can i let the server tell the client ok the password is right let the user proceed or no, the password is wrong?

Dear Java Programmers,

I had some security problems in java a few times and i couldnt find a way to fix my problem. So i want to know now if its smart to make a program that needs security in java. I want to try to make a game and it will use login stuff and databases etc. Is java a good language to use in that case if you look at the security? Because java can be decompiled easily and deobfuscated too.

I prefer Java because its hard to learn C/C++. The language itself isnt hard in my opinion but i like Java more and there arent many good tutorials on C but a lot of good tutorials about Java.

Originally Posted by Resantic

First of all it is impossible to translate Java code in to whatever other code because java has things which C or C++ dont have.

No its not. Java byte code is an abstract form of machine code. Is rather simple to translate that to actual machine code, the same code that C or C++ programs are compiled to. Of course, once you do that its not a java program anymore and loses all the benefits of being a java program.


If your application is a web application then the best solution would be what norm said. The client code should be no more but a stupid terminal that does what the server is telling it to do. The server is in your hand and safe, keep everything that is important on the server and you dont have to fear any security breaches.

Threads merged.

Please do not start multiple threads on the same topic. I'm sorry you don't like the answers that you've gotten so far, but they won't change by starting a new thread.

U guys dont understand what im saying so i will explain it again. It will not be on a website it will be a PROGRAM which runs on the computer of the CLIENT. I have a game with 2 functions, 1 called update or tick and 1 called render. 1 updates the game and 1 shows the game. The update method is allowed to update for a maximum of 60 times per second so on faster computers that can handle 1000 updates per second you will not run or attack faster. But the client can decompile the class file and change the maximum from 60 to 100 for example. I CANNOT handle the updates for every player on the server and even if i do that, the client can change the code and instead of telling the server that the client moved 1 step to the left tell the server the client moved 2 steps to the left. How can i fix that?

And i cant even secure logging in, people can change the client's code and make it so you can login on everyones account that CANNOT be on te server!

Is it even possible to make a game and (mostly) prevent hacking.

Mods are so active.. Always have to follow the rules lol. But u tell me that i dont even have to try make a game in java because its impossible to prevent hacks. Can u explain to me how runescape became successfull? It is written in java but not easy to hack.

Originally Posted by Resantic

U guys dont understand what im saying so i will explain it again. It will not be on a website it will be a PROGRAM which runs on the computer of the CLIENT. I have a game with 2 functions, 1 called update or tick and 1 called render. 1 updates the game and 1 shows the game. The update method is allowed to update for a maximum of 60 times per second so on faster computers that can handle 1000 updates per second you will not run or attack faster. But the client can decompile the class file and change the maximum from 60 to 100 for example. I CANNOT handle the updates for every player on the server and even if i do that, the client can change the code and instead of telling the server that the client moved 1 step to the left tell the server the client moved 2 steps to the left. How can i fix that?

And i cant even secure logging in, people can change the client's code and make it so you can login on everyones account that CANNOT be on te server!

Is it even possible to make a game and (mostly) prevent hacking.

Of course it is, but its complicated and you dont seem to have yet reached the level necessary to program an application like that.
You have to put in a huge effort to separate what the client and what the server can do.

The easiest way is to have the server do everything. If your server is not strong enough for that and performance is an issue then you have to find ways around that.
You could have the server make checks periodically at random and kick players who are caught cheating. This way you can cut down on the workload for the server dynamically. The less players are playing the more often can you check for hackers. Its not a perfect system but if you lack the equipment for better security then there is not much you can do.

I can learn anything. People who made very successfull games didnt learn that in a few minutes too, it was always my dream to have my own game, but i dont know where to start. I can make the game itself but the server cant handle updates because the client needs to tell the server to update the server cant know by itself. And i never worked with servers before only with clients.

--- Update ---

Norm ur being too complicated, everything can be hacked and i understand that but you can make it very hard to hack so it doesnt happen often. But i am very bad at security and i want to learn that i know how to make the game itself even if its not an amazing game i just want to learn security now and later put everything i know together and make a game.

Then you have a dangerous design thats susceptible to hacks by nature.
It must be the server that is dictating the flow of the game, if the clients have any power you are ALWAYS at danger. People can hack anything if they have enough time and motivation, but only if they actually have access to the code. People do not have access to your server, so if you put things on your server you are save.

It would probably be a lot of work but as it sounds to me you need to re-write large parts of your program to take security into consideration.

Here, I made a diagram for you:
ServerClientModel.jpg

The idea is that both the server and the client have their own game state. The client only updates its game state after the server told it to do so. The server only updates its game state after the client has send a valid input. The server is the one in charge, selecting which input is valid and which is not.


If you want your clients to only be able to move a certain distance within a certain duration all you need is a timer on your server and a counter to remember how far the client has moved recently. If the client has already moved too far the input is invalid and either the client code has errors or somebody was trying to hack.

Please note that this design is not the best when it comes to performance, but its absolutely save (as long as your server is not compromised). Security and performance are mutually exclusive. Any security features you implement will cost you in performance and memory usage. You have to decide how important security is to you and whether you want to skip certain validation checks.


Edit: And the diagram is not readable, great. Try this link:

Thanks for replying everyone,

I just want to tell u guys what i learned from this and tell me if its true or not so i know if i understanded what u said right. So the client has to do something and send it to the server, the server has to check if the input is valid and its not hacked, but some things i dont have to check like moving because if there are enough moderators they can ban him/her if they see anyone using speed hacks. And also other players can report. So some things i can fix without decreasing my performance because traveling faster is not that big problem, only stuff that is really important should be checked.

One last question: is it a good idea to do what i said above AND load the class files from the server for extra security? Or does that drop the performance a lot?

The thing with security is, there is no right or wrong. Doing more for security might be good or it might be too much. We can not tell for sure.
If security is very important you can do as much for security as possible. If you dont care that much actually you can drop it.


But I guess loading files later will not hinder security all that much, as Norm said its a one time effort and the classes would need to be loaded anyways. Of course this also depends on how big your classes are. If the clients have to download 5 gb of information it is a no-go. If its only a few kb then why not?

Hey Java Programmers,

I have 0 knowledge of networking and i want to learn that. I have a program with 20 by 20 tiles now but i can make it bigger. And there is also a player, u can move it with WASD keys or the arrow keys. Now i want to put a server and database in the program.

What i want to do is:
1. Connect multiple clients to a server and let it be a multiplayer game so u see other people moving around.
2. Let the server handle the moving instead of the client to avoid hacking/making it harder.
3. Save the X and Y coördinates for the player so the next time he/she logs in the player will be on the last X and Y as when he or she logged out.

What is the best and most secure way to do this? Also if i save the X and Y every second in a database it will decrease the performance more than if i do it every 3 seconds, so what is the best way to fix that? Also how can i let the server handle moving because i know a lot of games can be hacked and increase the speed just with a simple program called Cheat Engine and making the program run faster or something like that. That doesnt need any hacking knowledge and a little kid can do it, How can i avoid that?

Thanks in advance,
Resantic