Class ObfuscatedString


  • public final class ObfuscatedString
    extends Object
    A utility class used to replace string literals in Java source code with an obfuscated representation of the string. Client applications should use this class to implement the org.zkoss.zkex.license.LicenseParam, org.zkoss.zkex.license.KeyStoreParam and org.zkoss.zkex.license.CipherParam interfaces in order to make it considerably hard (although still not impossible) for a reverse engineer to find these string literals while providing comparably fast operation and minimum memory footprint.

    To use this class you need to provide the string literal to obfuscate as a parameter to the static obfuscate(java.lang.String) method. Its return value is a string which contains the Java code which you should substitute for the string literal in the client application's source code.

    Please note that obfuscation is not equal to encryption: In contrast to the obfuscation provided by this class, encryption is comparably slow and expensive in terms of resources - no matter what algorithm is actually used. More importantly, encrypting string literals in Java code does not really increase the privacy of these strings compared to obfuscation as long as the encryption key is still placed in the Java code itself and tracing the calls to the JVM is possible. Hence, obfuscation is selected in favour of encryption.

    In order to provide a reasonable level of security for your application, you should always obfuscate the application code too, including this class. Otherwise, a reverse engineer could simply use the UNIX "strings" utility to search for all usages of this class, which would render its use completely pointless! In case you're looking for a Java code obfuscation tool for this task, please consider ProGuard, available and usable for free at http://proguard.sourceforge.net.

    This class is designed to be thread safe.

    Author:
    Christian Schlichtherle
    • Method Detail

      • main

        public static void main(String[] args)
        Obfuscates each given argument.
        Parameters:
        args - The command line arguments.
      • obfuscate

        public static String obfuscate(String s)
        Returns a string containing Java code which generates the obfuscated string and which you can copy-paste into your source code in order to represent the given string. Obfuscation is performed by encoding the given string into UTF-8 and then XOR-ing a sequence of pseudo-random numbers to it in order to prevent attacks based on character probability. The result is encoded into an array of longs which is embedded in some Java code which would produce the original string again. The sequence of pseudo-random numbers is seeded with a 48-bit random number in order to provide a non-deterministic result for the generated code. Hence, two subsequent calls with the same string will produce equal results with a chance of only 1/(2^48-1) (0 isn't used as a seed)!

        As an example, calling this method with "Hello world!" as its parameter may produce the result "new ObfuscatedString(new long[] { 0x3676CB307FBD35FEL, 0xECFB991E2033C169L, 0xD8C3D3E365645589L }).toString()". If this code is compiled and executed later, it will produce the string "Hello world!" again.

        Parameters:
        s - The string to obfuscate. This may not contain null characters.
        Returns:
        Some obfuscated Java code to produce the given string again.
        Throws:
        IllegalArgumentException - If s contains a null character.
      • toString

        public String toString()
        Returns the original string.
        Overrides:
        toString in class Object
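
The scheme described for obfuscate (UTF-8 bytes XOR-ed with a seeded pseudo-random stream and packed into a long[]), together with the class comment's point that obfuscation is not encryption, as an added Java sketch. It is not the ZK class's code or its array layout: the name XorObfuscationDemo, the seed-in-first-element layout, the byte order and the use of java.util.Random are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

/** Illustration only: hypothetical layout { seed, masked word 1, masked word 2, ... }. */
public final class XorObfuscationDemo {

    static long[] encode(String s) {
        if (s.indexOf('\0') >= 0)              // zero bytes are used as padding below
            throw new IllegalArgumentException("null character not allowed");
        byte[] utf8 = s.getBytes(StandardCharsets.UTF_8);
        long seed;
        do {
            seed = new SecureRandom().nextLong() & 0xFFFFFFFFFFFFL; // 48-bit seed
        } while (seed == 0);                                          // 0 is not used
        Random prng = new Random(seed);
        long[] out = new long[1 + (utf8.length + 7) / 8];
        out[0] = seed;                         // assumption: seed travels with the data
        for (int i = 1; i < out.length; i++) {
            long word = 0;                     // pack up to 8 bytes, zero padded
            for (int b = 0; b < 8; b++) {
                int idx = (i - 1) * 8 + b;
                if (idx < utf8.length) word |= (utf8[idx] & 0xFFL) << (8 * b);
            }
            out[i] = word ^ prng.nextLong();   // mask with the pseudo-random stream
        }
        return out;
    }

    /** Needs no secret: the array alone is enough, which is why this is not encryption. */
    static String decode(long[] data) {
        Random prng = new Random(data[0]);
        byte[] utf8 = new byte[(data.length - 1) * 8];
        int len = 0;
        for (int i = 1; i < data.length; i++) {
            long word = data[i] ^ prng.nextLong();
            for (int b = 0; b < 8; b++) {
                byte v = (byte) (word >>> (8 * b));
                utf8[(i - 1) * 8 + b] = v;
                if (v != 0) len = (i - 1) * 8 + b + 1;   // drop trailing zero padding
            }
        }
        return new String(utf8, 0, len, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        long[] a = encode("Hello world!"), b = encode("Hello world!");
        System.out.println(decode(a) + " | identical arrays: " + Arrays.equals(a, b));
    }
}
```

Because decode needs nothing beyond the array, treat values protected this way as hidden from casual inspection only, and keep real secrets out of shipped code.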