Is it worth to obfuscate a java web app source code so that the web host cannot make wrong use of the code or even steal your business? If so, how should this be dealt with? How should we obfuscate?
We are a new start up launching a product in market. How can we protect our product/web application's source code?
A malicious hosting provider can do a lot more than simply steal your code. They can modify it to introduce backdoors, they can steal your clients' data, and ruin your whole business. Trust must exist between you and the host.
About the source code. If the attacker is trying to gain access to your source code, they will gain access to your source code, obfuscated or not, compiled or interpreted.
There is a value in obfuscating your code, in that you'll probably make it just a liiiiitle bit more difficult to be obtained by the occasional opportunistic attacker. But if your host is out to get you, they'll get you.
The solution? The law. Sign a contract with them and agree on some form of NDA.
Well, this calls for three comments:
You cannot protect secrets with code obfuscation. Not really. Code obfuscation somehow works against unmotivated attackers, but it is not strong. If there is commercial value in breaking through it, then it will happen.
If you don't trust your hosting service then look for another hosting service. If the secrecy of your code is important and worth more than a few hundred bucks, then you should use your own hardware: you rent some isolated bay space, with locks and guards, and you run your own machine in it.
Your code exists as compiled (byte)code on the servers, but also as source code in your development systems, and in the heads of your developers. It cannot be that secret. As they say, one million dollar is always enough to unravel secrets, if only by bribing one of the individuals who has been made privy to it.
(In this last case, that might be your plan: you might wish to see some bigger competitor simply buy you out.)
Protection against reverse-engineering and pilfering of your intellectual property is normally ensured through legal means, not technical.
No, it isn’t worth it. Nobody wants to steal your code. A thousand million SaaS products have been launched by individuals and companies using third-party hosting of some description or another, and roughly none of them have found themselves to be competing against themselves after having the code for their products stolen by their hosts.
So, should you obfuscate your code? Sure, if it makes you feel better. No harm done. Are you protecting your IP against a valid threat? No, not really. It’s kind of the web developer’s version of a tin-foil hat.
Whatever you do, don't waste a lot of time and energy thinking about it. Make a decision to obfuscate or not, and then move on to worrying about mitigating real threats.
Ultimately you're the only one who can make that risk assessment. If you'll sleep better obfuscating your code, go for it.
Personally I wouldn't bother. Reputable web hosting services are in the web hosting business not the source code theft business. If they steal your code they'd still have to install it, sell the service, find customers, and fight off the lawsuit you'd file against them. It's too much effort for them with too much risk for too little reward.
Obfuscation is ineffective against a determined attacker, it only makes it slightly more difficult. If you have a particular reason to distrust your hosting provider, get another.
If you just want to be safe, get a non-disclosure agreement and other legal assurances that allow you to go after your host if they abuse things.
If you still don't trust them even with those legal assurances, get dedicated servers that you can control and encrypt such that the hosting provider can not access the data unless they hack in to the operating server.
If you are worried about someone having physical access to your servers, then setup your own data center or physically lock them in an enclosure in a collocated facility with monitoring of the physical property.
Simply using an NDA should be sufficient with any reputable hosting provider though.
I wouldn't bother.
Two reasons:
Runtime interpreted languages really cannot be fully protected that way. To completely obfuscate it you would have to obfuscate it from the runtime as well, then there would be no way to execute it. Obfuscation just makes the task slightly more annoying. It can also make debugging and deployment more time consuming for your own staff.
Very few applications really contain the kind of secret sauce code people really would go to that much trouble to steal. It is a lot easier just to get a feature list and some contractors and say "make something like this" than it is to copy function by function with most common applications.
When you don't trust your hoster to not steal your data, you should look for a more trustworthy hoster or host yourself.
You are not just entrusting your program code to them, you also entrust all your data and the data of all of your users. When you assume that your hoster is malicious enough to steal your programming, they are also malicious enough to steal your user-data and sell it to the highest bidder. Data you likely vowed to protect under a privacy policy.
When you come to the conclusion that you don't trust any hoster but hosting yourself is too expensive, you have the option of buying your own physical server and let someone else host it, but 1. fully encrypt its filesystem so they can't clone the hard drives during maintenance and 2. make sure all network communication is encrypted so they can't sniff on the traffic.
You should take precautions to protect yourself, but not for the reasons or from the threat that you're imagining.
First of all, if you can't trust your hosting provider, get a new hosting provider. No more needs to be said about that.
Second, even though you think that the intellectual property in the web application you've built is valuable, chances are you're the only one. Would you steal your competitor's website? Probably not; it wouldn't be worth the trouble. As a rule, people aren't interested in stealing your site. Typically the cost of customizing someone else's site to fit your own needs approximates or exceeds the cost of building it yourself.
Finally, you should be worried about attackers retrieving your code and using that to attack you. Saved passwords, user databases, programming errors and vulnerabilities -- your code probably presents a juicy target for malicious attackers. This is particularly true if your code is poorly-written or your service is popular.
Obfuscating your code is not a solution, and wouldn't help anyway. But good security practices, including following the principle of least privilege, should help you. Segregate out your access so compromising one system or component doesn't give your attacker the whole app in a neat little bundle. The more independent and disconnected the elements of your business, the less an attacker can snag in a single go.
I have many web applications hosted online. Some code is valuable yes. However, I did not obfuscate any of it since even if it gets stolen, no one else can maintain it. They will eventually pull their hair out. I tried it with someone who wanted my software badly. He could not install it, understand it nor get anything out of it so how would he be able to find customers and sell it as mentioned above.
The value is in the data and in the support you give and keeping the customer happy.
All my desktop applications could be decompiled one way or another. I think VB6 was the only one that could not be decompiled. No one could maintain them because I use tricky coding and tricky variable names.
There is no security merit in attempting to obfuscate any client-side code. A determined enough attacker will bypass any obfuscation methods you throw at them.
If the code is really important, keep it on the business side. Consider any client-side code public and available to anyone and everyone.
The world is upside down, the real value is usually not in the application code. It's in the customer data that the code is used to gather/modify. In many web applications the code is secured and the data sits in plaintext often without any simple protection. This is one of the issues that PCI DSS, HIPAA, and other data security standard are meant to address.
With the assumption that your hosting provider is malicious them getting access to customer data will destroy your company far quicker than getting your code.
Besides the issue of security through obscurity, code obfuscation can also introduce security issues and will need to be vetted to the same or a higher level as your regular code base.
No.
Clearly: You're planning to invest time in a so called security through obscurity technology.
I'ts not a good idea!
To protect your idea against third part licensing, you could publish them under such a public license like GNU GPL, creative commons or others.
Obfuscation never hide or change your Code, it just modifies it into some other format in which it can process it,
Ex: if you want to obfuscate your class name MyHomePage my be changed into M4Page Similarly a method of addWidgets() will be named in some other, and the function name might also be changed, not the Functionality So if i wish to call the method from your obfuscated code i can easily implement it...
You can't obfuscate your code or data enough to make them secure. If you were able to, your code and data would be unusable to even you.
Security via obscurity only works so long as the secret of your obfuscation remains intact. Secrets never stay secret. This is the basis for most digital rights systems, and to date all of them have been cracked.
On a more technical note, if you are using an interpreted language (Perl, PHP) or a bytecode-interpreted language (Java), consider using the included native compile tools for them. Many such high level languages include a tool to output a C/C++ version of your scripts or compile natively for your hardware. Having a natively compiled version removes the need to keep your source tree on your remote servers and provides a significant performance boost as well.
Security by obscurity is not bad if is not only thing you rely on. Using obfuscation to protect your code will not work,but using obfuscation with other licensing is not bad.
