One of the things that isn't immediately obvious when using the True License Java license key manager software library is how to use the ObfuscatedString string class. In short, you're supposed to use this class to help obfuscate Java String objects that you might ordinarily include directly in your Java source code. If you're trying to protect your Java class (your intellectual property, or "IP"), you want to obfuscate these strings, otherwise they can be easily found by people trying to hack your code so they can use it freely.
As the True License documentation mentions, obfuscating your Java String instances won't stop all would-be hackers, but it may help stop some of them, especially those who know simple tricks like looking at your code with the Unix/Linux strings
command.
Using the True License ObfuscatedString class is a two-step process:
- First, you obfuscate the string literals you would normally include directly in your Java class files.
- Second, you put these obfuscated references in your Java class files.
After that, you use these String references just like you normally would. Let's look at a simple example of these steps.
Step 1: Obfuscate your Java String literals with ObfuscatedString
The first step is to obfuscate your Java String literals. For instance, when using True License, you'll need a String that contains the name of your Java keystore file. Assuming that file is named "hyde.keystore", you'd first use a program like this to create an ObfuscatedString from your string:
import de.schlichtherle.util.ObfuscatedString; public class CreateObfuscatedStrings { private static final String PUBLIC_KEYSTORE_FILENAME = "hyde.keystore"; public static void main(String[] args) { String result = ObfuscatedString.obfuscate("hyde.keystore"); System.out.format("KEYSTORE-FILENAME: %s\n", result); } }
The output from this program looks like this:
KEYSTORE-FILENAME: new ObfuscatedString(new long[] {0x86DD4DBB5166C13DL, 0x4C79B1CDC313AE09L, 0x1A353051DAF6463BL}).toString() /* => "hyde.keystore" */
Step 2: Use this ObfuscatedString instance in your program
Now that you have this ObfuscatedString output, you just put it in your application where you would normally use a Java String literal. Instead of having a line of code in your Java program that looks like this:
private static final String PUBLIC_KEYSTORE_FILENAME = "hyde.keystore";
you replace it with a line of Java code that looks like this:
private static final String PUBLIC_KEYSTORE_FILENAME = new ObfuscatedString(new long[] {0x86DD4DBB5166C13DL, 0x4C79B1CDC313AE09L, 0x1A353051DAF6463BL}).toString();
So now if someone tries to figure out what's going on in your Java class, instead of finding the String literal "hyde.keystore", well, they won't find it as easily.
That's all you have to do to use the True License ObfuscatedString class.
Don't forget to obfuscate your Java code
Of course you also need to obfuscate your Java class files if you really want to try to protect your IP. I've written several articles about obfuscating your Java class files, including these:
- How to obfuscate Java class files with ProGuard
- Java decompilers and obfuscators (Oh my!)
- A list of Java obfuscators