B4J Question Can people decompile and use my code?

Discussion in 'B4J Questions' started by MegatenFreak, Dec 12, 2018.

  1. MegatenFreak

    MegatenFreak Member

    Hello.
    I'm making a product management Windows application for a company. My partner and I are seriously concerned with security issues. It is imperative that we make sure no one can "steal" our code and hijack the application for themselves, therefore ruining our career!
    I'm not very familiar with how B4J compiles and packs the final executable.
    My question is: Can someone manage to "decompile" our software and figure out the code? Or is it as tough as disassembling EXE applications? Should we worry about our code being hacked and stolen?
    Thank you so much in advance.
     
  2. Erel

    Erel Administrator Staff Member Licensed User

    There is no 100% protection.

    You can compile with obfuscation to make it more difficult to reverse engineer your code: https://www.b4x.com/android/forum/threads/13773/#content
     
  3. MegatenFreak

    MegatenFreak Member

    Thank you so much! That is fantastic... especially the variable renaming.
     
  4. MegatenFreak

    MegatenFreak Member

    One thing I'm not sure I got completely:
    So even B4J creates Dalvik code? Isn't that Android byte code?
     
  5. Erel

    Erel Administrator Staff Member Licensed User

    B4J compiles to Java bytecode.
     
  6. MarkusR

    MarkusR Well-Known Member Licensed User

    If it is very expensive software, maybe build in a server-side activation procedure as copy protection.
    Beyond that, it's possible to recreate this app by seeing screenshots or workflow / logic.
    The risk is that other developers offer the same for a better price / license.
    Client satisfaction also plays an important part.
     
  7. MegatenFreak

    MegatenFreak Member

    Thank you. The software works with a remote database. We're planning to handle the purchase and management of the MySQL host ourselves and hardcode its address/user/pass into the program we deliver to the company. I was worried that the compiled code might be more readable than, say, PC Assembly bytecode. If it is in fact as complex as machine code, even if they manage to reverse engineer the logic and workflow, if strings are obfuscated it would be much more difficult to figure out the structure of the database when they have no direct access to the MySQL server.
    I suppose there is never a 100% guarantee, but this is not something people would spend a lot of money just to hack and reverse engineer. So as long as it is really difficult, I think we'll be safe!
    In any case, how do you suggest we approach a server side activation procedure?
     
  8. MarkusR

    MarkusR Well-Known Member Licensed User

    Rough:
    Typically after setup it's not activated; at uninstall the activation is removed.
    So if you start the app you need to input an "id" from a contract/order and an email name.
    The mail is verified by clicking a link.
    The activation is OK if it is not activated, else info for a support call.
    Your online self-hosted database contains the activation table.
    Before the app uses the business logic it makes a test if activated.
    "Hardcode" something like a config file.
    The app identity can be saved as an ini file, SQLite or registry.
    Generally the activation procedure should not be annoying.
     
  9. MegatenFreak

    MegatenFreak Member

    You gave me helpful ideas for the task ;)
    Thank you.
     
  10. MarkusR

    MarkusR Well-Known Member Licensed User

    If the app is used by a handful of people and you deliver the config/identity with it, maybe just activate this one directly in the database.
    If someone installs it again elsewhere, the pop-up "already activated/in use/service number" will come.
    If they uninstall/install, the activation process will start.
     
  11. MegatenFreak

    MegatenFreak Member

    I was thinking of something similar.
    With every installation I'd have that system's hardware ID and the provided serial number registered in the database, so we'll know every time the application is installed. In any case, we won't provide the customer with the information about the database (its address, username, password), and since that database is specifically personalized for that customer, even if they manage to run it without activation, they won't be able to use it for other purposes. Even if they find a way to change the database information to their own by reverse engineering the code, they won't know the structure of the tables.
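
The activation flow sketched in posts 8 to 11, as an added example that is not code from any participant in the thread. The table layout, function names and status strings are assumptions, in-memory SQLite stands in for the hosted database, and the functions are assumed to run on the server rather than inside the delivered client.

```python
import secrets
import sqlite3

def open_db():
    # In-memory SQLite stands in for the self-hosted activation database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE activation (order_id TEXT PRIMARY KEY, email TEXT NOT NULL,"
               " hardware_id TEXT, verify_token TEXT, verified INTEGER NOT NULL DEFAULT 0)")
    return db

def issue_license(db, order_id, email):
    # Done by the vendor when the contract/order is created.
    db.execute("INSERT INTO activation (order_id, email) VALUES (?, ?)", (order_id, email))

def request_activation(db, order_id, email, hardware_id):
    row = db.execute("SELECT email, hardware_id, verified FROM activation WHERE order_id = ?",
                     (order_id,)).fetchone()
    if row is None or row[0].lower() != email.lower():
        return ("unknown", None)
    if row[2]:
        # Already activated: fine on the same machine, support call on any other.
        return ("active" if row[1] == hardware_id else "contact_support", None)
    token = secrets.token_urlsafe(32)  # goes into the e-mailed verification link
    db.execute("UPDATE activation SET hardware_id = ?, verify_token = ? WHERE order_id = ?",
               (hardware_id, token, order_id))
    return ("verify_email", token)

def confirm_email(db, token):
    # Single use: the token is cleared as soon as it is accepted.
    cur = db.execute("UPDATE activation SET verified = 1, verify_token = NULL"
                     " WHERE verify_token = ?", (token,))
    return cur.rowcount == 1

def is_activated(db, order_id, hardware_id):
    # The test made before the business logic is served.
    return db.execute("SELECT 1 FROM activation WHERE order_id = ? AND hardware_id = ?"
                      " AND verified = 1", (order_id, hardware_id)).fetchone() is not None

def deactivate(db, order_id, hardware_id):
    # Uninstall removes the activation so the order can be activated again.
    cur = db.execute("UPDATE activation SET hardware_id = NULL, verified = 0,"
                     " verify_token = NULL WHERE order_id = ? AND hardware_id = ?",
                     (order_id, hardware_id))
    return cur.rowcount == 1
```

Because the activation state lives only in the server's table, a second install of the same order on another machine gets the support-call answer until the first one is deactivated.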
     