B4J Question Can people decompile and use my code?

[MegatenFreak]

Hello.
I'm making a product management windows application for a company. My partner and I are seriously concerned with security issues. It is imperative that we make sure no one can "steal" our code and hijack the application for themselves, therefore ruining our career!
I'm not very familiar with how B4J compiles and packs the final executable.
My question is: Can someone manage to "decompile" our software and figure out the code? Or is it as tough as disassembling EXE applications? Should we worry about our code being hacked and stolen?
Thank you so much in advance.

 

[Erel]

t is imperative that we make sure no one can "steal" our code and hijack the application for themselves

There is no 100% protection.

You can compile with obfuscation to make it more difficult to reverse engineer your code: https://www.b4x.com/android/forum/threads/13773/#content

 

[MegatenFreak]

Thank you so much! That is fantastic.. especially the variable renaming.

 

[MegatenFreak]

There is no 100% protection.

You can compile with obfuscation to make it more difficult to reverse engineer your code: https://www.b4x.com/android/forum/threads/13773/#content

One thing I'm not sure I got completely:
So even B4J creates Dalvik code? Isn't that Android byte code?

 

[Erel]

So even B4J creates Dalvik code? Isn't that Android byte code?

B4J compiles to Java bytecode.

 

[MarkusR]

if it is a very expensive software maybe build in a server side activation procedure as copy protection.
beyond that its possible to recreate this app by seeing screenshots or workflow / logic.
the risk is that other developers offer the same for better price / license.
client satisfaction play also an important part.

 

[MegatenFreak]

Thank you. The software works with a remote database. We're planning to handle the purchase and management of the mySQL host ourselves and hardcode its address/user/pass into the program we deliver to the company. I was worried that the compiled code might be more readable than, say, PC Assembly bytecode. If it is in face as complex as machine code, even if they manage to reverse engineer the logic and workflow, if strings are obfuscated it would be much more difficult to figure out the structure of the database when they have no direct access to the mySQL server.
I suppose there is never a 100% guarantee, but this is not something people would spend a lot of money just to hack and reverse engineer. So as long as it is really difficult, I think we'll be safe!
In any case, how do you suggest we approach a server side activation procedure?

 

[MarkusR]

how do you suggest we approach a server side activation procedure?

rough
typically after setup its not activated, at uninstall the activation is removed.
so if u start the app u need input a "id" from a contract/order and a email name.
the mail is verified by click a link.
the activation is ok if it is not activated else info for a support call.
your online self hosted database contains the activation table.
before the app use the business logic it make a test if activated.
"hardcode" something like a config file.
the app identity can be saved as ini file,sqllite or registry.
generally the activation procedure should not being annoying.

 

[MegatenFreak]

rough
typically after setup its not activated, at uninstall the activation is removed.
so if u start the app u need input a "id" from a contract/order and a email name.
the mail is verified by click a link.
the activation is ok if it is not activated else info for a support call.
your online self hosted database contains the activation table.
before the app use the business logic it make a test if activated.
"hardcode" something like a config file.
the app identity can be saved as ini file,sqllite or registry.
generally the activation procedure should not being annoying.

You gave me helpful ideas for the task
Thank you.

 

[MarkusR]

if the app is used by a handful people and u delivery the config/identity with it, maybe just activate this one direct in database.
if someone install it again elsewhere the pop up already activated/in use/service number will come.
if they uninstall/install the activate process will start.

 

[MegatenFreak]

I was thinking of something similar.
With every installation I'd have that system's hardware ID and the provided serial number registered in the database, so we'll know every time the application is installed. In any case, we won't provide the customer with the information about the database (its address, username, password), and since that database is specifically personalized for that customer, even if they manage to run it without activation, they won't be able to use it for other purposes. Even if they find a way to change the database information to their own by reverse engineering the code, they won't know the structure of the tables.