Class ObfuscatedString


  • public final class ObfuscatedString
    extends java.lang.Object
    A utility class used to replace string literals in Java source code with an obfuscated representation of the string. Client applications should use this class to implement the LicenseParam, KeyStoreParam and CipherParam interfaces in order to make it considerably harder (although still not impossible) for a reverse engineer to find these string literals, while providing comparatively fast operation and a minimal memory footprint.

    To use this class you need to provide the string literal to obfuscate as a parameter to the static obfuscate(java.lang.String) method. Its return value is a string which contains the Java code which you should substitute for the string literal in the client application's source code.

    Please note that obfuscation is not the same as encryption: in contrast to the obfuscation provided by this class, encryption is comparatively slow and expensive in terms of resources, no matter which algorithm is actually used. More importantly, encrypting string literals in Java code does not really increase the privacy of these strings compared to obfuscation as long as the encryption key is still placed in the Java code itself and tracing the calls to the JVM is possible. Hence, obfuscation was chosen over encryption.

    In order to provide a reasonable level of security for your application, you should always obfuscate the application code too, including this class. Otherwise, a reverse engineer could simply use the UNIX "strings" utility to search for all usages of this class, which would render its use completely pointless! In case you're looking for a Java code obfuscation tool for this task, please consider ProGuard, available and usable for free at http://proguard.sourceforge.net.

    This class is designed to be thread safe.

    Author:
    Christian Schlichtherle
    • Constructor Summary

      Constructors 
      Constructor Description
      ObfuscatedString(long[] obfuscated)
      Constructs an obfuscated string.
    • Method Summary

      Modifier and Type Method Description
      static void main(java.lang.String[] args)
      Obfuscates each given argument.
      static java.lang.String obfuscate(java.lang.String s)
      Returns a string containing Java code that generates the obfuscated string, which you can copy-paste into your source code in order to represent the given string.
      java.lang.String toString()
      Returns the original string.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
    • Constructor Detail

      • ObfuscatedString

        public ObfuscatedString(long[] obfuscated)
        Constructs an obfuscated string.
        Parameters:
        obfuscated - The obfuscated string.
        Throws:
        java.lang.NullPointerException - If obfuscated is null.
        java.lang.ArrayIndexOutOfBoundsException - If the provided array does not contain at least one element.
        See Also:
        obfuscate(String)
    • Method Detail

      • main

        public static void main(java.lang.String[] args)
        Obfuscates each given argument.
        Parameters:
        args - The command line arguments.
      • obfuscate

        public static java.lang.String obfuscate(java.lang.String s)
        Returns a string containing Java code that generates the obfuscated string, which you can copy-paste into your source code in order to represent the given string. Obfuscation is performed by encoding the given string into UTF-8 and then XOR-ing a sequence of pseudo-random numbers to it in order to prevent attacks based on character probability. The result is encoded into an array of longs which is embedded in some Java code which would produce the original string again. The sequence of pseudo-random numbers is seeded with a 48-bit random number in order to provide a non-deterministic result for the generated code. Hence, two subsequent calls with the same string will produce equal results with a probability of only 1/(2^48 - 1) (0 isn't used as a seed)!

        As an example, calling this method with "Hello world!" as its parameter may produce the result "new ObfuscatedString(new long[] { 0x3676CB307FBD35FEL, 0xECFB991E2033C169L, 0xD8C3D3E365645589L }).toString()". If this code is compiled and executed later, it will produce the string "Hello world!" again.

        Parameters:
        s - The string to obfuscate. This may not contain null characters.
        Returns:
        Some obfuscated Java code to produce the given string again.
        Throws:
        java.lang.IllegalArgumentException - If s contains a null character.
      • toString

        public java.lang.String toString()
        Returns the original string.
        Overrides:
        toString in class java.lang.Object
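
The scheme described for obfuscate(String), as an added sketch that is not this library's own source. The class name XorObfuscationSketch, the use of java.util.Random, the seed stored in element 0, and the little-endian, zero-padded packing are all assumptions made for illustration. It shows why the page calls this obfuscation rather than encryption: everything needed to recover the string travels inside the array.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Random;

// Added illustration, not the library's source. Assumed layout: element 0
// holds the seed; each later element holds 8 UTF-8 bytes (little-endian,
// zero-padded) XOR-ed with one nextLong() of a Random built from that seed.
public class XorObfuscationSketch {

    static long[] obfuscate(String s) {
        if (s.indexOf('\0') >= 0) // zero bytes are reserved for padding
            throw new IllegalArgumentException("null character in string");
        byte[] utf8 = s.getBytes(StandardCharsets.UTF_8);
        SecureRandom rnd = new SecureRandom();
        long seed;
        do {
            seed = rnd.nextLong() & 0xFFFFFFFFFFFFL; // keep 48 bits
        } while (seed == 0);                         // 0 is not used as a seed
        Random prng = new Random(seed);
        long[] out = new long[1 + (utf8.length + 7) / 8];
        out[0] = seed;
        for (int i = 1; i < out.length; i++) {
            long block = 0;
            for (int j = 0; j < 8; j++) {
                int k = (i - 1) * 8 + j;
                if (k < utf8.length) block |= (utf8[k] & 0xFFL) << (8 * j);
            }
            out[i] = block ^ prng.nextLong();
        }
        return out;
    }

    static String deobfuscate(long[] obfuscated) {
        Random prng = new Random(obfuscated[0]); // the "key" ships with the data
        byte[] buf = new byte[(obfuscated.length - 1) * 8];
        for (int i = 1; i < obfuscated.length; i++) {
            long block = obfuscated[i] ^ prng.nextLong();
            for (int j = 0; j < 8; j++)
                buf[(i - 1) * 8 + j] = (byte) (block >>> (8 * j));
        }
        int len = buf.length;
        while (len > 0 && buf[len - 1] == 0) len--; // strip zero padding
        return new String(buf, 0, len, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        long[] a = obfuscate("Hello world!");
        for (long v : a) System.out.printf("0x%016XL%n", v);
        System.out.println(deobfuscate(a));
    }
}
```

In this sketch the zero padding is also what makes a null character in the input ambiguous, which is one reason an implementation of this kind would reject it.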