Stringer Java Obfuscator documentation


Documentation menu

Introduction to Stringer



Stringer Java Obfuscator protects Java application binaries (JARs, WARs, EARs, Eclipse RCP projects, OSGi bundles) against reverse engineering and modification.

Stringer accepts as an input any of the following:

  • Directory (or directories) containing class files and resources
  • JARs with classes and resources
  • Java containers: WARs, EARs

Protection can be executed via the command line; via the Stringer desktop GUI application; via the Stringer Eclipse plugin; or directly within your build pipeline via Ant, Maven or Gradle.

Stringer is compatible with JRE versions ≥ 1.7, and can process Java applications compiled for J2SE 5.0 and higher.


  • String Encryption
  • Hide Access: Virtualization of Method Calls, Field Types, and Field Access
  • Resource Encryption and Resource Name Obfuscation
  • Integrity control: Certificate checks; file content checks; file sealing; runtime integrity checks
  • Tamper detection notifications and callbacks
  • Code optimization
  • Flexible protection filters
  • Secure Runtime Environment (anti-emulator, anti-debug)
  • Transparent SSL Pinning / HTTP Public Key Pinning (HPKP)
  • Watermarking

String Encryption

Encryption of strings is used to hide the contents of string constants in Java applications. It is based on a strong cryptographic algorithm with the dynamic keys. These keys are calculated during the work of the protected application based on many parameters, and they can't be extracted from the application's code. As a result, if the code is decompiled, the contents of strings will be hidden and will be inaccessible for static analysis and decryption.

Hide Access: Virtualization of Method Calls, Field Types, and Field Accesses

The Hide Access mechanism masks the calls of library methods and application methods using randomly generated dynamic functions. Virtualization of method calls, field types, and field accesses protects an application’s critical logic from analysis and modification.

Note: It is recommended using this function only for classes which logic must be protected from analysis and modification, for example, critical application's logic, work with the license, etc.

Note: This technique allows you to hide Java API calls or third-party API calls you use in your project. If your bytecode is targeted to Java 7 it hides method calls by replacing them with calls to 'invokedynamic' engine, so that reverse engineering of the logic is extremely difficult, not to say impossible.

Resource Encryption and Resource Name Obfuscation

Stringer can also be used to encrypt resources — media files, data files, etc. — to prevent IP and data theft. In addition to this, it can obfuscate resource file names.

Integrity control: Certificate checks; file content checks; file sealing; runtime integrity checks

A binary processed by Stringer will be inoperable - essentially corrupted - if it is modified after protection. This prevents adversaries from disabling a licensing subsystem or injecting malicious code in your app, e.g. to obtain sensitive information such as passwords or credit card numbers of your application's users. Stringer Enterprise allows you to manually configure the integrity control function: enable/disable the file signature checks, file contents checks, and to configure tamper detection notifications and responses - how the protected application behaves after it was modified.

Tamper detection notifications and callbacks

Stringer allows you to specify how the app should behave in the event it detects any attempts to modify applications' content and/or the signature.

Code optimization

Stringer can remove redundant information such as debugging data and local variable names from code, optimizing the app for both size and performance.

Flexible protection filters and performance tuning

An important part of the configuration process is specifying which packages and classes will be targeted for protection. Stringer therefore provides a flexible mechanism for setting custom filters for each of its code and resource protection mechanisms.

There is a reference configuration file stringer.xml in the distro. String Encryption, Hide Access are enabled in this configuration, with exclusions for common open source libraries. We recommend starting with the reference configuration and then modifying it according to requirements


Sample projects are available on GitHub.