Introduction to Stringer

Stringer Java Obfuscator protects Java application binaries (JARs, WARs, EARs, Eclipse RCP projects, OSGi bundles) against reverse engineering and modification.

Stringer accepts as an input any of the following:

Protection can be executed via the command line; via the Stringer desktop GUI application; via the Stringer Eclipse plugin; or directly within your build pipeline via Ant, Maven or Gradle.

Stringer is compatible with JRE versions ≥ 1.7, and can process Java applications compiled for J2SE 5.0 and higher.

Encryption of strings is used to hide the contents of string constants in Java applications. It is based on a strong cryptographic algorithm with the dynamic keys. These keys are calculated during the work of the protected application based on many parameters, and they can't be extracted from the application's code. As a result, if the code is decompiled, the contents of strings will be hidden and will be inaccessible for static analysis and decryption.

The Hide Access mechanism masks the calls of library methods and application methods using randomly generated dynamic functions. Virtualization of method calls, field types, and field accesses protects an application’s critical logic from analysis and modification.

Note: It is recommended using this function only for classes which logic must be protected from analysis and modification, for example, critical application's logic, work with the license, etc.

Note: This technique allows you to hide Java API calls or third-party API calls you use in your project. If your bytecode is targeted to Java 7 it hides method calls by replacing them with calls to 'invokedynamic' engine, so that reverse engineering of the logic is extremely difficult, not to say impossible.

Stringer can also be used to encrypt resources — media files, data files, etc. — to prevent IP and data theft. In addition to this, it can obfuscate resource file names.

A binary processed by Stringer will be inoperable - essentially corrupted - if it is modified after protection. This prevents adversaries from disabling a licensing subsystem or injecting malicious code in your app, e.g. to obtain sensitive information such as passwords or credit card numbers of your application's users. Stringer Enterprise allows you to manually configure the integrity control function: enable/disable the file signature checks, file contents checks, and to configure tamper detection notifications and responses - how the protected application behaves after it was modified.

Stringer allows you to specify how the app should behave in the event it detects any attempts to modify applications' content and/or the signature.

Stringer can remove redundant information such as debugging data and local variable names from code, optimizing the app for both size and performance.

An important part of the configuration process is specifying which packages and classes will be targeted for protection. Stringer therefore provides a flexible mechanism for setting custom filters for each of its code and resource protection mechanisms.

There is a reference configuration file stringer.xml in the distro. String Encryption, Hide Access are enabled in this configuration, with exclusions for common open source libraries. We recommend starting with the reference configuration and then modifying it according to requirements

Sample projects are available on GitHub.