Obfuscating code, and references to Java standard APIs

So… I am building a little benchmarking app and people will be able to send results to my web server.

If I have any success, and people being people, I anticipate that overly competitive users might hack their results for bragging rights on Facebook etc. So I have encrypted the communication, and I plan to obfuscate the code too (but not the benchmark loops, which are fragile enough as it is :-\ ).

However, I think I could hack that pretty easily. Let's say I wanted to attack the communication with the web server. All I need to do is decompile and search the obfuscated code for references to relevant classes from the Java APIs. Then I reverse engineer the little bit of the program that sends the message to the server, and now I can submit world-beating scores.

It seems almost futile. Do I need to obfuscate Java too?

Yes, this is futile.

Cas :slight_smile:

Bugger. :frowning:

I am building in statistical checks on the server to discard outlier results, and also the ability to query and bulk delete results if needed. And there will be a cap on the frequency of submissions from any given IP.

Maybe the calculation should be done server-side?

I don’t know that this would help; then hackers would just fake the data being sent to the server for calculations.

Yes, the calculations are on the server as that is where the data is available for comparison. At least outrageous results can be excluded, and source code is not accessible.
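The server-side checks described in this thread (discarding outlier results and capping submission frequency per IP), sketched as an added example that is not code from any poster. Python, the class name `ScoreGate`, the thresholds and the sample scores are assumptions made for illustration.

```python
import statistics
from collections import defaultdict, deque

class ScoreGate:
    """Hypothetical server-side gate: per-IP submission cap plus outlier rejection."""

    def __init__(self, max_per_window=3, window_s=3600, z_limit=5.0, min_history=5):
        self.max_per_window = max_per_window   # submissions allowed per IP per window
        self.window_s = window_s               # window length in seconds
        self.z_limit = z_limit                 # modified z-score cut-off
        self.min_history = min_history         # scores needed before judging outliers
        self.accepted = []                     # scores that passed every check
        self.recent = defaultdict(deque)       # ip -> timestamps of counted submissions

    def _rate_limited(self, ip, now):
        q = self.recent[ip]
        while q and now - q[0] >= self.window_s:
            q.popleft()                        # forget submissions outside the window
        if len(q) >= self.max_per_window:
            return True
        q.append(now)                          # rejected scores still use up quota
        return False

    def _is_outlier(self, score):
        if len(self.accepted) < self.min_history:
            return False                       # too little data to judge statistically
        # Median/MAD instead of mean/stddev: one forged score that slips
        # through barely moves the threshold for the next submission.
        med = statistics.median(self.accepted)
        mad = statistics.median(abs(s - med) for s in self.accepted)
        if mad == 0:
            return score != med
        # 0.6745 scales the MAD so the result is comparable to a z-score
        return abs(0.6745 * (score - med) / mad) > self.z_limit

    def submit(self, ip, score, now):
        if self._rate_limited(ip, now):
            return "rate_limited"
        if score <= 0 or self._is_outlier(score):
            return "rejected_outlier"
        self.accepted.append(score)
        return "accepted"

if __name__ == "__main__":
    gate = ScoreGate()
    # Constructed sample: five plausible scores, then a forged one (192.0.2.x is a doc range).
    for i, s in enumerate([1000, 1020, 980, 1010, 990]):
        print(gate.submit(f"192.0.2.{i}", s, now=i))
    print(gate.submit("192.0.2.50", 999999, now=10))
```

A forged score that stays inside the plausible range still passes these checks, so they limit the damage from tampering rather than prevent it.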