Java .class files safe?

[Badmi]

I do not know where to post this so I am going to post it here. 

I have been considering making an offline commercial game in java for a long time. The one thing that concerns me is the fear that pirates would decompile my game and remove any security I placed in it then redistribute it for free. Is there any way I can protect my code? 

[Jeff]

Pirates WILL decompile your code and defeat your security.

 No ,matter what it is written in. 

They've been doing that for long before Java even existed. Deal with it.

This is a red herring where Java is concerned.

[Badmi]

Dose java have an increased risk?

Games published by our own members! Check 'em out!

[kevglass]

Definitely an increased risk - it's easy to decompile java and understand it than it is with C++.

However, if you intend to write a commercially successful game then it has to be good. If it's good - then someone *will* crack it. It only takes one to crack it - distribution after that doesn't take long.

Obfuscation helps.
Compiling to a native helps.
Using quirky/ornate security helps.

Still, if it's good, and people want it - it'll get cracked.

Kev

[Markus_Persson]

If the attacker knows how to decompile java and read it (and is not just a script kiddy) obfuscation doesn't help at all.
For example, if the attacker wants to bypass, say, a cd rom check, obfuscation might turn a 30 minute hack into a 45 minute one. But not more.

That said, obfuscation definitely doesn't hurt either, and it's dead simple to automate into your building process, so there's really no reason to not use an obfuscator. Just make sure you use one that spits out a reverse mapping file so you can still follow the stack traces. =)

[CommanderKeith]

Its a little strange that such a basic problem as this has no solution for all of java's security

re obfuscation: I've read that it makes your jars smaller in size too.

[erikd]

Its a little strange that such a basic problem as this has no solution for all of java's security

It's not so strange if you consider that java security is not about copy protection. It's two totally different matters.

[Markus_Persson]

To be honest, I think the java way is slightly better and less self-deceptive.

Natively compiled files can and frequently do get decompiled, analyzed and modified as well.
There's no such thing as client-side code security. As long as you're aware of this, you get forced to either implement some REAL security (if possible), or not ship sensitive material to the client. Of course, those two are often the same thing.

[Badmi]

The problem with single player games is that all the sensitive data is on the clients side. Are there any successful single player games that use java? Is there any tool that would allow me to encrypt the class file then hide the key?

[Riven]

You can encrypt whatever you want, but you are required to give the client the key at some point, invalidating the whole effort.

Games published by our own members! Check 'em out!

[cylab]

As others stated, you can't prevent that your game will be decompiled and cracked. Code obfuscation is an option to provide make it more difficult. You could encrypt your jars and write a ClassLoader that decrypts them, but the loader code will be unencrypted and therefore vulnerable.

I would opt to trust your users

[Jeff]

And it just aint that hard to find the test condition for your security in assembled binary and NOP it.

It really isnt.

[Anon666]

And it just aint that hard to find the test condition for your security in assembled binary and NOP it.

It really isnt....

...that simple.

[noblemaster]

put some code on a server ...

[pepijnve]

The company I work for sells a commercial api. We've had the same concerns about people running off with the code, but in the end came to the conclusion that it's just not worth all the effort you put into it. As has been said before, any software checks (however clever you make them) can be cracked if people put enough time and effort into it. The more complex you make your copy protection/licensing system the more you'll annoy your legitimate users. In the end we just used a relatively simple license checking system combined with obfuscation (using proguard) and that has worked fine. We are in a niche market though, so the likelihood of widespread piracy is probably alot smaller than in the games market.

[Evil-Devil]

For online multiplayer games i like the way with hashvalues. Just check for each login if the package has the right hash value. If not reject the client. Ok, skilled hackers will find a way to manipulate your files/archives while not having the hash been changed. But there is some effort needed

[Markus_Persson]

Or just remove the hash check, as that has to be client side as well.

(or if you sent the hash to the server, just send the hash of the unmodified client)

[Martin Strand]

If you've got a lobby server, send the license key from the client and let the server check it against a db. That way even keygens won't work.

[Markus_Persson]

If the lobby isn't needed to play the game, the client can just bypass that step.

[blahblahblahh]

Its a little strange that such a basic problem as this has no solution for all of java's security

If you can "solve" this "basic" problem, you will become the world's richest person.

Of course, the only way to solve this problem is to be one of the world's richest people to start off with.

(HINT: it requires you to own every PC in the world. Quite expensive, don't you think?)

Or, to put it another way:

"I can't believe that such a basic problem as death hasn't been solved yet by Western doctors. We have all these smart people, they must be really lazy that they haven't worked out how to do it yet."

[beowulf03809]

The problem with single player games is that all the sensitive data is on the clients side. Are there any successful single player games that use java? Is there any tool that would allow me to encrypt the class file then hide the key?

I'm worried from these statements that you're considering Java unsuitable for single-player games because it's "less secure"?  I would counter that there are probably no ( quality ) single-player games written in C++ that have not already been cracked.  Some show up on P2P systems days after release ( sometimes even days BEFORE release ).  In addition to just having download-n-play versions floating around for anyone with the bandwidth and knowing where to look, I have seen various resources ( graphics and sounds ) from such games used on web sites and emails.

As long as the user has physical access to the code the program is going to be hacked if someone wants to.  Trying to avoid this is right up there with the record company trying to "protect" music or Hollywood trying to "protect" movies.  It will deter but it will not stop.  The only way to guarantee your game is never hacked after release is to produce a game so poor that no one wants to put in the effort.  Otherwise, you should do your best to secure it against the efforts of less skilled folk and maybe some extras ( "call home" stuff, etc ) to deter the next level, and just accept that if you made a quality product some people will pay for it and others will steal it.

[kevglass]

The question is how much of a deterent are Java class files that decompile into reading source compared to native binaries.

It's definitely *easier* in Java to crack software with no online protection. This doesn't mean it's more or less likely to happen though.  That's determined by how good your game is.

I'd suggest spending less time on worrying about security and more time worrying on making the game good enough that people want to crack it. It could almost be considered a badge of achievement - you went to the effort of cracking my game - heh, it must be good

Kev

[Death33284]

So true... When people try to get enough protection on software (*coughstarforcecough*) it just ends up being a problem for even regular users. Go the route that even Elder Scrolls IV: Oblivion took, no real protection at all. They knew they had a great game, why delay the inevitable with protection and even though there was no protection they sold millions of copys.

[noblemaster]

Just because there is no copy protection does not mean people are not paying for it anymore. Just because I see an unlocked bicycle on the street does not mean I am going to steal it.

It is still illegal to distribute copyright protected software - most people will pay for your product: Better worry about writing a cool game ... 

[Ask_Hjorth_Larsen]

Just write your game in Malbolge instead of Java. Problem solved.

http://en.wikipedia.org/wiki/Malbolge

[Markus_Persson]

haha, I guess that actually WOULD solve the problem.

Now the problem is just managing to write a game in malbolge..

[Jeff]

The question is how much of a deterent are Java class files that decompile into reading source compared to native binaries.

It's definitely *easier* in Java to crack software with no online protection. This doesn't mean it's more or less likely to happen though.  That's determined by how good your game is.

And keep in mind that in this case 90% security  (security against 90% of the users) is no better then 10% security.

As soon as any ONE person cracks your code, its open.

Welcome to the world of the internet.

[zingbat]

There is one type of copy protection that can cracked (of course) but will annoy the hell out of hackers. At least it will make them play the entire game which they may not like and give up on cracking the game.

At the beginning of the game ask for the game key and save it somewhere on disk. But don't place this check only at the beginning of the game. Scater silent checks all over the game code and in several, more or less advanced, stages of the game. This forces the hacker to analize the entire code and play the game from start to finish. Also don't terminate the game immideatly after an hacked game is detected.

[Riven]

I read an article on a game that Sony built years ago, that removed certain key-elements from the game that prevented you from finishing certain levels.

This 'delayed' the first working crack a few *months*, which for an AAA title might actually increase revenue.

But for anything non-AAA, every brain-cycle spent on clientside-protection is wasted.

[Orangy Tang]

I read an article on a game that Sony built years ago, that removed certain key-elements from the game that prevented you from finishing certain levels.

That'd be Spyro and it's sequel, the article is on gamasutra and pretty much essencial reading for anyone doing crazy hack prevention. Some really clever stuff, most of which isn't possible in Java code (or even on a pc). IMHO though all it really proves is that *everything* will eventually be hacked, and no copy protection is entirely non-intrusive when it comes to normal development. The real question is how much development time you're willing to spend on it (and so how much you're willing to take away from actual 'proper' development).