javajarsigned-appleturlclassloader

Detect Java JAR/Code Tampering


I'm writing a piece of software that is distributed as a JAR file. Currently, this JAR file can be tampered with to retrieve and save another file that our server transmits via URLClassLoader, be decompiled, and find various things in our code that should remain private for the security of the clients using it. Basically, I want to implement a way to check if the original JAR is tampered with. I know this is paradoxically impossible by implementing a check for validity of a SignedObject in the original class due to the nature of Java being able to be decompiled, but is there some other way that I can determine if code has been tampered with in the original file? This check can happen via an intermediary class that is downloaded to check for validity, or any other means that will be guaranteed to work. I've been sitting here all day trying to come up with a solution to this problem. Any help is welcomed.


Solution

  • This is theoretically and practically impossible. The verification of jars occurs on the client side. Any cryptography is not presented to you in a verifiable fashion, and you trust that the client offers any crypto.

    Even if you were to request arbitrary bytes from the jar file itself for verification, the evil user may configure for bytes to be taken from a good jar but presented by bad code.

    You can use a cryptographic proof to ensure the other side has data, but making sure that it only has that copy/revision/version of that data is impossible. A determined attacker can feed you any lies as he can claim in any verification that he has the valid jar.

    In short, presence of correct data does not imply exclusive presence of same.