yGuard is now open source - obfuscation easy as pie

Disclaimer: This is not a sponsored post. However so my current employee pays me for maintaining the repository, so it's fair to mention them.

I work for a company called yWorks. They make libraries for graphs that are (imho) state of the art, and also are a fun company to work at 🍺

Because these libraries are sophisticated the company is very inclined to protect their intellectual property. In the golden age of Java (which was right about the time they put this onto the market) it would have been crucial to implement some sorts of protection in order to ensure this IP. This is why yGuard was initially developed (side note: when I first touched the repository, some assets were as old as 11 years).

I love open source - period. Knowing this, my CTO approached me a while ago, certain I would be all 🔥 for making this product available for a wider audience. We had a brief discussion and off I went on my journey to make it open-source.

I made a checklist of things that needed to be addressed before releasing it to the public on GitHub:

• relicense everything that can be relicensed ✅
• replace proprietary code with libraries or rewrite it if necessary ✅
• replace ancient build system and dependencies with up-to-date ones ✅
• set up tests and CI so it stays in good shape ✅
• add extensive documentation and sample code ✅
• add contribution guidelines ✅

With this list done, I'm thrilled to announce: we released yGuard into the wild (a while ago)!

This post however should not only be a mere release announcement, but I am going to put some sample code here, so it becomes clear what this obfuscation actually does 💡

Say, we have a rather complete Java application that has an entrypoint like so:

package com.yworks.example;

public class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello World");
    }
}

Now, given we use Gradle as our build system, we could use a very simple yguard task to obfuscate the resulting .jar

task obfuscate {
  dependsOn jar

  doLast {
    ant.taskdef(
            name: 'yguard',
            classname: 'com.yworks.yguard.YGuardTask',
            classpath: sourceSets.main.runtimeClasspath.asPath
    )

    def archivePath = jar.archiveFile.get().asFile.path
    ant.yguard {
      inoutpair(in: archivePath, out: archivePath.replace(".jar", "_obf.jar"))
      shrink(logfile: "${buildDir}/yshrink.log.xml") {
        keep {
          method(name: "void main(java.lang.String[])", "class": application.mainClassName)
        }
      }
      rename(mainclass: application.mainClassName, logfile: "${buildDir}/yguard.log.xml") {
        property(name: "error-checking", value: "pedantic")
      }
    }
  }
}

This tells the build system:

• configure an Ant task so we can use yguard
• execute the yguard task with an input and output .jar
• shrink the resulting .jar, leaving only classes and methods that are loaded from main
• obfuscate all class names, function names, variable names, ... except for main

Once we call gradle obfuscate this will produce an obfuscated .jar, leaving nothing but a weird trail of characters in the file names and classes.

Did you notice the logfile property? This is the best part. We can use the mapping established during obfuscation to unscramble stacktraces!

I could write a rather lengthy article about all the possible configurations that you can use, which would far exceed a simple introduction. Maybe someday, somewhen I'll give a nice talk about how it all works 😎. In the meantime, please have a look at the extensive documentation and examples, which covers all of these options.