Obfuscate the plugin
We recommend obfuscating your paid plugin before uploading it to the Marketplace. Every application can be hacked, but proper obfuscation makes doing so much harder.
Here are some of the most popular Java obfuscators:
At JetBrains, we have a lot of experience with Zelix Klassmaster, so we are sharing some information about how to configure it. Information about Zelix configuration and tips for regarding the features is provided by Eugene Zhuravlev, the IntelliJ IDEA developer who implemented the licensing mechanism and Marketplace support in IntelliJ IDEA.
You can find the full documentation here, and we have been using the script file (not the UI tool.)
This is the configuration for the obfuscator we use for IntelliJ IDEA based products:
And these are the most important features:
trim removes unused fields, methods, and classes. It’s a useful feature, but you should use it carefully. Normally we limit the scope to the licensing packages only. For example,
static final constants are normally inlined by the compiler, but the fields and their values are preserved in the code. It might give additional "hints" to those analyzing the bytecode of your plugin.
obfuscateFlow=aggressive can tangle the control flow in the method, which complicates the addition of hacking code.
encryptStringLiterals=enhanced is very important. It encrypts the string literals, which also masks reflection calls, hardcoded signatures, and certificates.
methodParameterChanges=flowObfuscate is an additional protection level that complicates the decryption of scrambled string literals. It creates additional dependencies and connections between classes, which results in protection against getting classes from IntelliJ IDEA Community Edition (open source) and putting it in IntelliJ IDEA Ultimate Edition, expecting them to work.
obfuscateReferences=normal is important to configure for some packages and classes. If you are calling a method of an object from some package, let's say
javax.security.*, the obfuscator will mask this call changing it to the reflection with the encrypted name of the method. With this feature, you are hiding the places where some important libraries are called, and without this feature, it would be very easy to locate these pieces of code via links to the libraries.
We certainly recommend reading the full documentation to understand how obfuscation works. We believe that the plugins can use more aggressive obfuscation/scrambling than we do in IntelliJ IDEA, as we have a lot of APIs that we have to preserve on our side. Don't be shy about scrambling the code – it increases the protection a lot.
We have tried getting the same result with ProGuard (as it's free), and one of the major drawbacks was the lack of String Obfuscation support (Zelix option
encryptStringLiterals=enhanced). Some users complement ProGuard with an additional paid string obfuscator (e.g.https://jfxstore.com/stringer/), see this article
By default, ProGuard can
preverify, and all four options are recommended.
We would also recommend using
-overloadaggressively for more aggressive obfuscation and
-applymapping ChangeLog.txt to keep a log of changes. You can learn about more options here.
Similar features surely exist in other Java obfuscators, including free/open-source ones.
As of now, we haven’t been able to find any Kotlin obfuscators or Java obfuscators with Kotlin support, so we can't recommend much here. We are looking into the situation, and we’ve started working with the Kotlin team to make sure that support for Kotlin is provided on the obfuscator’s side.