
Increased security with ProGuard #12027

Closed
1 task done
bolodecenouracomcafe opened this issue Jul 3, 2020 · 3 comments

Comments

@bolodecenouracomcafe

Overview of the feature request

Add Proguard to the JHipster stack, increasing the security of the projects and contributing to a safer internet.

ProGuard is an open source tool that has existed for more than 7 years and will continue to have releases.

https://www.guardsquare.com/en/products/proguard/manual/introduction
http://wvengen.github.io/proguard-maven-plugin/

Motivation for or Use Case

By obfuscating the source code, we prevent an attacker from having access to the source code in order to exploit possible logic flaws.

Source code obfuscation has become popular in Android applications because the APK is downloaded to the user's device.

In a server-intrusion scenario, access to the source code is much more critical, exposing sensitive information that assists the attacker in his attack.

Related issues or PR

#1405

  • Checking this box is mandatory (this is just to show you read everything)
@jdubois
Member

jdubois commented Jul 3, 2020

I found the source code at https://github.com/Guardsquare/proguard and it has a GPL v2 license. As it re-writes the whole application, I would be very cautious to use it, as I believe this means your whole application becomes GPL v2.

Anyway, I really don't understand the added value of such a tool for a server-side application (=the attacker has access to the database, why bother modifying the Java code), and it would definitely make debugging and monitoring more complicated (=Java agents will be unusable), so I would be very hesitant to use it. I wouldn't push it to our users, anyway, as it can cause a huge number of side effects because of the code modifications.

@atomfrede
Member

As it is mainly configuration of the build tooling it can go to a module.

@bolodecenouracomcafe
Author

I asked the ProGuard team and they answered: "Optimizing and name-obfuscating server-side applications is generally not useful, unless you are really concerned about the application size."

We can close this issue, leaving it only for history.

@pascalgrimaud pascalgrimaud added this to the 7.0.0 milestone Jul 20, 2020