CAP file is a common binary redistributable in the Java Card world which contains all required information for a smart card manufacturer to be able to upload the third party application onto the SIM and deliver the final product. Such scenario is quite common for mobile applications which are usually provided by one smart card vendor or by an independent company and distributed to all vendors wishing to deliver SIM cards to an operator or just to take part in a preliminary testing. Therefore, quite often such an applet may fall into hands of competitors. Owing to the growth of the Java Card application market and the increasing size and complexity of the applications itself such thread should carefully considered.
It is known that interpreted Java byte codes are quite vulnerable to reverse engineering attacks which can be performed even with the open source java decompilation tools unless the compiled code underwent obfuscation. Standard Sun’s converter normally employed for CAP generation works to a great extent as an obfuscator hiding class and field names as well as method signatures. Nevertheless, a CAP file generated by a common Sun’s compiler and converter can be reverse engineered and in most cases will remain compilable.
A proposed by the authors CAP decompilation technique is a two stage process. At first step class files are reconstructed from the original CAP using the reversed procedure followed by the common converter, then, source codes can be recovered using available open source tools such as JAD. The reconstructed code misses original class, method and field names and its analysis itself can be a challenge, however, it can be used for certain operations. The proposed technique is sensitive to java compiler and converter versions used for the original compilation. Therefore certain counter-measures implemented in the converter such as flow or stack operations obfuscation can prevent from the correct code reconstruction.
The presented results demonstrate that vulnerability to reverse engineering attacks should be seriously considered by Java Card developers intending to distribute their applications to the third parties especially for Java Card 3.0 platform.