In the previous company, we had such questions, mainly related to management paranoia.
First of all, you need to understand that absolute security is just a myth. As long as your program runs on unreliable hardware, it can be decompiled, no matter what language you use. The only thing you can change is the cost of the attacker to understand your software / algorithm / data.
As for obfuscation: it can be considered the first level of protection, since it makes Java code completely unreadable. Good obfuscators like ProGuard use forbidden characters in variable / method names, preventing decompiled code from executing. Now, this can be considered a pretty good security measure, since code decompilation is not as simple as running Jad or other decompilers and having perfectly working Java code. However, you can understand most of the algorithms presented in such code (since the readable code is very different from the compiled code).
Additional security measures include:
- Running confidential code on the server using a kind of web service to send results and get results (using REST / SOAP / YouNameIt)
- Download sensitive code from a remote server using HTTPS and (possibly) additional security levels.
Of these two security measures, I would honestly choose the first. In fact, the second can be undermined by typical HTTPS attacks (the man in the middle, proxies, etc.) ... and it has the great inconvenience of putting code on untrusted equipment, which makes it possible to borrow from there.