How to understand why R8 doesn't obfuscate code - android

I'm building an Android app using Android Gradle Plugin 4.1.0 and Gradle 6.5.1. In my build.gradle file the flag minifyEnabled has the value true. This is my proguard-rules.pro file:
#rx
-dontwarn rx.**
-keep class rx.** { *; }
#retrofit / okhttp
-dontwarn retrofit.**
-keep class retrofit.** { *; }
-keep class okio.** { *; }
-keep class com.squareup.okhttp.** { *; }
-keep interface com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-dontwarn okhttp3.internal.platform.**
-dontwarn okio.**
-dontwarn org.conscrypt.**
#gson
-keepattributes SerializedName
-keep class com.google.gson.** { *; }
-keep class sun.misc.Unsafe { *; }
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer
-keepclassmembers enum * { *; }
-keepattributes Signature
-keepattributes Exceptions
-keepattributes *Annotation*
-dontwarn javax.annotation.Nullable
-dontwarn javax.annotation.ParametersAreNonnullByDefault
-dontwarn javax.annotation.concurrent.GuardedBy
-dontwarn org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement
#guava
-dontwarn afu.org.checkerframework.checker.formatter.**
-dontwarn afu.org.checkerframework.checker.nullness.**
-dontwarn afu.org.checkerframework.checker.regex.**
-dontwarn afu.org.checkerframework.checker.units.**
-keep class * implements ru.surfstudio.android.network.Transformable
-keep class * implements ru.surfstudio.android.network.response.BaseResponse
-dontwarn com.bumptech.glide.**
#firebase crashlytics
-printmapping mapping.txt
-keepattributes *Annotation*,SourceFile,LineNumberTable
-keep public class * extends java.lang.Exception
-keep class com.google.firebase.crashlytics.** { *; }
-dontwarn com.google.firebase.crashlytics.**
#kotlin-reflect
#https://stackoverflow.com/questions/45871970/kotlin-reflect-proguard-smallsortedmap
-dontwarn kotlin.reflect.jvm.internal.**
#Cashoff javascript interface
-keep class ru.sbi.android.f_analytics.analytics.CashoffInteface { *; }
-dontwarn ru.sbi.android.f_main.R$id
-keep class ru.sbi.android.ui.navigation.MainTabType
#Cross-feature navigation keeps
-keep interface ru.sbi.android.ui.fragment.CrossFeatureFragment {*;}
-keep class * implements ru.sbi.android.ui.fragment.CrossFeatureFragment
#android standard
-keep class ru.surfstudio.android.rx.extension.ConsumerSafe { *; }
-keep class ru.surfstudio.android.rx.extension.ActionSafe { *; }
#AndroidPdfViewer
-keep class com.shockwave.pdfium.util.Size
#firebase
-dontwarn com.google.firebase.messaging.**
#android material
-keep class com.google.android.material.** { *; }
-dontwarn com.google.android.material.**
#Если вы хотите применять новый API Google API для отслеживания инициаторов
-dontwarn com.android.installreferrer.com.android.installreferrer
-ignorewarnings
I see lots of minifyReleaseWithR8 tasks being executed during the build.
But when I'm decompiling the resulting APK using apktool I see that all the package, class, methods names are the same as in my Android Studio. How can I understand why R8 doesn't obfuscate the code?

You have a keep rule for every single class you use in your app. If you have a -keep rule matching a class it will be kept and not obfuscated. For obfuscation to rename items (classes/fields and methods) that either have to not be matched by a keep rule (or matched by a keep rule with modifier allowobfuscation).
Keep rules are only required for items which are looked up through reflection, so you will have to trim down your rules to a much smaller set. I suggest that you start out by an empty proguard-rules.pro and only get what getDefaultProguardFile('proguard-android-optimize.txt') generates (like here). Then your app might not work, but then you can figure out what is going wrong and start adding additional rules. One way to start there is to only keep the classes in you own application package (-keep class ru.sbi.android.** { *; }), as libraries normally does not need keep rules, and then try to trim that further.
Please take a look at Shrink, obfuscate, and optimize your app as well.

Related

Gradle 3.4.1 not able to parse the response into Object with Proguard

I just updated my Gradle to 3.4.1.
I am having an API call inside one of my module.
I am using the module inside the app :
implementation com.mindvalley.module_login:Module_Login:$rootConfiguration.loginLibraryVersion
Now when I generate a signed build with ProGuard, the object is null, meaning retrofit is not able to parse the object.
P.S. : This works fine with debug mode or if I run the app with Gradle version 3.3.2
My Retrofit Proguard file :
-dontwarn retrofit2.**
-keep class retrofit2.** { *; }
-keepattributes Signature
-keepattributes Exceptions
-keepclasseswithmembers class * {
#retrofit2.http.* <methods>;
}
-keepattributes Signature, InnerClasses, EnclosingMethod
-keepattributes RuntimeVisibleAnnotations, RuntimeVisibleParameterAnnotations
-keepclassmembers,allowshrinking,allowobfuscation interface * {
#retrofit2.http.* <methods>;
}
-dontwarn org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement
-dontwarn javax.annotation.**
-dontwarn kotlin.Unit
-dontwarn retrofit2.KotlinExtensions
-if interface * { #retrofit2.http.* <methods>; }
-keep,allowobfuscation interface <1>
-dontwarn org.codehaus.mojo.**
-keepattributes *Annotation*
-keepattributes RuntimeVisibleAnnotations
-keepattributes RuntimeInvisibleAnnotations
-keepattributes RuntimeVisibleParameterAnnotations
-keepattributes RuntimeInvisibleParameterAnnotations
-keepattributes EnclosingMethod
-keepclasseswithmembers class * {
#retrofit2.* <methods>;
}
-keepclasseswithmembers interface * {
#retrofit2.* <methods>;
}
My OkHttp proguard file :
-keepattributes Signature
-keep class okhttp3.** { *; }
-keep interface okhttp3.** { *; }
-dontwarn okhttp3.**
-dontwarn javax.annotation.**
-keepnames class okhttp3.internal.publicsuffix.PublicSuffixDatabase
-dontwarn org.codehaus.mojo.animal_sniffer.*
-dontwarn okhttp3.internal.platform.ConscryptPlatform
-dontwarn org.codehaus.mojo.animal_sniffer.*
My GSON proguard file :
-keepattributes Signature
-keepattributes EnclosingMethod
-keep class sun.misc.Unsafe { *; }
-keep class com.google.gson.stream.** { *; }
-dontwarn com.google.gson.internal.UnsafeAllocator
-keepattributes Signature
-keepattributes *Annotation*
-dontwarn sun.misc.**
-keep class com.google.gson.examples.android.model.** { <fields>; }
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer
-keepclassmembers,allowobfuscation class * {
#com.google.gson.annotations.SerializedName <fields>;
}
P.S. : This works fine with debug mode or if I run the app with Gradle version 3.3.2
Since, Gradle Plugin version 3.4.0, D8/R8 is enabled by default and obfuscation will be done by R8 instead of ProGuard.
See Stick to ProGuard Obfuscation for how to stick with Proguard.
See Android/java: Transition / Migration from ProGuard to R8?
for how to migrate to R8.

My app crashes after proguard

I added the following rules in my proguard.rules file.
Now when I am running a debug build from android-studio, it is working but when I generate a signed apk, it crashes on Launch.
#### -- Picasso --
-dontwarn com.squareup.okhttp.**
#### -- databinding --
-dontwarn android.databinding.**
#### -- Apache Commons --
-dontwarn org.apache.http.entity.**
And here are the logs
Error:Execution failed for task ':app:transformClassesAndResourcesWithProguardForQaRelease'.
Job failed, see logs for details
Warning:org.apache.http.entity.mime.content.StringBody: can't find referenced class org.apache.http.util.Args
Warning:org.apache.http.entity.mime.content.StringBody: can't find referenced class org.apache.http.entity.ContentType
Warning:com.squareup.picasso.OkHttpDownloader: can't find referenced class com.squareup.okhttp.OkHttpClient
Warning:android.databinding.DataBindingUtil: can't find referenced class android.databinding.DataBindingComponent
You can add the rules below
# Okio
-keep class sun.misc.Unsafe { *; }
-dontwarn java.nio.file.*
-dontwarn org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement
-dontwarn okio.**
#databinding
-dontwarn android.databinding.**
-keep class android.databinding.** { *; }
# OkHttp
-keepattributes Signature
-keepattributes *Annotation*
-keep class com.squareup.okhttp.** { *; }
-keep interface com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-keep class okhttp3.** { *; }
-keep interface okhttp3.** { *; }
-dontwarn okhttp3.**

How to keep crosswalk code when obfuscate my project?

I import crosswalk in my app. To keep the crosswalk code, I add this in proguard-project.txt:
-dontwarn org.chromium.**
-dontwarn org.xwalk.core.**
-keep class com.google.common.** {*;}
-keep class com.googlecode.eyesfree.braille.** {*;}
-keep class javax.annotation.** {*;}
-keep class org.chromium.** {*;}
-keep class org.xwalk.core.** {*;}
But, it seems wrong. Who can help me? Thanks very much!
found this:
-keep class org.xwalk.core.** {
*;
}
-keep class org.chromium.** {
*;
}
-keepattributes **
from here:
https://crosswalk-project.org/documentation/about/faq.html
You need add another statement:
-keepattributes *

Release version with proguard issues - GSON

If I build my app in debug it works perfectly. However, when I build for release with proguard, I get several errors and then the build fails. The error summary:
Warning:there were 445 unresolved references to classes or interfaces.
Warning:there were 13 instances of library classes depending on program classes.
I modified my proguard-rules.txt file as shown below. This allowed the build to succeed, but when I install the app, the amazon downloads do not work (works in the debug version).
-keep class org.xmlpull.v1.**
-keep class org.apache.http.**
-keep class org.ietf.jgss.**
-keep class com.amazonaws.services.**
-keep class org.w3c.dom.bootstrap.**
-dontwarn org.xmlpull.v1.**
-dontwarn org.apache.http.**
-dontwarn org.ietf.jgss.**
-dontwarn com.amazonaws.services.**
-dontwarn org.w3c.dom.bootstrap.**
Any suggestions as to how I can get this fixed please?
Update:
Have narrowed it down to a GSON/JSONPARSER issue. For the release version, JSONPARSER does not convert downloaded json to a supplied class like it does in debug. The GSON proguard rules (see update 2 ) have also been added but the issue persists.
-keep class org.apache.commons.logging.** { *; }
-keep class com.amazonaws.services.sqs.QueueUrlHandler { *; }
-keep class com.amazonaws.javax.xml.transform.sax.* { public *; }
-keep class com.amazonaws.javax.xml.stream.** { *; }
-keep class com.amazonaws.services.**.model.*Exception* { *; }
-keep class com.amazonaws.internal.** { *; }
-keep class org.codehaus.** { *; }
-keep class org.joda.convert.* { *; }
-keepattributes Signature,*Annotation*,EnclosingMethod
-keepnames class com.fasterxml.jackson.** { *; }
-keepnames class com.amazonaws.** { *; }
-dontwarn com.amazonaws.auth.policy.conditions.S3ConditionFactory
-dontwarn org.joda.time.**
-dontwarn com.fasterxml.jackson.databind.**
-dontwarn javax.xml.stream.events.**
-dontwarn org.codehaus.jackson.**
-dontwarn org.apache.commons.logging.impl.**
-dontwarn org.apache.http.conn.scheme.**
-dontwarn org.apache.http.annotation.**
-dontwarn org.ietf.jgss.**
-dontwarn org.w3c.dom.bootstrap.**
-dontwarn org.xmlpull.v1.**
-dontwarn com.amazonaws.services.**
-libraryjars libs/aws-android-sdk-1.7.1.1-core.jar
-libraryjars libs/aws-android-sdk-1.7.1.1-s3.jar
-libraryjars libs/gson-2.2.4.jar
-libraryjars libs/ksoap2-android-assembly-3.3.0-jar-with-dependencies.jar
Update 2
# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature
# For using GSON #Expose annotation
-keepattributes *Annotation*
# Gson specific classes
-keep class sun.misc.Unsafe { *; }
-keep class com.google.gson.stream.** { *; }
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }
Finally solved. GSON could not convert my JSON into a class using the fromJson method as proguard had obfuscated my class's fields. I had to add for each of my classes used during json deserialization:
-keepclassmembers class fully.qualified.path.to.class$innerclass {
private <fields>;
}
As per usual, no mention of this in the GSON docs. This was a project I took over - I personally have never used GSON and wont do so in future.
A few notes to those facing similar issues:
Always make sure when you use a library to include all the
recommended (by the library - see their web pages) entries in your
proguard-rules.text file.
They have mentioned in the comments in the second last line of update2.
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }
Change the last line to your actual path inside code to classes that will be serialized. Don't copy paste as it is. Example:
-keep class com.myclass.model.** { *; }
That worked for me.

How do you make a signed & obfuscated android release build from inside eclipse?

My android development process is to build and debug my app in eclipse and when I'm ready to publish I produce a signed, obfuscated (with proguard) apk by running "ant release" from the shell.
Is it possible to produce a signed, proguard release from within eclipse? I'm using eclipse indigo on windows with version 13 of the ADK
Yes. Once you enable ProGuard by adding the proguard.config=proguard.cfg entry to project.properties, Eclipse will obfuscate your code when you export an signed package. Details here.
BTW, you should upgrade to the latest ADT (15).
Use this in proguard files of yours you can able to make obfuscated build after enabling proguard in release/debug build.
Lakshay Proguard-Files entry details
# To enable ProGuard in your project, edit project.properties
# to define the proguard.config property as described in that file.
-keepclassmembers class fqcn.of.javascript.interface.for.webview {
public *;
}
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontpreverify
-verbose
-dontoptimize
-dontwarn android.support.**
-dontwarn com.google.**
-dontwarn com.loopj.android.http.**
-dontwarn com.worklight.androidgap.plugin.**
-dontwarn com.worklight.wlclient.**
#-injars bin/classes
#-injars libs
#-outjars bin/classes-processed.jar
# Using Google's License Verification Library
-keep class com.android.vending.licensing.ILicensingService
# Specifies to write out some more information during processing.
# If the program terminates with an exception, this option will print out the entire stack trace, instead of just the exception message.
-verbose
####################################################################################################
############################## IBM MobileFirst Platform configuration ############################
####################################################################################################
# Annotations are represented by attributes that have no direct effect on the execution of the code.
-keepattributes *Annotation*,EnclosingMethod
# For native methods, see http://proguard.sourceforge.net/manual/examples.html#native
-keepclasseswithmembernames class * {
native <methods>;
}
# keep setters in Views so that animations can still work.
# see http://proguard.sourceforge.net/manual/examples.html#beans
-keepclassmembers public class * extends android.view.View {
void set*(***);
*** get*();
}
-keepattributes InnerClasses
-keep class **.R
-keep class **.R$* {
<fields>;
}
# These options let obfuscated applications or libraries produce stack traces that can still be deciphered later on
-renamesourcefileattribute SourceFile
-keepattributes SourceFile,LineNumberTable
# Enable proguard with Cordova
-keep class org.apache.cordova.** { *; }
-keep public class * extends org.apache.cordova.CordovaPlugin
-keep class com.worklight.androidgap.push.** { *; }
-keep class com.worklight.wlclient.push.** { *; }
-keep class com.worklight.common.security.AppAuthenticityToken { *; }
# Enable proguard with Google libs
-keep class com.google.** { *;}
-dontwarn com.google.common.**
-dontwarn com.google.ads.**
# apache.http
-keep class org.apache.http.** { *; }
-keep class com.worklight.** {
*;
}
-keep class org.apache.commons.codec.** {
*;
}
-keep class net.sqlcipher.** { *; }
-dontwarn net.sqlcipher.**
-keep class org.codehaus.** { *; }
-dontwarn org.apache.http.**
-dontwarn org.apache.commons.codec.**
-optimizations !class/merging/vertical*,!class/merging/horizontal*,!code/simplification/arithmetic,!field/*,!code/allocation/variable
-keep class org.apache.http.* { *; }
-keep class org.apache.http.client.** { *; }
-keep class org.apache.http.cookie.** { *; }
-keep class org.apache.http.impl.cookie.** { *; }
-keep class org.apache.http.message.** { *; }
-keep class org.apache.http.util.** { *; }
# These classes contain references to external jars which are not included in the default MobileFirst project.
-dontwarn com.worklight.common.internal.WLTrusteerInternal*
-dontwarn com.worklight.jsonstore.**
-dontwarn org.codehaus.jackson.map.ext.**
-dontwarn com.worklight.androidgap.push.GCMIntentService
-dontwarn com.worklight.androidgap.plugin.WLInitializationPlugin
-dontwarn com.worklight.wlclient.push.GCMIntentService
-dontwarn org.bouncycastle.**
-dontwarn com.worklight.androidgap.jsonstore.security.SecurityManager
-dontwarn com.worklight.wlclient.push.WLBroadcastReceiver
-dontwarn com.worklight.wlclient.push.common.*
-dontwarn com.worklight.wlclient.api.WLPush
-dontwarn com.worklight.wlclient.api.SecurityUtils
######################################################################################################
-ignorewarnings

Categories

Resources