I want to build a secure release apk, It's mean that anyone can not mod or Tampering (hack)
There's no way to protect your app 100% from being modified, but to make it harder for hackers to understand and modify your code, change minifyEnabled to true in your build.gradle file.
You can read more about shrinking and optimizing your app here. https://developer.android.com/studio/build/shrink-code
android {
buildTypes {
release {
// Enables code shrinking, obfuscation, and optimization for only
// your project's release build type.
minifyEnabled true
}
}
}
If you sign your app, it cannot be tampered with without invalidating the signature.
However, that is not sufficient to stop someone moding your code and then running it on a "rooted" device. Or similar.
In fact, there is nothing you can do to 100% prevent that. The best you have is to use an obfuscator, and hope that the hackers are not going to try hard.
There is no technical solution that will prevent a user from tampering with a 3rd-party app on any platform that they control. This is not an Android or Java specific problem. It applies for all user-controlled platforms and all programming languages.
Related
I have read the article. The author think every Android app should use code shrinking.
I use the following code to shrink and obfuscate code, proguard-rules.pro is original and blank, and proguard-android-optimize.txt is original. it's default made by Android Studio.
You know that some project can work well in Android Studio but failed after publish to Google Play, you can see the article.
When an app run in Android Studio, I think ProGuard doesn't work and it doesn't shrink and obfuscate code, so the app works well in Android Studio.
When I generate .aab file for publish in Android Studio, the ProGuard will shrink and obfuscate code, but it maybe cause runtime error due to incorrectly shrink and obfuscate operation.
How can I test if ProGuard works correctly before I publish an app to Google Play ?
buildTypes {
release {
minifyEnabled false
shrinkResources false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
debug {
}
}
Add content:
To Ryan M: Thanks!
It seems that I can test whether ProGuard works correctly in Android Studio by the article.
You can see Code A and Image A.
Is that right?
Code A
debugMini {
initWith debug
minifyEnabled true
shrinkResources true
proguardFiles getDefaultProguardFile('proguard-android.txt'),
'proguard-rules.pro'
matchingFallbacks = ['debug']
}
Image A
Install and run the minified release version of your app (see here or here for info on installing AAB files) that you upload to Google Play, not the debug version.
If you're just hitting "Run" in Studio, you're installing the debug version that doesn't (by default) have Proguard or other minification run on it. If you instead use the minified release version before uploading it to Google Play, you'll get the same behavior you will after uploading: Google Play isn't running any "extra" Proguard tasks on it after you upload.
You can also use the Alpha/Beta testing tracks in Play to test the full Play experience without publishing to a wider audience or fiddling with bundletool.
There are several ways to confirm you code is being properly minimized. One is to check the youappmodule/build/outputs/mapping/release/mapping.txt file. This will include lines like
com.example.somepackage.SomeClass -> a.b.c.d:
If you see that, you know which classes are being properly obfuscated. You can also find out which classes have been removed by making sure there is no such entry for that class.
Another good way is to inspect the output APK in Android Studio. In Android Studio 4.1 you can do this by going to Build > Analyze APK and then selecting your APK that should have had Proguard run with it. You can then inspect the classes.dex file and check its contents. You can see which classes have been obfuscated and removed by directly traversing the file structure.
I think the easiest way to test it is to build your app in the release version and install it on your device.
This is the simplest way.
I am working an a existing Android app which includes the Dropbox SDK. The SDK includes a ton of new classes which makes it necessary to use minifyEnabled true in buildsettings to avoid multidex.
While this is no problem in my release config it has a major downside when debugging the app: Most of the breakpoint do not work any more.
Even if a breakpoint works and I would like to use the "step into" feature to step through the code it happens that this is not possible. Instead of stepping to the code, the call stack shows obfuscated instead of the real code:
a.c:111,f (com.my.app.a)
xb:106,f (com.my.app.a)
onCreate:62, MyApp (com.my.app.TheClass)
...
So, I cannot set minifyEnabled false. Is there anything else I can do to still use my breakpoints?
If you only want to use ProGuard (minifyEnabled true) in order to prevent the app from requiring multidex, you can disable obfuscation and only use the shrinking feature of ProGuard (assuming that you dont use optimization e.g. when using proguard-android.txt as default config).
This should not create obfuscated stacktraces and allow you to debug the application.
Edit:
In order to disable obfuscation, just add
-dontobfuscate
to your configuration file.
I have been working on android app development from past 4 months and now I have developed my first app and as it is easy to decompile a apk so we should use dex or proguard for shrinking and protection.The problem is I have read in an article that proguard may change the code so sometimes a app may misbehave ,this is my first app and I don't want to mess up.So before using proguard in my app I have few questions -
1.What are the points to keep in mind before using proguard.
2.I read you can use keep command but proguard will not obfuscate that code and it will remain same,so I want my all code but as I will use keep it won't do anything.
3.How to make sure that the after functioning of app is same as before after using proguard.
4.Is is necessary to sign app or make key for using proguard?
Question1. What to keep in mind!
The docs state that there may be unintended events that occur from using proguard
Be aware that code shrinking slows down the build time, so you should
avoid using it on your debug build if possible. However, it's
important that you do enable code shrinking on your final APK used for
testing.
After ProGuard shrinks your code, reading a stack trace is difficult (if not impossible) because the method names are obfuscated.
I believe this answers question 3
The key word here is test, test, test! The moment you create your release apk. Test the functionality against your use cases to see if the application is still running the way it should.
If you don't have tests yet I would recommend write some at least unit tests before you release and test the proguard app against that.
Question 4: No you do not need a key to use proguard. I have used it on my debug builds before.
So your typical release build variant could look something like this:
//AndroidStudio3.0.1Canary
release {
postprocessing {
removeUnusedCode true
removeUnusedResources true
obfuscate true
optimizeCode true
proguardFile 'proguard-rules.pro'
}
}
I'm creating an app for android and ios, and i already know that it's theoretically possible to decompile an android app. The app contains sensitive information that i don't want users to have access to as the app interfaces with a webserver. If a user gained access to some information available in the source code, they could potentially spam my web server with requests.
Is there any way to authenticate a connection between the app and the server, assuming that the source code is accessible, or is there any way to obfuscate my code to prevent a malicious user from spamming my webserver.
Thankss
[UPDATE]
**
When you build your application using Android gradle plugin version > 3.4.0, the plugin chooses R8 to optimize and obfuscate the code. The rules can now be configured on proguard-rules.pro or proguard-app.conf files. the rules to indicate what to exclude from the obfuscation are similar to the ones in proguard.cfg used earlier.
You can import your proguard files in your build.gradle like
buildTypes{
...
release{
proguardFiles getDefaultProguardFile(
'proguard-android-optimize.txt'),
'proguard-rules.pro'
}
}
R8 picks up all the existing proguard rules files as long as they're included in the build.gradle. You can also configure what pieces to obfuscate for different product flavors that you may have.
**
[OLD BUT RELEVANT INFO]
Proguard is a tool that will help you obfusate your code. This comes as part of your android tools and you just need to activate it. This link and this will help further.
Proguard's default configuration (in proguard.cfg) will be enough to sufficiently obfuscate your code. However you might want to tweak your proguard configuration when you have methods/classes that are being dynamically accessed.
For instance, accessing classes/methods with Reflection will need you to have the code to be intact. You might sometimes experience ClassNotFoundException if proguard obfuscates it.
If you have classes that are being accessed in the AndroidManifest/ Layout Files, you should prevent proguard from obfuscating them.
This can be done by adding
-keep public class <MyPackage.MyClass>
to your proguard.cfg.
**
While Proguard makes static analysis harder, DexGuard protects from both static and dynamic analysis. DexGuard is specifially for android applications and is only commercially available while Proguard is open source and is for any java bytecode obfuscation / optimization.
You cannot prevent decompiling android apk, you can just increase the difficulty of decompilation, proguard is the best option.
DexGuard provides even better security then ProGuard but it is NOT free: https://www.saikoa.com/dexguard
DexGuard can even obfuscate String constants.
As my Android project getting bigger now I am facing the 64k references limit issue. I read the Configure Apps with Over 64K Methods
article, and it suggests me to reduce the methods count before diving into multidex solution. Now I successfully decreased about 12000 of methods count.
But I still have a problem that is the ProGuard can only take effect when exporing a signed App for release, but not for development. With this fact, I am afraid that I cannot put more code into Eclipse for development, because when I add more methods then I click ADT > Run, I will get the 64k limit error again. I don't want to keep exporting and checking the result during development that is really time wasted.
Will there be any solution for this? Thanks a lot for any advice!
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
This minifyEnable true. will make proguard enabled. but this is in Android studio.
I think you are using Eclipse, which google has deprecated .