I am developing one android library for that i want enable the progurad.
First thing i did is:
I have enabled the minification for my library
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
After this, I have generated the AAR file with minification. And then i used the AAR file to my testing app to check whether my library classes were available. But classes were not there, Because the pro guard removed all my classes from library as it was not used.
Second thing i did is:
-keep public interface com.example.client.** { *; }
I have added the above thing to my proguard-rules.pro. Now i can able to see all my classes with proguard applying the same class, function, variable names. (In mapping file i could see the same name getting applied)
I don't know the exact way to apply the proguard to generate the obfuscated AAR.
Is there any guideline to generate AAR with the minification/
Or in my case what is fix to generate AAR with the class available?
I am struggling for a long time... Could someone please try to help me!!!
Related
I have created a Wear OS module in our existing Android mobile application. Both application modules remain in the project like following:
Project/app
Project/wear/wear_presentation
Project/otherLibModule/other_lib_module_presentation
and we have a common.gradle that is used by app and wear_presentation:
buildTypes {
release {
minifyEnabled true
debuggable false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
debug {
debuggable true
minifyEnabled false
}
}
Before Wear OS module, we had a single proguard file inside app module that handles all minifying work, but now we have 2 application modules that have separate proguard files. That forces me to copy/paste all content from app proguard file into wear_presentation proguard file and this approach seems amateurish.
I want to use a single common proguard file that is used by both app and wear_presentation modules.
Is it possible?
Importing from Libraries is supported already.
https://developer.android.com/studio/build/shrink-code#configuration-files
/proguard.txt - If an AAR library is published with its own ProGuard rules file, and you include that AAR as a compile-time dependency, R8 automatically applies its rules when compiling your project.
Using rules files that are packaged with AAR libraries is useful if certain keep rules are required for the library to function properly—that is, the library developer has performed the troubleshooting steps for you.
However, you should be aware that, because ProGuard rules are additive, certain rules that an AAR library dependency includes cannot be removed and might impact the compilation of other parts of your app. For example, if a library includes a rule to disable code optimizations, that rule disables optimizations for your entire project.
/META-INF/proguard/ - for JAR libraries
It's commonly used by libraries like OkHttp https://github.com/square/okhttp/blob/okhttp_4.10.x/okhttp/src/main/resources/META-INF/proguard/okhttp3.pro
I already made a Flutter app. The release apk is about 14MB. I searched methods to minify this and found this ons: https://flutter.io/android-release/#enabling-proguard
But my question is, how can I get to know all my used additional libraries for step 1? Are there any commands to know them or is it just all the dependencies that I added to the pubspec.yaml ?
How do I need to implement them in this file /android/app/proguard-rules.pro?
First, we will enable shrinking and obfuscation in the build file. Find build.gradle file which sits inside /android/app/ folder and add lines in bold
android {
...
buildTypes {
release {
signingConfig signingConfigs.debug
minifyEnabled true
useProguard true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
}
Next we will create a configuration which will preserve entire Flutter wrapper code. Create /android/app/proguard-rules.pro file and insert inside:
#Flutter Wrapper
-keep class io.flutter.app.** { *; }
-keep class io.flutter.plugin.** { *; }
-keep class io.flutter.util.** { *; }
-keep class io.flutter.view.** { *; }
-keep class io.flutter.** { *; }
-keep class io.flutter.plugins.** { *; }
Note: Use signingConfigs.release instead signingConfigs.debug to build a apk or appbundle
I will leave this answer here as an addition for any poor soul that has to deal with this issue and encounters this thread.
As of December 2021 with the latest Android Sdk, Studio and Flutter versions, if you try to douseProguard true it will not work because it's obsolete.
Sadly, Gradle will not tell you this, instead, you will get an error like this:
A problem occurred evaluating project ':app'.
> No signature of method: build_7cqkbrda1q788z3b02yxbvrx9.android() is applicable for argument types: (build_7cqkbrda1q788z3b02yxbvrx9$_run_closure2) values: [build_7cqkbrda1q788z3b02yxbvrx9$_run_closure2#41108b15]
Which as you can see it is complete gibberish and not useful. The secret is to just not use useProguard at all. By default Flutter is setup to use R8 which handles minification now on Android.
Here is a so post about this for reference: Gradle : DSL element 'useProguard' is obsolete and will be removed soon
If you are using firebase, see Flutter build crashes using ProGuard with Firebase Auth
Next, you need to consider the dependencies in pubspec.yaml You can immediately ignore any pure Dart packages - you are just looking for plugins. Of these plugins, you are just interested in ones that make use of existing libraries. You will likely have added these to gradle. Those are the ones you need to protect from name shortening.
The simplest approach may just be to try it and see what package names pop up in the NoClassDefFoundError and keep iteratively adding them.
As Remi says, your gain will be minimal, so is it really worth the hassle. You should see some improvements in APK sizes over the coming releases.
Am developing android application with some confidential data.I need to obfuscate code.I have searched for a solution long time, still am not getting solution.
You have several ways of doing this. The one you can easily integrate inside your application is to use proguard rules and gradle.
Define your proguard-rules.pro with the specifications you see fit. Below there is a link which explains the usage of most of them
http://proguard.sourceforge.net/manual/usage.html
After that, in the build gradle of your top application module, in case you have a tree of dependencies, add:
BuildTypes{
release{
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
In this case, every time you run a release version of your application, it will run your proguard file configuration. Have in consideration that proguard does not obfuscate the name of the activities.
Use minifyEnabled true in your app level build.gradle
I'm use in my android project gson library:
compile 'com.google.code.gson:gson:2.7'
I'm use it not in app module, but in my android library and this library added to project. Only several classes (groupA) used gson. Android library is common library and used in several android projects, but in current android project do not used classes from groupA.
I have in build.gradle of app:
android {
...
buildTypes {
release {
minifyEnabled true
shrinkResources true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
}
I build release apk and decompile classes.dex. I do not find classes groupA in apk. It's ok. proguard remove unused code.
Unfortunately I see gson classes. But why? Why proguard do not remove gson classes? gson really do not used in release version of project.
I think you should have a look at the proguard file of gson which is included in each build: https://github.com/google/gson/blob/master/examples/android-proguard-example/proguard.cfg Recognize the remaining classes there?
Why proguard do not remove gson classes?
Ask it:
Use the proguard option -whyareyoukeeping to find out why the gson classes are not removed
http://proguard.sourceforge.net/manual/usage.html#shrinkingoptions
This might be too broad, but I would like an explanation on how Proguard and minification configurations are passed between projects and their dependencies to understand how deeply are these operations made in my project's dependency tree.
I have on build.gradle of `themodule':
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
dependencies {
compile project(':someothermodule')
compile 'some.maven.central.library'
}
By the configuration it seems clear that the classes inside themodule will be minifyed and obfuscated, but what happens with the classes of someothermodule? Will they also be minifyed and obfuscated? Even if someothermodule has minifyEnabled true?
What happens if 'someothermodule' is just a .jar dependency?
What happens with the configurations of some.maven.central.library?
Are the Proguard configurations of the module being built cascading down to its dependencies or each of them follows its own rules?
If a module get obfuscated (minifyEnabled true) by itself, the used configuration is not automatically inherited by the consuming module (in your case the application).
There is a mechanism in the Android gradle plugin to enabled this:
consumerProguardFiles 'proguard-rules.pro'
The rules that are contained in proguard-rules.pro will be automatically included in the application project and merged with other configuration files.
This will only work for Android library projects (.aar). If you have a dependency to a .jar file on maven central for example, no such consumer rules will be available, and you have to add the needed configuration to your application project yourself.
Keep in mind that the configuration to obfuscate a module and the one used by the consuming application / module does not need to be identical. The consumer rules will in most cases only be a set of -keep rules.
Technically, it is the following :
Library projects by themselves don't run ProGuard, so they don't use
any configuration.
Application projects obfuscate the entire code base, including any
referenced libraries, so they need proper configuration for the
application code and for the library code.
I had a small case where I had a Facebook library as a gradle dependency and since we were obfuscating the code with minifyEnabled:true we had to keep all its code from being obfuscated, using the regular keep commmands such as :
-keep class com.facebook.** { *; }
Additionally, and regarding the .jar obfuscation, you can check this other post
Regards,