When I build a release build of the app Proguard runs, but on looking at the APK using APK Analyzer everything is readable with apparently no obfuscation being applied.
My intent is to apply obfuscation to the APK to make reverse engineering a little more difficult.
Gradle:
buildTypes {
release {
signingConfig signingConfigs.release
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
Proguard is definitely running as I can see that in the Gradle console.
proguard-rules.pro:
-dontshrink
-dontoptimize
-keep class com.squareup.picasso.** { *; }
-dontwarn com.squareup.picasso.**
-keep class com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-keep class kotlin.reflect.** { *; }
-dontwarn kotlin.reflect.**
-keep class javax.annotation.** { *; }
-dontwarn javax.annotation.**
-keep class org.codehaus.mojo.** { *; }
-dontwarn org.codehaus.mojo.**
The Proguard docs say obfuscation runs by default. The docs also say classes specified in keep statements will not be obfuscated, but the classes in the app itself are not specified in keep statements, but are still not obfuscated.
On looking further, there is a file in the build folder called aapt_rules.txt that contains what look like keep statements for every class in the app. I don't understand why that would be.
How do I reconfigure Proguard so it obfuscates all of the code in my app (not the libraries), without shrinking or removing any classes?
by looking at line keep class com.squareup.picasso.** { *; }and -keep class com.squareup.okhttp.** { *; } ,
you are not obfuscating anything which are part of above packages or sub packages.
Progaurd will obfuscate anything which is not part of above package and sub package.
do you have class outside of these packages.
Related
Using variety of aws-android-sdk's (version 2.22.0) (including DynamoDB).
With minifyEnabled = true, Android app crashes in DynamoDB call. App does not crash if I disable that flag.
Here are the proguard-rules I'm using:
In build.gradle (app):
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
And in the proguard-rules.pro I have the following:
# Class names are needed in reflection
-keepnames class com.amazonaws.**
-keepnames class com.amazon.**
# Enums are not obfuscated correctly in combination with Gson
-keepclassmembers enum * { *; }
# Request handlers defined in request.handlers
-keep class com.amazonaws.services.**.*Handler
# The following are referenced but aren't required to run
-dontwarn com.fasterxml.jackson.**
# Android 6.0 release removes support for the Apache HTTP client
-dontwarn org.apache.http.**
# The SDK has several references of Apache HTTP client
-dontwarn com.amazonaws.http.**
-dontwarn com.amazonaws.metrics.**
Here's the pertinent call stack:
E/AndroidRuntime: FATAL EXCEPTION: Thread-13
Process: com.icefield.eventtruly, PID: 20298
java.lang.IllegalArgumentException: Illegal query expression: No hash key condition is found in the query
at com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper.processKeyConditions(:2711)
at com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper.createQueryRequestFromExpression(:2671)
at com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper.query(:2438)
at com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper.query(:2399)
at c.f.a.g.d$b.run(:339)
at java.lang.Thread.run(Thread.java:919)
Setting minifyEnabled = false results in everything working hunky-dory.
Any ideas on what else I might add to proguard rules?
I recommend using the following ProGuard rules.
-keep class com.amazon.** { *; }
-keep class com.amazonaws.** { *; }
-keep class com.amplifyframework.** { *; }
I suspect that you'll find a
ClassNotFoundException or and/or NoClassDefFoundError elsewhere in your logs, which will be more helpful to fine-tune the rules.
The particular error you're seeing arises when there are no key Conditions included in the request being sent to DyanmoDB.
My app is completely ready to deploy and its using many libraries. I want to minify the code using Proguard and also want to remove unused classes and resources but while using proguard I am getting Runtime error
java.lang.RuntimeException: Unable to create application com.rig.onblick.App: java.lang.NullPointerException: Attempt to invoke virtual method 'int java.lang.String.hashCode()' on a null object reference
I gone through many tutorial but its seems too complicated to write proguard configuration because I have to write many rules to make sure my app will run perfectly. I have never used proguard in this kind of big project. Can anyone tell me the minimal configuration which make sure at least my code will be minified and will not get any runtime error.
My present configuration is as below.
-dontwarn com.witt.mspapp.**
-keep class com.github.mikephil.** { *; }
-dontwarn com.github.mikephil.**
-keep class com.github.mikephil.** { *; }
-dontwarn org.apache.**
-keep class com.google.gms.** { *; }
-dontwarn com.google.gms.**
-keep class com.viewpagerindicator.** { *; }
-dontwarn com.viewpagerindicator.**
-keep class org.jivesoftware.smackx.** { *; }
-dontwarn org.jivesoftware.smackx.**
I am testing in debug env. and my gradle configuration is as below
debug {
minifyEnabled true
shrinkResources true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
There is nothing "minimal configuration" for proguard configuration. You will get the proguard configuration for each library on his official repo page. So whatever dependencies you have used go through these and add proguard configuration for each of that dependency.
I have an app that works fine when debugging, but when I make a release version, with minifyEnabled true in the build.gradle file, it seems not to work at all anymore:
D/SapphirePocket( 6520): Could not serialize telegram: <init> [interface a.a.a.b.am, interface a.a.a.a, class a.a.a.e.n]
Does SimpleXML work with minified APKs, where inspection might not completely work anymore or should this just work?
When you activate minifyEnabled, you are obfuscating the code with proguard. SimpleXML should use some classes that you are obfuscating and you must not do this. You must keep the names of the classes that SimpleXML needs.
See this post about the same problem as you have (simplexml failed to compile with proguard activated).
The first thing I recommend is put this on proguard file (extracted from the post I've linked):
-keep public class org.simpleframework.** { *; }
-keep class org.simpleframework.xml.** { *; }
-keep class org.simpleframework.xml.core.** { *; }
-keep class org.simpleframework.xml.util.** { *; }
-keepattributes ElementList, Root
-keepclassmembers class * {
#org.simpleframework.xml.* *;
}
For a more detailed response, please, show us more information (proguard file, code getting the error...).
I enabled proguard for my release build and when I ran the project, I get these warnings and errors. Here is my buildTypes block:
buildTypes {
release {
minifyEnabled true
//shrinkResources true
signingConfig signingConfigs.myConfig
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
The build message was too long to post here so have put external link.
What is the reason for these warnings? Is there something I have done wrong? How can I fix this?
for any external library that you are using you need to add rules in your proguard.pro file.
For example in my project these are the proguard rules I added for retrofit and okhttp
# Retrofit 1.X
-keep class com.squareup.okhttp.** { *; }
-keep class retrofit.** { *; }
-keep interface com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-dontwarn okio.**
-dontwarn retrofit.**
-dontwarn rx.**
-keepclasseswithmembers class * {
#retrofit.http.* <methods>;
}
These rules are taken from
https://github.com/krschultz/android-proguard-snippets/blob/master/libraries/proguard-square-retrofit.pro
So you need to check similarly for each library what are the rules to be added.
Each library mentioned in the warnings has its' own proguard rules which you have to put in your proguard-rules.pro. For example you can find ButterKnife's rules at http://jakewharton.github.io/butterknife/ "Proguard" section.
I'm trying to obfuscate my package names including that one of my used libraries.
I use this build config in my gradle file:
buildTypes {
debug {
versionNameSuffix "-Development"
debuggable true
runProguard true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
#...
This is my proguard file:
# Butterknife
-dontwarn butterknife.internal.**
-keep class **$$ViewInjector { *; }
-keepnames class * { #butterknife.InjectView *;}
# OrmLite uses reflection
-keepclassmembers class com.j256.** { *; }
-keep class my.package.name.database.** { *; }
-keep class com.j256.**
#test
-repackageclasses 'qqq1'
-flattenpackagehierarchy 'qqq2'
-allowaccessmodification
-forceprocessing
I'm using this command for dumping all the dexed classes:
7z x -aoa my.apk classes.dex && dexdump classes.dex | grep "Class desc" | less
And I still see all full package names if I just grep for "qqq" I get no results so it seems that both rules repackageclasses and flattenpackagehierarchy seems to be ignored (I also tested to use only one of that lines). Any idea what I missed?
For library modules, it seems that the build system add "-keeppackagenames" by default which will lead to the package names not be obfuscated.
You can try using this WORKAROUND:
Add "-keeppackagenames !**" to disable -keeppackagenames being injected by the build system.
Via: https://code.google.com/p/android/issues/detail?id=67587
Wow this took long to fix. The butterknife rules broke everything. My solution was to grep that one from the homepage and how everything works as expected.
Here are the fixed rules:
# Butterknife
-keep class butterknife.** { *; }
-dontwarn butterknife.internal.**
-keep class **$$ViewBinder { *; }
-keepclasseswithmembernames class * {
#butterknife.* <fields>;
}
-keepclasseswithmembernames class * {
#butterknife.* <methods>;
}
# OrmLite uses reflection
-keepclassmembers class com.j256.** { *; }
-keep class my.package.name.database.** { *; }
-keep class com.j256.**
#test
-repackageclasses 'qqq1'
-flattenpackagehierarchy 'qqq2'
-allowaccessmodification
-forceprocessing