Develop Reference

How to understand why R8 doesn't obfuscate code

I'm building an Android app using Android Gradle Plugin 4.1.0 and Gradle 6.5.1. In my build.gradle file the flag minifyEnabled has the value true. This is my proguard-rules.pro file:
#rx
-dontwarn rx.**
-keep class rx.** { *; }
#retrofit / okhttp
-dontwarn retrofit.**
-keep class retrofit.** { *; }
-keep class okio.** { *; }
-keep class com.squareup.okhttp.** { *; }
-keep interface com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-dontwarn okhttp3.internal.platform.**
-dontwarn okio.**
-dontwarn org.conscrypt.**
#gson
-keepattributes SerializedName
-keep class com.google.gson.** { *; }
-keep class sun.misc.Unsafe { *; }
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer
-keepclassmembers enum * { *; }
-keepattributes Signature
-keepattributes Exceptions
-keepattributes *Annotation*
-dontwarn javax.annotation.Nullable
-dontwarn javax.annotation.ParametersAreNonnullByDefault
-dontwarn javax.annotation.concurrent.GuardedBy
-dontwarn org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement
#guava
-dontwarn afu.org.checkerframework.checker.formatter.**
-dontwarn afu.org.checkerframework.checker.nullness.**
-dontwarn afu.org.checkerframework.checker.regex.**
-dontwarn afu.org.checkerframework.checker.units.**
-keep class * implements ru.surfstudio.android.network.Transformable
-keep class * implements ru.surfstudio.android.network.response.BaseResponse
-dontwarn com.bumptech.glide.**
#firebase crashlytics
-printmapping mapping.txt
-keepattributes *Annotation*,SourceFile,LineNumberTable
-keep public class * extends java.lang.Exception
-keep class com.google.firebase.crashlytics.** { *; }
-dontwarn com.google.firebase.crashlytics.**
#kotlin-reflect
#https://stackoverflow.com/questions/45871970/kotlin-reflect-proguard-smallsortedmap
-dontwarn kotlin.reflect.jvm.internal.**
#Cashoff javascript interface
-keep class ru.sbi.android.f_analytics.analytics.CashoffInteface { *; }
-dontwarn ru.sbi.android.f_main.R$id
-keep class ru.sbi.android.ui.navigation.MainTabType
#Cross-feature navigation keeps
-keep interface ru.sbi.android.ui.fragment.CrossFeatureFragment {*;}
-keep class * implements ru.sbi.android.ui.fragment.CrossFeatureFragment
#android standard
-keep class ru.surfstudio.android.rx.extension.ConsumerSafe { *; }
-keep class ru.surfstudio.android.rx.extension.ActionSafe { *; }
#AndroidPdfViewer
-keep class com.shockwave.pdfium.util.Size
#firebase
-dontwarn com.google.firebase.messaging.**
#android material
-keep class com.google.android.material.** { *; }
-dontwarn com.google.android.material.**
#Если вы хотите применять новый API Google API для отслеживания инициаторов
-dontwarn com.android.installreferrer.com.android.installreferrer
-ignorewarnings
I see lots of minifyReleaseWithR8 tasks being executed during the build.
But when I'm decompiling the resulting APK using apktool I see that all the package, class, methods names are the same as in my Android Studio. How can I understand why R8 doesn't obfuscate the code?

You have a keep rule for every single class you use in your app. If you have a -keep rule matching a class it will be kept and not obfuscated. For obfuscation to rename items (classes/fields and methods) that either have to not be matched by a keep rule (or matched by a keep rule with modifier allowobfuscation).
Keep rules are only required for items which are looked up through reflection, so you will have to trim down your rules to a much smaller set. I suggest that you start out by an empty proguard-rules.pro and only get what getDefaultProguardFile('proguard-android-optimize.txt') generates (like here). Then your app might not work, but then you can figure out what is going wrong and start adding additional rules. One way to start there is to only keep the classes in you own application package (-keep class ru.sbi.android.** { *; }), as libraries normally does not need keep rules, and then try to trim that further.
Please take a look at Shrink, obfuscate, and optimize your app as well.

Volley always throw error after using ProGuard

I am using Volley and Gson in my project. The project is a Lib project. When I use my Lib in a demo project, the Volley always throw error response with message: "org.json.JSONException: End of input at character 0" and never has success response. I guess it is caused by ProGuard. The weird thing is when I set "minifyEnabled" in either Lib or the Demo project, everything works good. But when I set "minifyEnabled" in both Lib and Demo, volley will always fail. Does anyone now why this happen?
Sorry for missing the content...
this is the error volley throw:
org.json.JSONException: End of input at character 0
and this is my ProGuard for volley and Gson:
## ----------------------------------
## Gson
## ----------------------------------
-keepattributes Signature
-keepattributes *Annotation*
-keep class sun.misc.Unsafe { *; }
-keep class com.google.gson.** { *; }
-keep class com.google.gson.stream.** { *; }
## ----------------------------------
## Glide
## ----------------------------------
-keep class com.bumptech.glide.** {*;}
## -------------------------------------------
## volley
## -------------------------------------------
-keepclassmembers,allowshrinking,allowobfuscation class com.android.volley.NetworkDispatcher {
void processRequest();
}
-keepclassmembers,allowshrinking,allowobfuscation class com.android.volley.CacheDispatcher {
void processRequest();
}
-keep class com.android.volley.** {*;}
-keep class com.android.volley.toolbox.Volley
-keepclassmembers class com.android.volley.toolbox.Volley { *; }
-keep class com.android.volley.toolbox.** {*;}
-keep class com.android.volley.Response$* { *; }
-keep class com.android.volley.Request$* { *; }
-keep class com.android.volley.RequestQueue$* { *; }
-keep class com.android.volley.toolbox.HurlStack$* { *; }
-keep class com.android.volley.toolbox.ImageLoader$* { *; }
-keep class org.apache.http.** {*;}
The important thing is this error only happened if both Lib and Demo are obfuscated at the same time. Obfuscate with either Lib or Demo would not have this issue.
Anyone help? I am 100% sure I keep all my model classes in the ProGuard file.
2019-03-18 14:38:15.635 11276-11276 W/System.err: com.a.a.m: org.json.JSONException: End of input at character 0 of
2019-03-18 14:38:15.635 11276-11276 W/System.err: at com.a.a.a.k.a(Unknown Source:32)
While the com.a.a.a.k is "com.android.volley.toolbox.JsonObjectRequest"

put this rules in proguard,
-keep class com.android.volley.** { *; }
-keep class org.apache.commons.logging.**
-keepattributes *Annotation*
-dontwarn org.apache.**

Add following lines in your proguard-rules.pro, which you can find under Gradle Script
-keepclassmembers,allowshrinking,allowobfuscation class com.android.volley.NetworkDispatcher {
void processRequest();
}
-keepclassmembers,allowshrinking,allowobfuscation class com.android.volley.CacheDispatcher {
void processRequest();
}
You can also refer this link
Update
Then you should add these rules in your proguard-rules.pro of your library project. If you see that iamge near proguard-rules.pro it is written that this file is for app module, there should be an another proguard-rules.pro for your library module add rule there too.

Try using following configuration in your build.gradle.
android {
...
useLibrary 'org.apache.http.legacy'
}
I had similar issue with volley but different error, above configuration solved my issue. The root cause was Gradle plugin does not include all optional libraries by default anymore.

Android Studio Gradle proguard - only obfuscate the actual app code and not third libraries

Since I decompiled my app I noticed that all the members, classes are easy to read and understand, so my goal is to make it harder for someone who decompiles the app, to read the code.
The first step I did was to alter my graddle file:
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-myapp.txt'
}
The file proguard-myapp.txt is located in my project.
My project uses the following:
dependencies {
compile 'com.android.support:support-v4:24.2.1'
compile 'com.android.support:design:24.2.1'
compile 'com.google.code.gson:gson:2.4'
compile 'com.android.support:appcompat-v7:24.2.1'
compile 'com.google.android.gms:play-services-ads:9.2.1'
compile 'com.github.lecho:hellocharts-library:1.5.8#aar'
compile('com.crashlytics.sdk.android:crashlytics:2.6.1#aar') {
transitive = true;
}
}
I've kept playing with proguard rules but the more I test the more it gets out of hand.
I've added the following rules:
-dontshrink
-dontoptimize
#charts
-keep class lecho.lib.hellocharts.** { *; }
#support library
-dontwarn android.support.**
-keep class android.support.** { *; }
#ads
-keep public class com.google.android.gms.ads.** {
public *;
}
-keep public class com.google.ads.** {
public *;
}
#gson
# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature
# For using GSON #Expose annotation
-keepattributes *Annotation*
# Gson specific classes
-keep class sun.misc.Unsafe { *; }
#-keep class com.google.gson.stream.** { *; }
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }
# Prevent proguard from stripping interface information from TypeAdapterFactory,
# JsonSerializer, JsonDeserializer instances (so they can be used in #JsonAdapter)
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer
#Crashlytics
-keep class com.crashlytics.** { *; }
-dontwarn com.crashlytics.**
-keep class io.fabric.sdk.** { *; }
My questions are:
Is it possible to only obfuscate/optimize or whatever it is called, only the files that I actually use in the app, the ones I wrote and leave all the other libraries as they are? I mean, only rename, optimize my classes and my files and ignore crashlytics, admob, support library?
2.I have tried adding as rules only:
-keep class !com.mypackage.**{*;}
While the code looks fine on decompile, the app does not work properly.

This may not seem as a proper answer but I found out the reason my compiled app did not work.
After a lot of trying to find out what's wrong, I finally got it working.
GSON as it seems in this answer https://stackoverflow.com/a/30982197/379865 needs to have the classes kept in order to properly work.
After keeping my classes for the objects related to Gson, it works.

Proguard doesnt obfuscate Class name, only methods are obfuscated

I try using Proguard in android studio, but seems like Proguard is not obfuscating the class name, for example, my app structure, and the config:
and config
but when i try trigger the exception in the app:
the exception is listed in ADB console:
only the methods are obfuscated, the MainActivity.class is not

This is an expected behaviour because the class is an activity!
All classes that are mentioned in AndroidManifest.xml have to keep their names (activities, services, providers, receivers, application, instrumentation). Otherwise the system won't be able to find them.
Gradle build automatically generates some rules for your ProGuard configuration to achieve this. It scans AndroidManifest.xml and adds rules for each class found there.
If you want to see all the rules that are used, add this line to your ProGuard rules:
-printconfiguration "build/outputs/mapping/configuration.txt"
It will create configuration.txt file containing all the rules.
There should be something like this:
# view AndroidManifest.xml #generated:50
-keep class com.github.browep.proguard.MainActivity {
<init>(...);
}

I was facing the same problems,
After updating my Android plugin for Gradle, Proguard stop obfuscating my utility and other class files.
After few searching, I found that Android studio gradle now uses newer version of Proguard.
And according to this stack-overflow answer, which stated that:
proguard automatically add rules specific for android/google package.
Therefore, After few rule changes in my app, Proguard obfuscated the class names again.
Old proguard-rules.pro:
#support-v4
##link https://stackoverflow.com/questions/18978706/obfuscate-android-support-v7-widget-gridlayout-issue
-dontwarn android.support.v4.**
-keep class android.support.v4.** { *; }
-keep class android.support.v4.app.** { *; }
-keep interface android.support.v4.app.** { *; }
#support-v7
-dontwarn android.support.v7.**
-keep class android.support.v7.** { *; }
#https://stackoverflow.com/a/34895791/4754141
-keep class !android.support.v7.view.menu.**
-keep interface android.support.v7.* { *; }
#support design
##link https://stackoverflow.com/a/31028536
-dontwarn android.support.design.**
-keep class android.support.design.** { *; }
-keep interface android.support.design.** { *; }
-keep public class android.support.design.R$* { *; }
#error : Note: the configuration refers to the unknown class 'com.google.vending.licensing.ILicensingService'
#solution : #link https://stackoverflow.com/a/14463528
-dontnote com.google.vending.licensing.ILicensingService
-dontnote **ILicensingService
#updating to Gradle 2.14.1 caused error : https://stackoverflow.com/q/17141832/4754141
-keepattributes EnclosingMethod
#render script
##link https://stackoverflow.com/questions/22161832/renderscript-support-library-crashes-on-x86-devices
-keepclasseswithmembernames class * { native <methods>; }
-keep class android.support.v8.renderscript.** { *; }
New proguard-rules.pro:
#https://stackoverflow.com/a/41901653/4754141
#https://stackoverflow.com/a/23840049/4754141
-keep class android.support.** { *; }
-keep interface android.support.** { *; }

Release version with proguard issues - GSON

If I build my app in debug it works perfectly. However, when I build for release with proguard, I get several errors and then the build fails. The error summary:
Warning:there were 445 unresolved references to classes or interfaces.
Warning:there were 13 instances of library classes depending on program classes.
I modified my proguard-rules.txt file as shown below. This allowed the build to succeed, but when I install the app, the amazon downloads do not work (works in the debug version).
-keep class org.xmlpull.v1.**
-keep class org.apache.http.**
-keep class org.ietf.jgss.**
-keep class com.amazonaws.services.**
-keep class org.w3c.dom.bootstrap.**
-dontwarn org.xmlpull.v1.**
-dontwarn org.apache.http.**
-dontwarn org.ietf.jgss.**
-dontwarn com.amazonaws.services.**
-dontwarn org.w3c.dom.bootstrap.**
Any suggestions as to how I can get this fixed please?
Update:
Have narrowed it down to a GSON/JSONPARSER issue. For the release version, JSONPARSER does not convert downloaded json to a supplied class like it does in debug. The GSON proguard rules (see update 2 ) have also been added but the issue persists.
-keep class org.apache.commons.logging.** { *; }
-keep class com.amazonaws.services.sqs.QueueUrlHandler { *; }
-keep class com.amazonaws.javax.xml.transform.sax.* { public *; }
-keep class com.amazonaws.javax.xml.stream.** { *; }
-keep class com.amazonaws.services.**.model.*Exception* { *; }
-keep class com.amazonaws.internal.** { *; }
-keep class org.codehaus.** { *; }
-keep class org.joda.convert.* { *; }
-keepattributes Signature,*Annotation*,EnclosingMethod
-keepnames class com.fasterxml.jackson.** { *; }
-keepnames class com.amazonaws.** { *; }
-dontwarn com.amazonaws.auth.policy.conditions.S3ConditionFactory
-dontwarn org.joda.time.**
-dontwarn com.fasterxml.jackson.databind.**
-dontwarn javax.xml.stream.events.**
-dontwarn org.codehaus.jackson.**
-dontwarn org.apache.commons.logging.impl.**
-dontwarn org.apache.http.conn.scheme.**
-dontwarn org.apache.http.annotation.**
-dontwarn org.ietf.jgss.**
-dontwarn org.w3c.dom.bootstrap.**
-dontwarn org.xmlpull.v1.**
-dontwarn com.amazonaws.services.**
-libraryjars libs/aws-android-sdk-1.7.1.1-core.jar
-libraryjars libs/aws-android-sdk-1.7.1.1-s3.jar
-libraryjars libs/gson-2.2.4.jar
-libraryjars libs/ksoap2-android-assembly-3.3.0-jar-with-dependencies.jar
Update 2
# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature
# For using GSON #Expose annotation
-keepattributes *Annotation*
# Gson specific classes
-keep class sun.misc.Unsafe { *; }
-keep class com.google.gson.stream.** { *; }
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }

Finally solved. GSON could not convert my JSON into a class using the fromJson method as proguard had obfuscated my class's fields. I had to add for each of my classes used during json deserialization:
-keepclassmembers class fully.qualified.path.to.class$innerclass {
private <fields>;
}
As per usual, no mention of this in the GSON docs. This was a project I took over - I personally have never used GSON and wont do so in future.
A few notes to those facing similar issues:
Always make sure when you use a library to include all the
recommended (by the library - see their web pages) entries in your
proguard-rules.text file.

They have mentioned in the comments in the second last line of update2.
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }
Change the last line to your actual path inside code to classes that will be serialized. Don't copy paste as it is. Example:
-keep class com.myclass.model.** { *; }
That worked for me.