I have Develop one Android AAR Library which consist of all functionality that customer required, I want to apply proguard on library before deliver it to the customer in order to obfuscate the code so that code will not easy to decompile.
I googled it before posting this question and I found that Library projects by themselves don't run ProGuard, so they don't use any configuration, as mention here Click Here
I have done following configuration in order to apply proguard on my library project.
buildTypes {
debug {
shrinkResources false
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
release {
shrinkResources true
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
I have applied this rules on proguard-rules.pro
-keepparameternames
-renamesourcefileattribute SourceFile
-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,*Annotation*,EnclosingMethod
-keep public class * {
public protected *;
}
-keepclassmembernames class * {
java.lang.Class class$(java.lang.String);
java.lang.Class class$(java.lang.String, boolean);
}
-keepclasseswithmembernames class * {
native <methods>;
}
-keepclassmembers enum * {
public static **[] values();
public static ** valueOf(java.lang.String);
}
-keepclassmembers class * implements java.io.Serializable {
static final long serialVersionUID;
private static final java.io.ObjectStreamField[] serialPersistentFields;
private void writeObject(java.io.ObjectOutputStream);
private void readObject(java.io.ObjectInputStream);
java.lang.Object writeReplace();
java.lang.Object readResolve();
}
but after using this aar on my demo project the library get used properly but the code is not hidden it just get visible after decompiled in android studio as we decompile method just by holding ctrl and click on that method, all containt of method just get visible without any proguard rules applied on that library.
Please suggest me relevant way or tell me what wrong steps I am taking as I am new to android.
AAR modules can be indeed obfuscated.
Add consumerProguardFiles 'proguard-rules.pro' to your AAR build.gradle configuration along with proguardFiles, so that if the app/module that's using the AAR runs ProGuard, your configuration (i.e. any excludes for public API that shouldn't be minified) will be honoured.
Android libraries (aar-files) are not obfuscated at all. The minifyEnabled option is ignored in com.android.library-projects. So everyone can easily decompile the code contained in an aar-file.
Related
I upgraded my Android Studio to 3.4 earlier today, and I am using the default shrinker R8 for the first time. I copied the contents of proguard-project.txt of a library project to its proguard-rules.pro. proguard-project.txt worked flawlessly for this project that generates an aar file for use by other app projects.
File proguard-rules.pro does not seem to be used. The project has the following in its build.gradle:
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
'proguard-rules.pro'
signingConfig signingConfigs.Release
}
debug {
signingConfig signingConfigs.Debug
}
}
proguard-rules.pro has the following:
# Preserve all public classes, and their public and protected fields and methods.
-keep public class * {
public protected *;
}
The public methods' names are not preserved at all:
Could anyone offer a tip on how to fix this?
Add this line to gradle.properties
android.enableR8 = true
And try below code inside your proguard-rules.pro
-keep public class ** {
public *;
protected *;
}
Edit #1
Check here for how to migrate Proguard to R8: Android/java: Transition / Migration from ProGuard to R8?
I have an AAR (library) project in Android Studio, to make a library we license. I need to obfuscate the library we release to make it difficult for people to decompile. But I can't seem to get the ProGuard to work. When I unzip the AAR and then the "classes.jar" underneath, all the class names are still there as well as the variables. I'm very weak at ProGuard usage, so wondering if the community can help. I have an extremely basic ProGuard file, one that was generated when Android Studio created the template for the project:
-printmapping out.map
-keepparameternames
-renamesourcefileattribute SourceFile
# -keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,EnclosingMethod
-keepattributes Exceptions
# Preserve all annotations.
-keepattributes *Annotation*
# Preserve all public classes, and their public and protected fields and methods
-keep public class * {
public protected *;
}
probably it's too late but it could be helpful for anyone else.
I'm using this configuration and variables names are encrypted as well as parameters varialbes
-renamesourcefileattribute SourceFile
-keepattributes Exceptions
-keepattributes *Annotation*
-keep public class * {
public protected *;
}
I'm also using this configuration in the build types so it's not debuggable
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
debuggable false
jniDebuggable false
zipAlignEnabled true
}
}
Let me know if it solved your problem or if you found a better solution!
-keep,allowoptimization,allowobfuscation public class yourpackage.**
I have try many solution
e.g.
Remove all debug logging calls before publishing: are there tools to do this?
However, When I look in to the logcat. The log still shows. Log from my app is gone but the log from third-party still exist.
This is my proguard config.
-dontwarn **
-target 1.7
#-dontusemixedcaseclassnames
#-dontskipnonpubliclibraryclasses
#-dontpreverify
-verbose
-optimizations !code/simplification/arithmetic,!code/allocation/variable
-keep class **
-keepclassmembers class *{*;}
-keepattributes *
-dontskipnonpubliclibraryclasses
#-dontobfuscate
-forceprocessing
-optimizationpasses 5
-keep class * extends android.app.Activity
-assumenosideeffects class android.util.Log {
public static boolean isLoggable(java.lang.String, int);
public static int v(...);
public static int i(...);
public static int w(...);
public static int d(...);
public static int e(...);
}
This is my gradle file config
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
debuggable false
jniDebuggable false
signingConfig signingConfigs.config
}
debug {
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
minifyEnabled true
debuggable false
zipAlignEnabled true
jniDebuggable false
}
}
The customer want to remove every log even the log from Third-party library or SDK for security reason
ProGuard will only be able to remove logging calls in application code, i.e. code that is being processed and included in your own application. Any logging calls being performed by the Android runtime cannot be removed because the runtime is installed on each device and cannot be modified in advance obviously.
Looking at your rules and gradle file, the setup looks correct and also works for me to remove calls to android.util.Log. Ensure that you are using a recent version of ProGuard (e.g. 5.2.1 or later). Also you have ProGuard still disabled in your release buildType, you will need to set minifyEnabled to true to enable it.
You need to check which kind of logging library your third party using and based on that you can disable the logging for each and every library.
if your third party library use Logger from java like this Logger.getLogger(LIBRARY_CLASS.class.getName()); then you can call like below in application class onCreate():
LogHelper.INSTANCE.setRootLoggerLevel(Level.OFF);
LogHelper class code:
object LogHelper {
/**
* set root logger log level
*
* #param level maximum allowed log level[Level]
*/
fun setRootLoggerLevel(level: Level) {
val rootLogger = LogManager.getLogManager().getLogger("")
rootLogger.level = level
}
}
As I know there are some classes which should not be obfuscated and also their names must persisted like 'Activities'. However I want other classes and packages inside my code be renamed.
here is build.gradle inside app folder:
apply plugin: 'com.android.application'
android {
compileSdkVersion 23
buildToolsVersion "23.0.3"
defaultConfig {
applicationId "apt.eve.good.morning"
minSdkVersion 14
targetSdkVersion 23
versionCode 1
versionName "1.0"
}
buildTypes {
release {
minifyEnabled true
shrinkResources true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
}
dependencies {
compile fileTree(include: ['*.jar'], dir: 'libs')
testCompile 'junit:junit:4.12'
compile 'com.android.support:support-v4:23.4.0'
compile 'com.android.support:appcompat-v7:23.4.0'
compile 'com.android.support:design:23.4.0'
}
I use this proguard configuration for my application (app\proguard-rules.pro):
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-useuniqueclassmembernames
-verbose
-keepattributes *Annotation*
-keep public class com.google.vending.licensing.ILicensingService
-keep public class com.android.vending.licensing.ILicensingService
# For native methods, see http://proguard.sourceforge.net/manual/examples.html#native
-keepclasseswithmembernames class * {
native <methods>;
}
# keep setters in Views so that animations can still work.
# see http://proguard.sourceforge.net/manual/examples.html#beans
-keepclassmembers public class * extends android.view.View {
void set*(***);
*** get*();
}
-allowobfuscations class *
# We want to keep methods in Activity that could be used in the XML attribute onClick
-keepclassmembers class * extends android.app.Activity {
public void *(android.view.View);
}
# For enumeration classes, see http://proguard.sourceforge.net/manual/examples.html#enumerations
-keepclassmembers enum * {
public static **[] values();
public static ** valueOf(java.lang.String);
}
-keepclassmembers class * implements android.os.Parcelable {
public static final android.os.Parcelable$Creator CREATOR;
}
-keepclassmembers class **.R$* {
public static <fields>;
}
# The support library contains references to newer platform versions.
# Don't warn about those in case this app is linking against an older
# platform version. We know about them, and they are safe.
-dontwarn android.support.**
# Understand the #Keep support annotation.
-keep class android.support.annotation.Keep
-keep #android.support.annotation.Keep class * {*;}
-keepclasseswithmembers class * {
#android.support.annotation.Keep <methods>;
}
-keepclasseswithmembers class * {
#android.support.annotation.Keep <fields>;
}
-keepclasseswithmembers class * {
#android.support.annotation.Keep <init>(...);
}
It do optimization but as I checked inside my classses.dex all class names remained unchanged. So I want to know what I missed in my configuration file which is not obfuscating class/method names?
P.S.1 I have searched several questions but I can't imagine what's wrong here.
P.S.2 I have properly configured my android studio and changes on proguard configuration applies without no problem on my released .apk file.
Make sure you check the obfuscated .dex files.
With common gradle build script the build/** folders may contain several unobfuscated versions of .dex/.class files.
Ultimately the resulting .apk/.aar should be obfuscated, so if you are unzipping that one, and the the classes are not obfuscated, then something doesn't work as expected.
As OP noted, it's also important to verify your [disassembly] tools work correctly.
Viewing binary form of .dex from .apk is usually enough to spot [un]obfuscated symbols (try with unobfuscated .class, the symbols are easily readable even in text editor, in obfuscated .dex the chain of symbols like "aa", "ab", ... is often well visible too).
Also running gradle proguard task manually with verbose option on may help to identify if the proguard was run and upon what files.
Based on your gradle file (minifyEnabled=true) and proguard config. You appear to be in good shape already.
To quickly confirm that your app obfuscating your classes, check the resulting mapping.txt file when you make release builds. This file "provides a translation between the original and obfuscated class, method, and field names."
Here is an example of a mapping.txt that obsfucates a hockeyapp library :
net.hockeyapp.android.tasks.AttachmentDownloader -> net.hockeyapp.android.d.a:
java.util.Queue queue -> a
boolean downloadRunning -> b
67:67:net.hockeyapp.android.tasks.AttachmentDownloader getInstance() -> a
Lots more info can be found in the "Shrink Your Code and Resources" article here : https://developer.android.com/studio/build/shrink-code.html
Do you already changed
minifyEnabled=true
Inside app -> build.gradle?
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
My Project has few classes that extends Parcelable.
Do I need to 'keep' them in proguard rules while obfuscating.
What is the general practice for parcelables?
No, the default android rules include this:
-keepclassmembers class * implements android.os.Parcelable {
public static final android.os.Parcelable$Creator CREATOR;
}
These default rules will be applied if you leave the default generated gradle definition in place:
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
If you are using Kotlin #Parcelize with proguard you can add this to proguard-rules.pro:
-keep #kotlinx.android.parcel.Parcelize public class *