Develop Reference

Android R8 not obfuscating class names

I have been researching this for the past few hours without any luck. Class names are not obfuscated no matter what. These are just regular classes, not Activities, Services, or something else which is also in Android Manifest (I know those don't get obfuscated). What am I missing here?
Android Gradle Plugin version: 4.0.0
Gradle version: 6.1.1
Android Studio version: 4.0
With these versions, R8 should be enabled by default. Here is my buildType config:
buildTypes {
release {
//useProguard false // even tried this without luck
minifyEnabled true
shrinkResources true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
signingConfig signingConfigs.release
}
}
Here is my proguard-rules.pro
-ignorewarnings
# --- Glide ---
-keep public class * implements com.bumptech.glide.module.GlideModule
-keep public class * extends com.bumptech.glide.module.AppGlideModule
-keep public enum com.bumptech.glide.load.ImageHeaderParser$** {
**[] $VALUES;
public *;
}
# --- Billing library ---
-keep class com.android.vending.billing.**
# --- Retrofit2 ---
# Retrofit does reflection on generic parameters. InnerClasses is required to use Signature and
# EnclosingMethod is required to use InnerClasses.
-keepattributes Signature, InnerClasses, EnclosingMethod
# Retrofit does reflection on method and parameter annotations.
-keepattributes RuntimeVisibleAnnotations, RuntimeVisibleParameterAnnotations
# Retain service method parameters when optimizing.
-keepclassmembers,allowshrinking,allowobfuscation interface * {
#retrofit2.http.* <methods>;
}
# Ignore annotation used for build tooling.
-dontwarn org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement
# Animal Sniffer compileOnly dependency to ensure APIs are compatible with older versions of Java.
-dontwarn org.codehaus.mojo.animal_sniffer.*
# Ignore JSR 305 annotations for embedding nullability information.
-dontwarn javax.annotation.**
# With R8 full mode, it sees no subtypes of Retrofit interfaces since they are created with a Proxy
# and replaces all potential values with null. Explicitly keeping the interfaces prevents this.
-if interface * { #retrofit2.http.* <methods>; }
-keep,allowobfuscation interface <1>
# --- TwitterKit ---
#Picasso Proguard Config https://github.com/square/picasso
-dontwarn com.squareup.okhttp.**
# --- GSON ---
# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature
# For using GSON #Expose annotation
-keepattributes *Annotation*
# Gson specific classes
-dontwarn sun.misc.**
#-keep class com.google.gson.stream.** { *; }
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { <fields>; }
# Prevent proguard from stripping interface information from TypeAdapter, TypeAdapterFactory,
# JsonSerializer, JsonDeserializer instances (so they can be used in #JsonAdapter)
-keep class * implements com.google.gson.TypeAdapter
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer
# Prevent R8 from leaving Data object members always null
-keepclassmembers,allowobfuscation class * {
#com.google.gson.annotations.SerializedName <fields>;
}
# --- SciChart ---
# ignore warnings and save classes required for syntax highlighting
-dontwarn java.awt.**
-dontwarn javax.swing.**
-dontwarn syntaxhighlight.**
-keep public class java.awt.** { *; }
-keep public class javax.swing.** { *; }
-keep public class syntaxhighlight.** { *; }
-keep public class prettify.** { *; }
# need to keep these classes and their methods because they are used by resampling code
-keep public class com.scichart.core.model.DoubleValues { *; }
-keep public class com.scichart.core.model.FloatValues { *; }
-keep public class com.scichart.core.model.IntegerValues { *; }
-keep public class com.scichart.data.model.Point2DSeries { *; }
# repack obfuscated classes into single package so it would be hard to find their originall package
-repackageclasses ''
-allowaccessmodification
Similar questions which I checked but didn't offer any solutions to this:
Android studio 3.4.2 R8 obfuscator does not obfuscate class names, but only java code inside
Class no longer obfuscated after upgrading to Android Gradle plugin 3.4.0
Android/java: Transition / Migration from ProGuard to R8?

As per WorkManager's proguard file, it is expected that all classes that extend ListenableWorker (and its subclasses, such as Worker) are kept. This is because the name of the class is the unique key in WorkManager's internal database.

Why is Proguard not obfuscating my code?

When I build a release build of the app Proguard runs, but on looking at the APK using APK Analyzer everything is readable with apparently no obfuscation being applied.
My intent is to apply obfuscation to the APK to make reverse engineering a little more difficult.
Gradle:
buildTypes {
release {
signingConfig signingConfigs.release
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
}
Proguard is definitely running as I can see that in the Gradle console.
proguard-rules.pro:
-dontshrink
-dontoptimize
-keep class com.squareup.picasso.** { *; }
-dontwarn com.squareup.picasso.**
-keep class com.squareup.okhttp.** { *; }
-dontwarn com.squareup.okhttp.**
-keep class kotlin.reflect.** { *; }
-dontwarn kotlin.reflect.**
-keep class javax.annotation.** { *; }
-dontwarn javax.annotation.**
-keep class org.codehaus.mojo.** { *; }
-dontwarn org.codehaus.mojo.**
The Proguard docs say obfuscation runs by default. The docs also say classes specified in keep statements will not be obfuscated, but the classes in the app itself are not specified in keep statements, but are still not obfuscated.
On looking further, there is a file in the build folder called aapt_rules.txt that contains what look like keep statements for every class in the app. I don't understand why that would be.
How do I reconfigure Proguard so it obfuscates all of the code in my app (not the libraries), without shrinking or removing any classes?

by looking at line keep class com.squareup.picasso.** { *; }and -keep class com.squareup.okhttp.** { *; } ,
you are not obfuscating anything which are part of above packages or sub packages.
Progaurd will obfuscate anything which is not part of above package and sub package.
do you have class outside of these packages.

Android Proguard unable to obfuscate libaary aar package name

I'm trying to Obfuscate using proguard ,
I use some library Projects and aar libs. For both of these the pacakge name is visible. I need to obfuscate the package name.
Proguard
# This is a configuration file for ProGuard.
# http://proguard.sourceforge.net/index.html#manual/usage.html
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-verbose
# Optimization is turned off by default. Dex does not like code run
# through the ProGuard optimize and preverify steps (and performs some
# of these optimizations on its own).
-dontoptimize
-dontpreverify
# Note that if you want to enable optimization, you cannot just
# include optimization flags in your own project configuration file;
# instead you will need to point to the
# "proguard-android-optimize.txt" file instead of this one from your
# project.properties file.
-keepattributes *Annotation*
-keep public class com.google.vending.licensing.ILicensingService
-keep public class com.android.vending.licensing.ILicensingService
# For native methods, see http://proguard.sourceforge.net/manual/examples.html#native
-keepclasseswithmembernames class * {
native <methods>;
}
# keep setters in Views so that animations can still work.
# see http://proguard.sourceforge.net/manual/examples.html#beans
-keepclassmembers public class * extends android.view.View {
void set*(***);
*** get*();
}
# We want to keep methods in Activity that could be used in the XML attribute onClick
-keepclassmembers class * extends android.app.Activity {
public void *(android.view.View);
}
# For enumeration classes, see http://proguard.sourceforge.net/manual/examples.html#enumerations
-keepclassmembers enum * {
public static **[] values();
public static ** valueOf(java.lang.String);
}
-keepclassmembers class * implements android.os.Parcelable {
public static final android.os.Parcelable$Creator CREATOR;
}
-keepclassmembers class **.R$* {
public static <fields>;
}
# The support library contains references to newer platform versions.
# Don't warn about those in case this app is linking against an older
# platform version. We know about them, and they are safe.
-dontwarn android.support.**
# Understand the #Keep support annotation.
-keep class android.support.annotation.Keep
-keep #android.support.annotation.Keep class * {*;}
-keepclasseswithmembers class * {
#android.support.annotation.Keep <methods>;
}
-keepclasseswithmembers class * {
#android.support.annotation.Keep <fields>;
}
-keepclasseswithmembers class * {
#android.support.annotation.Keep <init>(...);
}
-dontwarn org.apache.http.**
-dontnote org.apache.http.**
-dontwarn microsoft.aspnet.signalr.**
-dontwarn okio.**
-dontnote okio.**
-dontnote com.fasterxml.jackson.**
-dontwarn com.fasterxml.jackson.**
-dontwarn com.squareup.picasso.**
-dontwarn android.net.http.AndroidHttpClient
-dontwarn retrofit2.**
-dontwarn okhttp3.**
-dontnote retrofit2.**
-dontnote okhttp3.**
-dontnote android.net.http.**
Build.gradle
debug {
shrinkResources false
debuggable true
minifyEnabled true
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
I have referred to :
Android Archive (AAR) package obfuscation
Android Archive (AAR) package obfuscation
How to obfuscate android library(.aar) using proguard?
Thanks

Android Volley always fails with Proguard

The goal is to deploy an application with obfuscation and minification applied. Usual builds without minification work fine. But when minifyEnabled is switched to true, everything compiles too, but all Volley requests fail with error callback (onErrorResponse) regardless on successful result.
Minification config in build.gradle:
buildTypes {
release {
minifyEnabled true
shrinkResources true
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
debug {
debuggable true
}
}
proguard-rules.pro:
##---------------Begin: proguard configuration for Gson ----------
# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature
# For using GSON #Expose annotation
-keepattributes *Annotation*
# Gson specific classes
-keep class sun.misc.Unsafe { *; }
#-keep class com.google.gson.stream.** { *; }
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }
# Prevent proguard from stripping interface information from TypeAdapterFactory,
# JsonSerializer, JsonDeserializer instances (so they can be used in #JsonAdapter)
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer
##---------------End: proguard configuration for Gson ----------
##---------------Begin: proguard configuration for Spongy Castle ----------
-keep class org.spongycastle.crypto.* {*;}
-keep class org.spongycastle.crypto.digests.* {*;}
-keep class org.spongycastle.crypto.encodings.* {*;}
-keep class org.spongycastle.crypto.engines.* {*;}
-keep class org.spongycastle.crypto.macs.* {*;}
-keep class org.spongycastle.crypto.modes.* {*;}
-keep class org.spongycastle.crypto.paddings.* {*;}
-keep class org.spongycastle.crypto.params.* {*;}
-keep class org.spongycastle.crypto.prng.* {*;}
-keep class org.spongycastle.crypto.signers.* {*;}
-keep class org.spongycastle.jcajce.provider.digest.** {*;}
-keep class org.spongycastle.jcajce.provider.keystore.** {*;}
-keep class org.spongycastle.jcajce.provider.symmetric.** {*;}
-keep class org.spongycastle.jcajce.spec.* {*;}
-keep class org.spongycastle.jce.** {*;}
-dontwarn javax.naming.**
##---------------End: proguard configuration for Spongy Castle ----------
# Configuration for Guava 18.0
#
# disagrees with instructions provided by Guava project: https://code.google.com/p/guava-libraries/wiki/UsingProGuardWithGuava
-keep class com.google.common.io.Resources {
public static <methods>;
}
-keep class com.google.common.collect.Lists {
public static ** reverse(**);
}
-keep class com.google.common.base.Charsets {
public static <fields>;
}
-keep class com.google.common.base.Joiner {
public static com.google.common.base.Joiner on(java.lang.String);
public ** join(...);
}
-keep class com.google.common.collect.MapMakerInternalMap$ReferenceEntry
-keep class com.google.common.cache.LocalCache$ReferenceEntry
# http://stackoverflow.com/questions/9120338/proguard-configuration-for-guava-with-obfuscation-and-optimization
-dontwarn javax.annotation.**
-dontwarn javax.inject.**
-dontwarn sun.misc.Unsafe
# Guava 19.0
-dontwarn java.lang.ClassValue
-dontwarn com.google.j2objc.annotations.Weak
-dontwarn org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement
# Security classes for keystore support
-dontwarn java.awt.**, javax.security.**, java.beans.**
# Volley
-dontwarn com.android.volley.**
-dontwarn com.android.volley.error.**
-keep class com.android.volley.** { *; }
-keep class com.android.volley.toolbox.** { *; }
-keep class com.android.volley.Response$* { *; }
-keep class com.android.volley.Request$* { *; }
-keep class com.android.volley.RequestQueue$* { *; }
-keep class com.android.volley.toolbox.HurlStack$* { *; }
-keep class com.android.volley.toolbox.ImageLoader$* { *; }
-keep interface com.android.volley.** { *; }
-keep class org.apache.commons.logging.*
All used dependencies:
compile 'com.android.support:appcompat-v7:23.4.0'
compile 'com.android.support:design:23.4.0'
compile 'com.google.code.gson:gson:2.7'
compile 'com.android.volley:volley:1.0.0'
compile 'com.google.guava:guava:19.0'
compile 'org.apache.directory.studio:org.apache.commons.io:2.4'
compile 'com.madgag.spongycastle:core:1.54.0.0'
compile 'com.madgag.spongycastle:prov:1.54.0.0'
compile 'com.madgag.spongycastle:pkix:1.54.0.0'
compile 'com.madgag.spongycastle:pg:1.54.0.0'
And in addition to Volley failures, EventBus from Guava doesn't work correctly too (subscribe events are not fetching). Do we have any solutions for these troubles? Should I add any additional information here?

Should admit, that even with all information provided, my question was very difficult to analyze, because of many possible sources of described errors.
I'll begin from the end of my question. Guava didn't work correctly, because ProGuard just excluded Guava's Subscribe-methods from my code to be packed. ProGuard removes unused code, and as far as Subscribe-methods are analyzed as unused (even IDE don't highlight them as used ones) ProGuard has decided to remove these methods. To solve this issue, we should keep Subscribe-methods from ProGuard's processing:
# Keep subscribe-methods from deletion
-keepclassmembers class ** {
#com.google.common.eventbus.Subscribe <methods>;
}
And my first problem - when Volley always calls onErrorResponse callbacks in all requests being fired. I used a custom deserializer for Json-repsonses which also checks, if server has provided some required fields (marked with a corresponding annotation). And, of course, ProGuard by default could not work correctly with these annotations and deserializer - that's why I had to keep these entities too:
# To make right deserialization
-keepclassmembers class ** {
#com.some.package.server.JsonDeserializerWithOptions$FieldRequired public *;
}
-keep #interface com.some.package.server.JsonDeserializerWithOptions$FieldRequired
-keep class com.some.package.server.JsonDeserializerWithOptions

Its difficult the pinpoint any error with the logs, however you should try it without using proguard. skip the proguard file syntax and see if it works fine.
Make sure you have multidex enabled, else your project will fail to execute.
android {
compileSdkVersion 21
buildToolsVersion "21.1.0"
defaultConfig {
...
minSdkVersion 14
targetSdkVersion 21
...
// Enabling multidex support.
multiDexEnabled true
}
...
}
dependencies {
compile 'com.android.support:multidex:1.0.0'
}
More details : https://developer.android.com/studio/build/multidex.html

How do you make a signed & obfuscated android release build from inside eclipse?

My android development process is to build and debug my app in eclipse and when I'm ready to publish I produce a signed, obfuscated (with proguard) apk by running "ant release" from the shell.
Is it possible to produce a signed, proguard release from within eclipse? I'm using eclipse indigo on windows with version 13 of the ADK

Yes. Once you enable ProGuard by adding the proguard.config=proguard.cfg entry to project.properties, Eclipse will obfuscate your code when you export an signed package. Details here.
BTW, you should upgrade to the latest ADT (15).

Use this in proguard files of yours you can able to make obfuscated build after enabling proguard in release/debug build.
Lakshay Proguard-Files entry details
# To enable ProGuard in your project, edit project.properties
# to define the proguard.config property as described in that file.
-keepclassmembers class fqcn.of.javascript.interface.for.webview {
public *;
}
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontpreverify
-verbose
-dontoptimize
-dontwarn android.support.**
-dontwarn com.google.**
-dontwarn com.loopj.android.http.**
-dontwarn com.worklight.androidgap.plugin.**
-dontwarn com.worklight.wlclient.**
#-injars bin/classes
#-injars libs
#-outjars bin/classes-processed.jar
# Using Google's License Verification Library
-keep class com.android.vending.licensing.ILicensingService
# Specifies to write out some more information during processing.
# If the program terminates with an exception, this option will print out the entire stack trace, instead of just the exception message.
-verbose
####################################################################################################
############################## IBM MobileFirst Platform configuration ############################
####################################################################################################
# Annotations are represented by attributes that have no direct effect on the execution of the code.
-keepattributes *Annotation*,EnclosingMethod
# For native methods, see http://proguard.sourceforge.net/manual/examples.html#native
-keepclasseswithmembernames class * {
native <methods>;
}
# keep setters in Views so that animations can still work.
# see http://proguard.sourceforge.net/manual/examples.html#beans
-keepclassmembers public class * extends android.view.View {
void set*(***);
*** get*();
}
-keepattributes InnerClasses
-keep class **.R
-keep class **.R$* {
<fields>;
}
# These options let obfuscated applications or libraries produce stack traces that can still be deciphered later on
-renamesourcefileattribute SourceFile
-keepattributes SourceFile,LineNumberTable
# Enable proguard with Cordova
-keep class org.apache.cordova.** { *; }
-keep public class * extends org.apache.cordova.CordovaPlugin
-keep class com.worklight.androidgap.push.** { *; }
-keep class com.worklight.wlclient.push.** { *; }
-keep class com.worklight.common.security.AppAuthenticityToken { *; }
# Enable proguard with Google libs
-keep class com.google.** { *;}
-dontwarn com.google.common.**
-dontwarn com.google.ads.**
# apache.http
-keep class org.apache.http.** { *; }
-keep class com.worklight.** {
*;
}
-keep class org.apache.commons.codec.** {
*;
}
-keep class net.sqlcipher.** { *; }
-dontwarn net.sqlcipher.**
-keep class org.codehaus.** { *; }
-dontwarn org.apache.http.**
-dontwarn org.apache.commons.codec.**
-optimizations !class/merging/vertical*,!class/merging/horizontal*,!code/simplification/arithmetic,!field/*,!code/allocation/variable
-keep class org.apache.http.* { *; }
-keep class org.apache.http.client.** { *; }
-keep class org.apache.http.cookie.** { *; }
-keep class org.apache.http.impl.cookie.** { *; }
-keep class org.apache.http.message.** { *; }
-keep class org.apache.http.util.** { *; }
# These classes contain references to external jars which are not included in the default MobileFirst project.
-dontwarn com.worklight.common.internal.WLTrusteerInternal*
-dontwarn com.worklight.jsonstore.**
-dontwarn org.codehaus.jackson.map.ext.**
-dontwarn com.worklight.androidgap.push.GCMIntentService
-dontwarn com.worklight.androidgap.plugin.WLInitializationPlugin
-dontwarn com.worklight.wlclient.push.GCMIntentService
-dontwarn org.bouncycastle.**
-dontwarn com.worklight.androidgap.jsonstore.security.SecurityManager
-dontwarn com.worklight.wlclient.push.WLBroadcastReceiver
-dontwarn com.worklight.wlclient.push.common.*
-dontwarn com.worklight.wlclient.api.WLPush
-dontwarn com.worklight.wlclient.api.SecurityUtils
######################################################################################################
-ignorewarnings