I am seeing some weird crashes on my Android application when I turn on proguard obfuscation. I understand I can debug this and skip obfuscation for those classes but my question is - Is it worth the risk of having the application crash on some phone or some code path that I might not have tested/exercised. For e.g this link talks about one such device specific error due to proguard.
I am close to release and am now wondering is it worth introducing proguard at this point. I understand I should have tested with it right from the start ..made a mistake.
Usually, the common problems with Proguard is not setting the correct parameters for third party libraries.
Make sure you've followed the instructions given by the third party providers as to the additions to the proguard.cfg file.
Anyhow, to disable proguard, you can always edit your project.properties file and remove the proguard.config=proguard.cfg line
Related
I'm a new Proguard user and I read number of articles about it.
As I understood, the name proguard.cfg is referring to the proguard-project.txt file. Am I correct or is there such a file called proguard.cfg?
The next thing what I want to know is how could I know proguard is working well for my project? I did not add any extra comments to proguard-project.txt. I saw in some postings they said that without using the command " -dontwarn android.support.** " in proguard-project.txt will give warnings. But I did not get any warning or any exceptions in my LogCat.
Where are those warnings/exceptions displaying at? What I need to know whether it is working well.
Well, the proguard configuration is in the projects.properties file.
proguard.config=proguard-android-optimize.txt
So, whatever file you would specify here, the configurations will be picked up from that file.
I guess, the .cfg extension was being used earlier, and the documentations haven't been updated after they changed it to this file name inside android sdk tools.
Proguard is working well?
Depends on how you are building your app. Eclipse doesn't generally show all the verbose warnings, may be a few, but not all.
So, if you are building with Eclipse, you just need to assume that it worked, unless eclipse fails creating a build, and then you would see a message. To confirm, either decompile the APK, or run the app, while checking the logs. If you can crash the app, and there's a stack trace, you can clearly see the method names are obfuscated.
If you want to see all the warnings for proguard during the build process, try building your app through ant. And in the console, you can see all the details (general + proguard) warnings also.
I have enabled Proguard by uncommenting the following line in project.properties file:
proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
When I tried to extract the classes and resources using dex2jar , I was able to extract them as it is. Do I have to change some other files / properties / configurations in my project to prevent direct extraction of classes? Should I add some configuration parameters in the project.properties(project root location) or proguard.android file(SDK location)?
It seems you're using the "standard" Proguard obfuscator properties file. Try using the "advanced" Proguard obfuscator properties file. It's here:
proguard.config=${sdk.dir}/tools/proguard/proguard-android-optimize.txt
Your codes will be obfuscated a bit further, but not all. For example, activities, services, Java classes you've declared in the manifest file, or declared with -keep directives in Proguard, will not be completely obfuscated.
On a side note: Even if you use the commercial DexGuard, you're still not 100% protected from decompilation. Experienced hackers can use smali/baksmali techniques to reverse engineer your codes, read it, modify it at will. Remember, if codes can be read as 0s and 1s, it can be hacked.
Did this occur after you built your application in release mode and exported it using valid certificate and the Export Wizard in Eclipse ? If no - do the steps: right click on your project, choose "Export", type "export android application", Next, then choose "Use existing keystore" or "Create new keystore", finish the wizard. ProGuard runs only when you build your application in release mode.
There is no way to prevent the decompilation of classes and resources. Obfuscation, such as proguard, are tools to make reverse engineering of java harder through name munging, string munging, and flow control changing. Though as stated before, everything can always be reverse engineered. Obfuscation is used to make the barrier to entry higher, and to deter people from wanting to reverse engineer your code due to level of effort.
I got a simple question: from several sources I learned that using Proguard to remove calls to the Andriod logging framework using the optimization steps "assumenosideeffects" is a very clean and easy way.
I wanted to get rid of all my if's in my code related to if-logging-is-on.
But then:
I learned I have to switch to proguard-android-optimize.txt settings for optimizations to work.
Already there, a warning states that Dex does not like Proguard to fiddle with the code!
It does not work. I get a Dalvik error, I guess that's exactly why it is not recommended to use Proguard's optimization features.
But then: why on earth do I encounter all these "helpful" ideas to go the Proguard way of removing log calls?
Has it been working in the past?
Can I do anything to make it work? Because I really like the idea of cleaning my code, removing all the useless String constants only used for logging, etc.
ProGuard generally works fine, but it's always possible that you've run into a bug. You should check that you are using the latest version -- ProGuard 4.10 at this time of writing. You should see the version in the console log, or by typing
java -jar android-sdk/tools/proguard/lib/proguard.jar
The Android SDK often doesn't come with the latest version, but you can manually replace the jar with a recent copy from the ProGuard site. All versions are backward compatible.
For the moment I am developing small Android projects to practice with the Android prorgramming. However, once on the market, I would like to obfuscate / optimise the APK thanks to ProGuard. But this tool renames classes to obfuscate the code, so:
Is it safe to use tools like Android Query to write the code?
If it is not safe, what are some framework examples that can be used safely with Pro Guard?
What could be a solution to the problem? Or should I write everything using the good old Android style and forget about a "write less, do more" approach?
How do I identify the tools that are ProGuard-safe from the ones that are not?
I assume you want to use third party libraries (jar files). You could use a 3 step approach:
If the third party jar explicitly supports Android, it will have a proguard configuration. Usually this is a snippet that you merge into your proguard-project.txt.
If there is no such explicit support, you may still try to use the jar, obfuscate and test your app. If errors occur, gradually exclude classes from obfuscation until it works. A common problem is that libraries use reflection to instantiate classes and call methods which breaks after obfuscation.
Exclude the whole library from obfuscation. This will work in any case and proguard will not touch the library at all. (The Android toolchain will still repackage the contents of the jar into your apk which might cause problems.) This will also produce the least obfuscated result and should really be your last resort.
In any case, obfuscation is not a switch that you simply toggle. You'll need to get familiar with proguard config files which involves a learning curve.
I have an Android project that I recently published to the market after running it through obfuscation with ProGuard.
The project exported without any complications, but how do I know it's been obfuscated? Is there anything I could do to verify that obfuscation was successful?
Look for dump.txt, mapping.txt, seeds.txt and usage.txt. They will probably be in a proguard folder at your project directory. These are created when ProGuard is run on your code.
These are filled with information about the obfuscation, especially useful is mapping.txt which shows what ProGuard turned your various member names in to.
Try to reverse engineer your own application. See what you can read in the code.
Use the following questions:
decompiling DEX into Java sourcecode
http://www.taranfx.com/decompile-reverse-engineer-android-apk
DISCALIMER: I am not the owner of decompileandroid.com and I am not paid to promote it. I am a develper, who is satisfied with this service.
There is actually an easier way than acquiring several different tools and passing the output of one of them to the other (this of course gives you a better control of what's going on). You can use the service
decompileandroid.com
Basically you upload and .apk file and it does all of these steps for you.
Then you can download a .zip file, which contains the decompiled sources.
You can first upload your .apk built in debug mode, then upload an .apk built in release mode. Just make sure that the flag minifyEnabled is set to true in your build.gradle file for the release build.
The difference was pretty obvious in my case - most of my classes were named a,b,c, etc in the minified build.