I searched around the net a simple example of how to use ProGuard to protect your Android app from "code thieves". And I ended doing like this and you tell me if this is all it takes:
I opened project.properties file of my project in Eclipse, and uncomment and left this line: proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
Then I went to my project's Android Tools => Export Signed Application Package...
and export it with existing keystore which I made earlier when I was exporting app to test it in my phone.
In my project, above project.properties appeared to be created a new file proguard-project.txt, which I expected because the above line: ...proguard-android.txt:proguard-project.txt.
And that's it?
Or no? Do I have to add something else because I've seen that others are adding some classes to inculde in file, ... Is that not included?
Help me to learn how to protect my app. Thanks in advance!
Yeas, that's all if you want to protect your code only.
if you have resources that have copyrights, consider using the Android Copy protection.
When pubishing your app : go to section Publishing options subsection Copy Protection
Check Copy Protection : On
This prevent hackers to export the apk and by the way, prevent your resources from most of hackers.
For the most part, that is all you need to do. If you use any external libraries, you may have to modify your config file in order to export your app. You should test your protected app on your device to before publishing.
Related
I am trying to obfuscate my simple HelloWorld project (that I just created) with ProGuard.
The configuration files are below.
[project.properties]
proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
target=android-20
[proguard-project.txt]
Nothing valid. all the lines are commented.
Lastly, I created signed apk file through the menu, File - Export - Export Android Application,
with a new key.
To make sure that the apk is obfuscated properly, I unzip the apk and decompiled classes.dex to view the inner class files. but NOT obfuscated at all. all the function names in MainActivity.java are
still the same.
Anything I missed out?
Thank you.
Look at the "Enabling ProGuard" section at http://developer.android.com/tools/help/proguard.html to see exactly how ProGuard determines which configuration file(s) to use. Look carefully at the different ways to specify the file(s) for Eclipse builds vs. Android Studio (or Gradle) builds. The ProGuard configuration files delivered with the SDK are simple starting points (examples) that almost certainly will not do exactly what you want. You should copy them to an appropriate location and change them as needed for your particular needs.
I would like to use proguard in my application. Can anyone tell me the steps should I follow to create the cfg file. Like what is the first step I have to do, where should I create the file..etc
On Android Developer's site there is a great documentation:
http://developer.android.com/tools/help/proguard.html
In short:
In your project directory find project.properties file. You should have similar line:
proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt:proguard-google-api-client.txt
In txt files you should have proguard configuration.
You should know one thing that proguard is disable (by default) if you run application in debug mode. Proguard will "start" while exporting signed app.
I am developing an android email client application and Calling webservices using ksoap2 library and also writing some encryption algorithm to encrypt data in my client.
In some websites I have read "It is possible to decompile the apk using some decompilers". (i.e.) get the source code from apk file.
But I want to secure my code. Don't show the encryption algorithm code after decompilation or don't want to decomplile my apk file. Is it possible to do that? please can you give some suggestions?
Edit the file (in the project root) project.propierties and add the line
proguard.config=proguard.cfg
And its done. When you try to generate the signed apk of your app it will take a little longer and it will be obfuscated.
If you receive the "Conversion to dalvik error" when generating the apk you need to update the proguard of your sdk. For doing it you need to go to the ProGuard page to the download section. Download the last stable version and put it content in
SDK_ROOT/tools/proguard
Deleting the existing content before of course.
You can check the Proguard manual at their page (link is above) and the Android's Proguard page for more info about ProGuard
This process is known as Obfuscating the code.
EDIT:
Steps to get obfusticated apk:
1) Download latest proguard from "http://sourceforge.net/projects/proguard/files/". Current latest version is proguard4.7
2) Replace "bin" and "lib" folder of "C:\Program Files (x86)\Android\android-sdk\tools\proguard" with latest downloaded proguard folders.
3) Check SDK location in eclipse for blank spaces in it and for that go to window > Preferences > Android. If there is blank space then replace it with:
c:\Progra~2\android\android-sdk (for windows 64-bit)
c:\Progra~1\android\android-sdk (for windows 32-bit)
4) Check that proguard.cfg file is in your project's root folder and add "proguard.config=proguard.cfg" in project.properties file of android project.
5) Now export your project to get obfusticated apk.
I hope that it will help.
You must not rely on security through obsurity.
If you feel that the encrypted data would be compromised by the knowledge of the encryption algorithm, then you're NOT doing security.
It will always be possible to decompile any file, if the "hacker" knows how to do so. That's why there are still cracks for paid applications, because people take their spare time to decompile/crack applications. All you can do is to make them have a hard time by using as many tools as you can. The first choice (and that comes disabled by default) is ProGuard
My project does not enable proguard when creating it. Therefore I need to manually add proguard and enable it via project.properties.
Is there any way I can know whether my application has been obfuscated or not aside from reverse engineering?
If your application has been obfuscated you will see a new folder called proguard in you project folder.
It should contain four text files: dump, mapping, seeds and usage.
Note that your project will not be obfuscated unless you build it in release mode.
Just for records, if you want to check if your code was really obfuscated, you can generate the APK and analyse it in this webpage: http://www.javadecompilers.com/apktool
You can check using Android Studio as well by generating the APK and later going to Build -> Analyze APK... -> select your APK to analyze.
I hope this help.
I have an Android project that I recently published to the market after running it through obfuscation with ProGuard.
The project exported without any complications, but how do I know it's been obfuscated? Is there anything I could do to verify that obfuscation was successful?
Look for dump.txt, mapping.txt, seeds.txt and usage.txt. They will probably be in a proguard folder at your project directory. These are created when ProGuard is run on your code.
These are filled with information about the obfuscation, especially useful is mapping.txt which shows what ProGuard turned your various member names in to.
Try to reverse engineer your own application. See what you can read in the code.
Use the following questions:
decompiling DEX into Java sourcecode
http://www.taranfx.com/decompile-reverse-engineer-android-apk
DISCALIMER: I am not the owner of decompileandroid.com and I am not paid to promote it. I am a develper, who is satisfied with this service.
There is actually an easier way than acquiring several different tools and passing the output of one of them to the other (this of course gives you a better control of what's going on). You can use the service
decompileandroid.com
Basically you upload and .apk file and it does all of these steps for you.
Then you can download a .zip file, which contains the decompiled sources.
You can first upload your .apk built in debug mode, then upload an .apk built in release mode. Just make sure that the flag minifyEnabled is set to true in your build.gradle file for the release build.
The difference was pretty obvious in my case - most of my classes were named a,b,c, etc in the minified build.