My project does not enable proguard when creating it. Therefore I need to manually add proguard and enable it via project.properties.
Is there any way I can know whether my application has been obfuscated or not aside from reverse engineering?
If your application has been obfuscated you will see a new folder called proguard in you project folder.
It should contain four text files: dump, mapping, seeds and usage.
Note that your project will not be obfuscated unless you build it in release mode.
Just for records, if you want to check if your code was really obfuscated, you can generate the APK and analyse it in this webpage: http://www.javadecompilers.com/apktool
You can check using Android Studio as well by generating the APK and later going to Build -> Analyze APK... -> select your APK to analyze.
I hope this help.
Related
I am trying to obfuscate my simple HelloWorld project (that I just created) with ProGuard.
The configuration files are below.
[project.properties]
proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
target=android-20
[proguard-project.txt]
Nothing valid. all the lines are commented.
Lastly, I created signed apk file through the menu, File - Export - Export Android Application,
with a new key.
To make sure that the apk is obfuscated properly, I unzip the apk and decompiled classes.dex to view the inner class files. but NOT obfuscated at all. all the function names in MainActivity.java are
still the same.
Anything I missed out?
Thank you.
Look at the "Enabling ProGuard" section at http://developer.android.com/tools/help/proguard.html to see exactly how ProGuard determines which configuration file(s) to use. Look carefully at the different ways to specify the file(s) for Eclipse builds vs. Android Studio (or Gradle) builds. The ProGuard configuration files delivered with the SDK are simple starting points (examples) that almost certainly will not do exactly what you want. You should copy them to an appropriate location and change them as needed for your particular needs.
I have enabled Proguard by uncommenting the following line in project.properties file:
proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
When I tried to extract the classes and resources using dex2jar , I was able to extract them as it is. Do I have to change some other files / properties / configurations in my project to prevent direct extraction of classes? Should I add some configuration parameters in the project.properties(project root location) or proguard.android file(SDK location)?
It seems you're using the "standard" Proguard obfuscator properties file. Try using the "advanced" Proguard obfuscator properties file. It's here:
proguard.config=${sdk.dir}/tools/proguard/proguard-android-optimize.txt
Your codes will be obfuscated a bit further, but not all. For example, activities, services, Java classes you've declared in the manifest file, or declared with -keep directives in Proguard, will not be completely obfuscated.
On a side note: Even if you use the commercial DexGuard, you're still not 100% protected from decompilation. Experienced hackers can use smali/baksmali techniques to reverse engineer your codes, read it, modify it at will. Remember, if codes can be read as 0s and 1s, it can be hacked.
Did this occur after you built your application in release mode and exported it using valid certificate and the Export Wizard in Eclipse ? If no - do the steps: right click on your project, choose "Export", type "export android application", Next, then choose "Use existing keystore" or "Create new keystore", finish the wizard. ProGuard runs only when you build your application in release mode.
There is no way to prevent the decompilation of classes and resources. Obfuscation, such as proguard, are tools to make reverse engineering of java harder through name munging, string munging, and flow control changing. Though as stated before, everything can always be reverse engineered. Obfuscation is used to make the barrier to entry higher, and to deter people from wanting to reverse engineer your code due to level of effort.
I have typed proguard.config=proguard.cfg and renamed keepclasseswithmembernames to keepclasseswithmembers and it has successfully exported signed .apk.
How to find out if proguard was successful in obfuscating the code?
Am I missing something or is it good to go to market?
This thread should not be limited to source code suggestions. ANY and ALL suggestions about posting an app to the android market would be appreciated by not only me, but any other nooobs that might be posting their first app to the market and researching this topic on SO.
Look in the proguard folder : You will see files like mapping.txt, dump.txt, usage.txt etc. Also if you look in the logcat you will see that Class names and Method names are obfuscated.
For more details go here.
Another hardcore way will be to use dex2jar and java decompiler to decompile your app and see how much you'll suceed. If obfuscation went well you'll see that it's impossible.
ProGuard will run when you build your app in Release mode. You can tell it successfully obfuscated the code if the following files are generated
dump.txt
mapping.txt
seeds.txt
usage.txt
The location of these files are:
<project_root>/bin/proguard if you are using Ant.
<project_root>/proguard if you are using Eclipse.
For more details and to learn about the contents of these files look at http://developer.android.com/tools/help/proguard.html
Convert apk to jar and extract it. if you see file names are not changed proguard not affect on code
Goodluck
Use this gradle task. This gradle task will allow you to automate the detection of files as mentioned by Binoy Babu and monkybonk05. This needs no visual inspection. Your build will fail if the files don't exist. Generally proguarding in done on the release version of the application
tasks.whenTaskAdded { task ->
if (task.name == 'assembleFlavorRelease') {
task.finalizedBy checkProguardFlavor
}
}
task checkProguardFlavor << {
assert file("./build/outputs/mapping/Flavor/release/dump.txt").exists()
assert file("./build/outputs/mapping/Flavor/release/mapping.txt").exists()
}
I have been working on one project which is too complex and contain very much space with so many images and Java files as well.
Somewhere I have read about the proguard which optimizes the code.
I have used it, but it's still does not have an effect on my final APK file.
It might be I have made a mistake somewhere. I have the following this like http://developer.android.com/guide/developing/tools/proguard.html.
How can I optimize my code?
You can add it to the default.properties. I've been adding manually without having a problem so far.
If you add the line:
proguard.config=proguard.cfg
As said it will only use ProGuard when exporting signed application (Android Tools => Export Signed Application)
If you start the project with the SDK before Android 2.3 the proguard.cfg file will not be created (next to default.properties as in 2.3>).
To enable automatic creation of it, just simply update to the SDK of Android 2.3 and create a new project with existing sources (which are the sources of the project you currently have).
Automagically the proguard.cfg fill will be created.
Without optimizations the compiler produces very dumb code - each command is compiled in a very straightforward manner, so that it does the intended thing.
The Debug builds have optimizations disabled by default, because without the optimizations the produced executable matches the source code in a straightforward manner.
Please refer this one
From documentation:
ProGuard is integrated into the Android build system, so you do not have to invoke it manually. ProGuard runs only when you build your application in release mode, so you do not have to deal with obfuscated code when you build your application in debug mode.
I have an Android project that I recently published to the market after running it through obfuscation with ProGuard.
The project exported without any complications, but how do I know it's been obfuscated? Is there anything I could do to verify that obfuscation was successful?
Look for dump.txt, mapping.txt, seeds.txt and usage.txt. They will probably be in a proguard folder at your project directory. These are created when ProGuard is run on your code.
These are filled with information about the obfuscation, especially useful is mapping.txt which shows what ProGuard turned your various member names in to.
Try to reverse engineer your own application. See what you can read in the code.
Use the following questions:
decompiling DEX into Java sourcecode
http://www.taranfx.com/decompile-reverse-engineer-android-apk
DISCALIMER: I am not the owner of decompileandroid.com and I am not paid to promote it. I am a develper, who is satisfied with this service.
There is actually an easier way than acquiring several different tools and passing the output of one of them to the other (this of course gives you a better control of what's going on). You can use the service
decompileandroid.com
Basically you upload and .apk file and it does all of these steps for you.
Then you can download a .zip file, which contains the decompiled sources.
You can first upload your .apk built in debug mode, then upload an .apk built in release mode. Just make sure that the flag minifyEnabled is set to true in your build.gradle file for the release build.
The difference was pretty obvious in my case - most of my classes were named a,b,c, etc in the minified build.