How To Obfuscate In Android With ProGuard

Angelhia De Fiesta
3 min read · Oct 8, 2017

An APK, as you may or may not know, can be unpacked and decompiled easily using a variety of tools. This post is a detailed guide on how to give hackers a hard time decoding your app through a process called obfuscation.

Sooo what is Obfuscation?
To obfuscate, as defined by Dictionary.com, is to confuse, bewilder, or stupefy. In the software world, obfuscation is the process of transforming code into a form that is hard for humans to understand.

But why do we need to obfuscate?
Anyone who knows Java can easily work out how your app is coded once the APK is unpacked. Though obfuscation won’t guarantee code security, it will give hackers a hard time reverse-engineering your Android app! It is still advisable to add further layers of security to your code, such as implementing encryption and avoiding saving credentials to the device's local storage.

Okay, I get it now. So how do I obfuscate code in Android?
1. Configure your Gradle file
In your app/build.gradle file, set minifyEnabled to true, as in the snippet below:

android {
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt')
        }
    }
    ...
}

2. Use Android's default ProGuard rules or create your own.

In Android, the default ProGuard rules are located at sdk/tools/proguard/proguard-rules.txt. Most of the time you will need to customize the ProGuard rules, for example when you use a third-party library. Check the library's documentation for its obfuscation requirements and include them in your custom ProGuard rules.

If you are using Android’s default ProGuard rules:

android {
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt')
        }
    }
    ...
}

If you are creating your own ProGuard rules:

android {
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                    'proguard-rules.pro'
        }
    }
    ...
}

3. Edit your proguard-rules.pro
Third-party libraries usually document the ProGuard rules needed by projects that include them. SQLCipher is one example:

-libraryjars libs/commons-codec.jar
-libraryjars libs/guava-r09.jar
-libraryjars libs/sqlcipher.jar

-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontskipnonpubliclibraryclassmembers
-dontpreverify
-verbose
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*,!code/allocation/variable

-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application

-dontwarn javax.annotation.**

-dontwarn android.app.**
-dontwarn android.support.**
-dontwarn android.view.**
-dontwarn android.widget.**

-dontwarn com.google.common.primitives.**

-dontwarn **CompatHoneycomb
-dontwarn **CompatHoneycombMR2
-dontwarn **CompatCreatorHoneycombMR2

-keepclasseswithmembernames class * {
    native <methods>;
}

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet, int);
}

-keepclassmembers class * extends android.app.Activity {
    public void *(android.view.View);
}

-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

-keep class * implements android.os.Parcelable {
    public static final android.os.Parcelable$Creator *;
}

-keepclassmembers class **.R$* {
    public static <fields>;
}

-keep public class net.sqlcipher.** {
    *;
}

-keep public class net.sqlcipher.database.** {
    *;
}

4. Release your app and test
Important: Test your APK! Your app may crash after you customize your own ProGuard file, because there are some files that you need to keep from being obfuscated. Again, check step no. 3.

5. Check if your code is obfuscated
Check out my next post: Reverse Engineering APKS: Guide To See If Obfuscation Works
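A quick build-side check for steps 4 and 5, added here as an example (it is not from the original post): ProGuard writes a mapping.txt for each minified build, usually under app/build/outputs/mapping/release/, and the script below parses it to list which of your own classes and members kept their original names. The package prefix com.example.app. and the sample mapping are constructed for illustration.

```python
# Constructed sample in ProGuard's mapping.txt format (not from a real app).
SAMPLE_MAPPING = """\
com.example.app.MainActivity -> com.example.app.MainActivity:
    android.widget.TextView title -> a
    void onCreate(android.os.Bundle) -> onCreate
    12:15:void loadUser(java.lang.String) -> a
com.example.app.data.UserRepository -> com.example.app.a.a:
    java.lang.String apiToken -> a
    20:24:java.lang.String fetch(int) -> a
com.example.app.util.Crypto -> com.example.app.util.Crypto:
    8:9:byte[] encrypt(byte[]) -> encrypt
net.sqlcipher.database.SQLiteDatabase -> net.sqlcipher.database.SQLiteDatabase:
    void execSQL(java.lang.String) -> execSQL
"""

def parse_mapping(text):
    """Return {original_class: (obfuscated_class, [(member, obfuscated_member)])}."""
    classes, current = {}, None
    for line in text.splitlines():
        left, sep, right = line.strip().partition(" -> ")
        if not sep:
            continue  # blank line or comment
        if not line[0].isspace():
            # Class line: "original.Name -> obfuscated.name:"
            current = left
            classes[current] = (right.rstrip(":"), [])
        elif current is not None:
            # Member line: "[start:end:]type name[(args)] -> obfuscated"
            name = left.rsplit(" ", 1)[-1].split("(")[0]
            classes[current][1].append((name, right))
    return classes

def kept_names(classes, own_prefix):
    """List own classes and members whose names survived obfuscation."""
    kept_classes, kept_members = [], []
    for orig, (obf, members) in classes.items():
        if not orig.startswith(own_prefix):
            continue  # library code, e.g. kept on purpose by its -keep rules
        if orig == obf:
            kept_classes.append(orig)
        kept_members += [f"{orig}.{m}" for m, o in members if m == o]
    return kept_classes, kept_members

if __name__ == "__main__":
    # Assumption: your app's package prefix; replace with your own.
    kept_cls, kept_mem = kept_names(parse_mapping(SAMPLE_MAPPING), "com.example.app.")
    print("Classes readable in the APK:", kept_cls)
    print("Members readable in the APK:", kept_mem)
```

Names that appear here unexpectedly usually point to a -keep rule that is broader than it needs to be; Activity subclasses and overridden framework methods such as onCreate are expected to keep their names.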
