Smarter Way to Secure an Android App | DexGuard

Vikas Soni
Mar 25, 2024


Modern mobile application development focuses heavily on application security. Thousands of applications are published on the Google Play Store every day, and their security has become a major concern. When we build an Android application with the Android Studio IDE, the IDE already provides some configuration in the codebase by default. We can find this file, named proguard-rules.pro, at the path given below.

/home/demo/AndroidStudioProject/MyApplication/app/proguard-rules.pro

We can write rules in this file according to our project's security needs to make our code harder for attackers to decompile and understand. I am assuming you already have hands-on experience writing efficient ProGuard rules, so I'll skip that and jump to its more robust version for obfuscating code.

DexGuard is paid software developed by Guardsquare, designed specifically to improve the protection of Android applications against reverse engineering and other security threats. It's particularly useful for developers and organizations looking to safeguard their intellectual property, sensitive data, and proprietary algorithms in Android apps.

Why DexGuard over ProGuard?

This is the first question that will come to mind as soon as you start reading this article. Several factors come into the picture:

a) Advanced Protection Features: DexGuard offers advanced features over ProGuard, such as string encryption, class encryption, resource encryption, and runtime checks.

b) Root Detection and Response: DexGuard includes features for detecting rooted devices and implementing appropriate responses to mitigate risks associated with running on compromised environments.

c) License Checking: DexGuard supports the implementation of robust license checking mechanisms to prevent unauthorized distribution or usage of the application.

d) Dynamic Code Loading Protection: DexGuard helps in securing applications that utilize dynamic code loading mechanisms by applying appropriate safeguards.

This strengthens the case that DexGuard is the better choice for applications that treat users' data security as the first priority. Let's implement DexGuard in our Android application now:

Steps to implement DexGuard in an Android application:

a) Acquiring DexGuard License: First of all, we need to get a license for DexGuard from Guardsquare. We can do this by contacting Guardsquare through their official website or sales channels.

b) Integrating DexGuard Plugin: DexGuard provides a Gradle plugin for seamless integration with Android projects. You need to add the DexGuard plugin to your project’s build.gradle file.

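buildscript {
    repositories {
        google()   // the Android Gradle plugin is published in Google's Maven repository
        jcenter()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:xxx'           // xxx: your Android Gradle plugin version
        classpath 'com.guardsquare:dexguard-gradle-plugin:xxx'   // xxx: your DexGuard version
    }
}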

c) Applying DexGuard Configuration: Create a DexGuard configuration file (usually named dexguard-project.txt), where you specify the settings for code obfuscation, encryption, and other security features. You can customize this file according to your project's requirements. Here is a sample configuration; you can modify it according to your app's security needs.

# DexGuard configuration file

# Optimization and Obfuscation Settings
-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontpreverify
-verbose
-optimizations !code/simplification/arithmetic,!code/simplification/cast,!field/*,!class/merging/*

# Code Obfuscation
-repackageclasses ''
-allowaccessmodification
-keepattributes *Annotation*

# String Encryption
-encryptstrings
-encryptresources

# Class Encryption
-encryptpackage com.example.package

# Resource Encryption
-encryptassetfiles

# Runtime Checks
-checks

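# Anti-Debugging and Anti-Tampering Measures
# The rule below strips Log.d and Log.v calls from the build.
# -dontobfuscate and -dontoptimize are left out: they would switch off the
# obfuscation and optimization configured above, and -assumenosideeffects
# only applies when optimization is enabled.
-keepattributes *Annotation*,InnerClasses
-assumenosideeffects class android.util.Log {
    public static *** d(...);
    public static *** v(...);
}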

# Root Detection and Response
-keeppackagenames com.example.rootcheck

d) Configuring DexGuard in build.gradle: Configure the DexGuard plugin in your module’s build.gradle file by applying the DexGuard configuration and specifying the location of the configuration file.

android {
    // ...
    buildTypes {
        release {
            minifyEnabled true
            proguardFile getDefaultDexGuardFile('dexguard-project.txt')
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'dexguard-project.txt'
            signingConfig signingConfigs.release
        }
    }
}

e) Running DexGuard: Once we have configured DexGuard in our project, we can build our Android application using the release build type. DexGuard will automatically apply the specified obfuscation, encryption, and other security transformations during the build process.

f) Testing and Debugging: After building the protected APK, it’s essential to thoroughly test the application to ensure that DexGuard hasn’t introduced any unintended side effects or issues. We may also need to debug any potential problems that arise during testing.

g) Deploying the Protected Application: Once we're satisfied with the testing results, we can deploy the protected version of our Android application to users through the Google Play Store or other distribution channels.
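
A check worth running on the configuration file from step c) before the release build: the script below is an added example, not part of the original article or of DexGuard, and flags standard ProGuard options that switch off a processing step or that stop applying once another option is set. It relies only on the option semantics documented in the ProGuard manual; DexGuard-specific options are not modelled, and the sample configuration is constructed.

```python
import re

# Standard ProGuard options that switch off a whole processing step.
DISABLES = {
    "-dontobfuscate": "obfuscation is switched off, so names stay readable",
    "-dontoptimize": "optimization is switched off",
}

# Options that only apply while a step runs, mapped to the option that turns that step off.
NEEDS_STEP = {
    "-optimizationpasses": "-dontoptimize",
    "-assumenosideeffects": "-dontoptimize",
    "-repackageclasses": "-dontobfuscate",
}

def parse_options(text):
    """Return [(line_no, option)] for every line that starts with an option."""
    found = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        match = re.match(r"-[A-Za-z]+", line)
        if match:
            found.append((line_no, match.group(0)))
    return found

def lint(text):
    """Return [(line_no, message)] for rules that weaken or cancel others."""
    options = parse_options(text)
    present = {name for _, name in options}
    findings = []
    for line_no, name in options:
        if name in DISABLES:
            findings.append((line_no, f"{name}: {DISABLES[name]}"))
        blocker = NEEDS_STEP.get(name)
        if blocker in present:
            findings.append((line_no, f"{name} has no effect while {blocker} is set"))
    return findings

# Constructed sample, not a real project's configuration.
SAMPLE = """\
-optimizationpasses 5
-repackageclasses ''
-encryptstrings
-dontobfuscate
-dontoptimize
-assumenosideeffects class android.util.Log { public static *** d(...); }
"""
if __name__ == "__main__":
    print("\n".join(f"line {n}: {m}" for n, m in lint(SAMPLE)))
```

An empty result only means none of these specific conflicts is present; it says nothing about whether the DexGuard-specific rules are effective.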

Thank you for reading this article; I hope you enjoyed it. Please clap, share, and bookmark it if you liked it. Share your thoughts in the comments, or write to me at vikasacsoni9211@gmail.com

Happy Coding :)
