Obfuscating and Optimizing Android Apps: “ProGuard can do it all”

chandan bhandari
Nov 7, 2016 · 5 min read

Yes, you got it right. Your Android app is so vulnerable to theft that even a beginner-level Android developer can reuse your code. An Android app's .APK can be decompiled back to its original code, which lets hackers or other developers reuse your code in their own apps or misuse it. So you need to optimize your code to remove unwanted code from bundled libraries, and then obfuscate it to hide it and keep it safe from potential hackers.

What exactly is an APK?

I believe it won’t be a surprise to hear that an APK is basically a zip file. We can extract it with any zip archiver and find almost all the files we put there in unchanged form. Now imagine someone decompiling your APK, extracting the code and publishing it to the Google Play Store with slight modifications.

What is obfuscation?

To make a potential attacker’s life harder and hide our code, we need to perform a process called obfuscation. Obfuscation is the deliberate act of creating code that is difficult for humans to understand. It can be done in various ways: renaming all variables and class names to gibberish, flattening the directory structure, moving methods between files, adding garbage code, changing strings to int/hex array equivalents, etc. Tools such as ProGuard and DexGuard handle obfuscation and optimization of our code.

PROGUARD

It is quite easy to reverse engineer Android applications, so if you want to prevent this from happening, yes, you should use ProGuard for its main function: obfuscation.

ProGuard also has two other important functions: shrinking, which eliminates unused code and is obviously highly useful, and optimization. Optimization operates on Java bytecode, though, and since Android runs Dalvik bytecode that is converted from Java bytecode, some optimizations won’t work so well. So you should be careful there.

Steps to use ProGuard in your project

ProGuard ships with Android Studio as a default tool. You just have to enable it in your project's build.gradle file. The ProGuard configuration is declared in the proguard-rules.pro file and offers a wide variety of options, so we have to be careful which ones we pick. I’m not going to elaborate in detail, just one remark: be sure to thoroughly test your application in release mode, especially after changing the ProGuard config. ProGuard can sometimes break your code if used improperly. It can cause errors, e.g. in code that uses reflection or in libraries that do, such as JSON parsers.

Enable ProGuard in the build.gradle file

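android {
    buildTypes {
        release {
            // Run ProGuard (shrinking and obfuscation) on the release build
            minifyEnabled true
            // Drop unused resources (requires minifyEnabled)
            shrinkResources true
            // Note: proguard-android.txt sets -dontoptimize; use
            // proguard-android-optimize.txt if the -optimizations rules should apply
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}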

Modify the proguard-rules.pro file

Code to enable optimization

# Choose which optimizations run, how many passes, and allow widening access modifiers
-optimizations code/simplification/arithmetic,!code/simplification/cast,!field/*,!class/merging/*,!method/inlining/*
-optimizationpasses 5
-allowaccessmodification

Note: if you want to disable optimization, use these options instead of the ones above

-dontoptimize
-dontpreverify

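Code to remove log calls from the code

# Treat these Log calls as side-effect free so the optimizer can remove them
# (only applied when optimization is enabled)
-assumenosideeffects class android.util.Log {
    public static *** d(...);
    public static *** i(...);
    public static *** v(...);
}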

Customize which code to keep

Alternatively, you can add the @Keep annotation to the code you want to keep. Adding @Keep on a class keeps the entire class as-is. Adding it on a method or field will keep the method/field (and its name) as well as the class name intact. Note that this annotation is available only when using the Annotations Support Library.

Example: -keep public class MyClass
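An added example (not the author's code): a small Python lint over a release configuration like the one above. It assumes the stock `proguard-android.txt` sets `-dontoptimize` (the `proguard-android-optimize.txt` variant does not), in which case `-optimizations`, `-optimizationpasses` and `-assumenosideeffects` are silently ignored and the `Log` calls stay in the APK. The input strings are constructed to mirror this page, and the finding codes are made up for the example.

```python
import re

# Constructed inputs mirroring the build.gradle and proguard-rules.pro settings on this page.
GRADLE = """
release {
    minifyEnabled true
    shrinkResources true
    proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
}
"""
RULES = """
-optimizations code/simplification/arithmetic,!code/simplification/cast,!field/*
-optimizationpasses 5
-assumenosideeffects class android.util.Log {
    public static *** d(...);
}
"""

# Options that are applied only during ProGuard's optimization step.
OPTIMIZER_ONLY = {"-optimizations", "-optimizationpasses", "-assumenosideeffects"}
# A keep rule that pins every member of every class, e.g. "-keep class ** { *; }".
BROAD_KEEP = re.compile(r"-keep\w*\s+(?:\w+\s+)*class\s+\*\*?\s*\{\s*\*\s*;\s*\}")


def directives(rules):
    """Return the option names used in a rules file, ignoring '#' comments."""
    return set(re.findall(r"(?m)^\s*(-[a-z]+)", re.sub(r"#.*", "", rules)))


def audit(gradle, rules):
    """Return a list of (code, message) findings for one release configuration."""
    used, findings = directives(rules), []
    if not re.search(r"minifyEnabled\s+true", gradle):
        findings.append(("MINIFY_OFF", "release build is neither shrunk nor obfuscated"))
    default = re.search(r"getDefaultProguardFile\(\s*['\"]([^'\"]+)['\"]", gradle)
    # Assumption stated in the lead-in: the stock proguard-android.txt contains -dontoptimize.
    no_opt = "-dontoptimize" in used or bool(default and default.group(1) == "proguard-android.txt")
    dead = sorted(used & OPTIMIZER_ONLY)
    if no_opt and dead:
        findings.append(("DEAD_OPTIMIZER_RULES",
                         "optimization is disabled, so these have no effect: " + ", ".join(dead)))
    if "-dontobfuscate" in used:
        findings.append(("DONT_OBFUSCATE", "class and member names ship unchanged"))
    if BROAD_KEEP.search(re.sub(r"#.*", "", rules)):
        findings.append(("BROAD_KEEP", "a keep-everything rule exempts all code from renaming"))
    return findings


if __name__ == "__main__":
    for code, message in audit(GRADLE, RULES):
        print(f"{code}: {message}")
```

Pointing the Gradle snippet at `proguard-android-optimize.txt` clears the finding for the sample input.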

Code that I added to the proguard-rules.pro file for optimization and obfuscation in my app

# This is a configuration file for ProGuard. 
# http://proguard.sourceforge.net/index.html#manual/usage.html

Below is unobfuscated and obfuscated Java code to give you an idea of how ProGuard works.

Input code

public class MainActivity extends Activity implements RecognitionListener {
    private String LOG_TAG;
    int MY_DATA_CHECK_CODE;
    private TextToSpeech mTts;
    private ProgressBar progressBar;
    private Intent recognizerIntent;
    private TextView returnedText;
    private SpeechRecognizer speech;
    private ToggleButton toggleButton;

    /* renamed from: com.example.consultadd.speechreconizer.MainActivity.1 */
    class C01481 implements OnCheckedChangeListener {
        C01481() {
        }

        public void onCheckedChanged(CompoundButton buttonView, boolean isChecked) {
            if (isChecked) {
                MainActivity.this.progressBar.setVisibility(0); // 0 == View.VISIBLE
                MainActivity.this.progressBar.setIndeterminate(true);
                MainActivity.this.speech.startListening(MainActivity.this.recognizerIntent);
                return;
            }
            MainActivity.this.progressBar.setIndeterminate(false);
            MainActivity.this.progressBar.setVisibility(4); // 4 == View.INVISIBLE
            MainActivity.this.speech.stopListening();
        }
    }
    // ...
}

Output code

public class MainActivity extends Activity implements RecognitionListener {
    int f2031a;
    private TextView f2032b;
    private ToggleButton f2033c;
    private ProgressBar f2034d;
    private SpeechRecognizer f2035e;
    private Intent f2036f;
    private String f2037g;

    /* renamed from: com.example.consultadd.speechreconizer.MainActivity.1 */
    class C06811 implements OnCheckedChangeListener {
        final /* synthetic */ MainActivity f2030a;

        C06811(MainActivity mainActivity) {
            this.f2030a = mainActivity;
        }
        // ...
    }
    // ...
}

You can clearly see the difference: variable and function names have been changed to generated IDs. This makes it hard for a hacker to understand the code.

Things to Remember

ProGuard can sometimes break your code if used improperly. So it is highly recommended to go through all the functionality of the app before releasing it.

Thecodinghouse
