Essential Android ProGuard - Obfuscating and Shrinking your code edit forum

Protecting your code from hackers

Obfuscation is often considered as a magic solution for code protection, by making your code harder to understand if it ever gets de-compiled by hackers.

But if you’re thinking that removing the Log.x(..) actually removes the information the hackers need, you’ll have a nasty surprise.

Removing all your log calls with:

-assumenosideeffects class android.util.Log {
    public static *** d(...);
    ...etc
}

will indeed remove the Log call itself, but usually not the Strings you put into them.

If for example inside your log call you type a common log message such as: Log.d(MyTag,"Score="+score);, the compiler converts the \+ to a ‘new StringBuilder()’ outside the Log call. ProGuard doesn’t change this new object.

Your de-compiled code will still have a hanging StringBuilder for "Score=", appended with the obfuscated version for score variable (let’s say it was converted to b). Now the hacker knows what is b, and make sense of your code.

A good practice to actually remove these residuals from your code is either not put them there in the first place (Use String formatter instead, with proguard rules to remove them), or to wrap your Log calls with:

if (BuildConfig.DEBUG) {
    Log.d(TAG,".."+var);
}

Tip:

Test how well protected your obfuscated code is by de-compiling it yourself!

  1. dex2jar - converts the apk to jar
  2. jd - decompiles the jar and opens it in a gui editor

Table Of Contents
39 ACRA
64 Menu
112 Loader
113 ProGuard - Obfuscating and Shrinking your code
119 Xposed
132 Colors
135 Fresco
140 AdMob
147 Button
156 Vk SDK
170 XMPP
176 OpenCV
200 FileIO
203 Moshi
217 Paint
231 AIDL
241 JCodec
243 Okio
255 Looper
  ↑ ↓ to navigate     ↵ to select     Esc to close