Android ProGuard - Obfuscating and Shrinking your code

Protecting your code from hackers

Obfuscation is often considered a magic solution for code protection, because it makes your code harder to understand if it ever gets decompiled by hackers.

But if you think that removing the Log.x(..) calls actually removes the information the hackers need, you're in for a nasty surprise.

Removing all your log calls with:

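# Only takes effect when ProGuard's optimization step is enabled.
-assumenosideeffects class android.util.Log {
    public static *** d(...);
    # ...repeat for each other Log method you want stripped
}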

will indeed remove the Log call itself, but usually not the Strings you put into them.

If, for example, your log call contains a common log message such as Log.d(MyTag,"Score="+score);, the compiler converts the + into a 'new StringBuilder()' that is built outside the Log call. ProGuard doesn't change this new object.

Your decompiled code will still have a dangling StringBuilder for "Score=", appended with the obfuscated name of the score variable (let's say it was converted to b). Now the hacker knows what b is and can make sense of your code.

A good practice to actually remove these residuals from your code is either not to put them there in the first place (use a String formatter instead, with ProGuard rules to remove them), or to wrap your Log calls with:

if (BuildConfig.DEBUG) {
    Log.d(TAG,".."+var);
}

Tip:

Test how well protected your obfuscated code is by decompiling it yourself!

  1. dex2jar - converts the APK to a jar
  2. jd - decompiles the jar and opens it in a GUI editor
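
An added example, not part of the original page: a Python check that reads the string table of a release build's classes.dex and lists log-message fragments that survived ProGuard. The marker "Score=" comes from the example above; build_sample_dex and SAMPLE are constructed test input (header and string table only), not a real dex.

```python
import struct

def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 value; return (value, next_pos)."""
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def dex_strings(dex):
    """Return every entry of the string table of a classes.dex image."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    # Header fields: string_ids_size at 0x38, string_ids_off at 0x3C.
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, start = read_uleb128(dex, data_off)  # skip the UTF-16 length prefix
        end = dex.index(b"\x00", start)         # MUTF-8 data is NUL-terminated
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out

def leftover_log_strings(dex, markers):
    """Strings in the dex that contain any of the given log-message markers."""
    return [s for s in dex_strings(dex) if any(m in s for m in markers)]

def build_sample_dex(strings):
    """Constructed test input: header plus string table only, not installable."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    ids, data, base = b"", b"", 0x70 + 4 * len(strings)
    for s in strings:  # short ASCII strings, so one length byte is enough
        ids += struct.pack("<I", base + len(data))
        data += bytes([len(s)]) + s.encode("ascii") + b"\x00"
    return bytes(header) + ids + data

# Constructed sample: what remains after Log.d(MyTag, "Score=" + score) is stripped.
SAMPLE = build_sample_dex(["Ljava/lang/StringBuilder;", "Score=", "a", "append", "b"])

if __name__ == "__main__":
    # For a real build: unzip classes.dex from your release APK and read its bytes.
    for s in leftover_log_strings(SAMPLE, ["Score="]):
        print("leftover log string:", s)
```

An empty result for your own log prefixes on the release build means the string constants were removed along with the Log calls.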
