proguard

ProGuard Tomáš Kypta

Upload: tomas-kypta

Post on 25-Jan-2017


TRANSCRIPT

Page 1: ProGuard

ProGuard

Tomáš Kypta

Page 2: ProGuard

ProGuard

• free tool

• shrinker, optimizer, obfuscator

Page 3: ProGuard

ProGuard

Page 4: ProGuard

Configuration

Page 5: ProGuard

Configuration

• Empty configuration?

• You have to specify '-keep' options for the shrinking step.

Page 6: ProGuard

Configuration

• define entry points

Page 7: ProGuard

Inputs & Outputs

-injars

-libraryjars

-outjars

Page 8: ProGuard

Keep rules

-keep

• keep class and class members

-keepclassmembers

• keep class members if their class is kept

-keepclasseswithmembers

• keep class with members if all the class members are present

Page 9: ProGuard

Keep rules

-keepnames

• short for -keep,allowshrinking class_specification

-keepclassmembernames

-keepclasseswithmembernames

Page 10: ProGuard

Keep Attributes

• -keepattributes Signature

• for generics (JDK 5.0 and higher)

• -keepattributes Exceptions

• for exceptions

Page 11: ProGuard

Keep Attributes

-keepattributes *Annotation*

*Annotation* = RuntimeVisibleAnnotations, RuntimeInvisibleAnnotations, RuntimeVisibleParameterAnnotations, RuntimeInvisibleParameterAnnotations, AnnotationDefault

Page 12: ProGuard

Keep Attributes

-keepattributes EnclosingMethod

• specifies the method in which the class was defined

-keepattributes InnerClasses

• if you have an inner class that can be referenced from outside the library

Page 13: ProGuard

Other

-keepparameternames

• keeps parameter names in LocalVariableTable and LocalVariableTypeTable

• might be useful for IDEs

Page 14: ProGuard

Keep Modifiers

allowshrinking

• Specifies whether the entry points specified in the keep tag may be shrunk.

allowoptimization

• Specifies whether the entry points specified in the keep tag may be optimized.

allowobfuscation

• Specifies whether the entry points specified in the keep tag may be obfuscated.

Page 15: ProGuard

Output Files

dump.txt

• internal structure of code

mapping.txt

• obfuscation mapping

seeds.txt

• unobfuscated code

usage.txt

• stripped code

Page 16: ProGuard

Notes & Warnings

• Notes

• -dontnote <filter>

• Warnings

• -dontwarn <filter>

Page 17: ProGuard

Problems

• Reflection!!!

• missing attributes

Page 18: ProGuard

ProGuard & Android

Page 19: ProGuard

Output files

• created in build/outputs/mapping

Page 20: ProGuard

Gradle config

Page 21: ProGuard

Gradle config

buildTypes {
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
    }
}

Page 22: ProGuard

Gradle config

buildTypes {
    debug {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro', 'proguard-rules-debug.pro'
    }
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
    }
}

Page 23: ProGuard

Gradle config

productFlavors {
    flavor1 {
        proguardFile 'proguard-rules-flavor1.pro'
    }
}

Page 24: ProGuard

ProGuard & Android Libraries

Page 25: ProGuard

Gradle config - library

defaultConfig {
    consumerProguardFiles 'proguard-rules-lib.pro'
}

• packed into aar

• proguard.txt

Page 26: ProGuard

Generated ProGuard config

• build/intermediates/proguard-rules

• components in AndroidManifest.xml

• custom views in layouts

• only when minifyEnabled true

Page 27: ProGuard

Config merging

-printconfiguration configuration.txt

• merging is a bit stupid

-keepattributes *Annotation*,SourceFile,LineNumberTable,Signature,Exceptions,*Annotation*,Exceptions,*Annotation*,Exceptions,*Annotation*,Signature,Exceptions,*Annotation*,Exceptions,Signature,*Annotation*,Signature,Exceptions,*Annotation*,Exceptions,*Annotation*,Signature,Exceptions,*Annotation*,Signature,Signature,Exceptions,*Annotation*,Signature

Page 28: ProGuard

Apk build

• ProGuard output in apk build

• build/intermediates/classes-proguard/{variant}/classes.jar

Page 29: ProGuard

Deobfuscation

• ReTrace

• retrace.sh mapping.txt [<stacktrace_file>]

• completeness depends on presence of line number tables

• -keepattributes SourceFile,LineNumberTable

• ambiguous without these attributes - it will list all possible original method names

• -renamesourcefileattribute MyApp

• resolve unknown source
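Why ReTrace becomes ambiguous without line numbers, shown as an added Python example (not from the talk and not ReTrace's own code). The mapping excerpt, class names and stack frames are constructed, and only the basic `mapping.txt` line format is handled.

```python
import re

# Constructed mapping.txt excerpt (not from the talk): two overloads share the
# obfuscated name "a"; only the line ranges tell them apart.
MAPPING = """\
com.example.app.Session -> a.b:
    java.lang.String token -> a
    10:14:void login(java.lang.String) -> a
    20:27:void logout() -> a
    30:31:boolean isValid() -> b
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
METHOD_RE = re.compile(r"^\s+(?:(\d+):(\d+):)?\S+ (\S+)\(.*\) -> (\S+)$")
FRAME_RE = re.compile(r"at ([\w.$]+)\.([\w$<>]+)\((?:[^:)]*)(?::(\d+))?\)")


def parse_mapping(text):
    """Return {obf_class: (orig_class, [(first, last, orig_method, obf_method)])}."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(2), (m.group(1), []))
            continue
        m = METHOD_RE.match(line)  # field lines have no "(...)" and are skipped
        if m and current is not None:
            first, last = (int(m.group(1)), int(m.group(2))) if m.group(1) else (None, None)
            current[1].append((first, last, m.group(3), m.group(4)))
    return classes


def retrace_frame(frame, classes):
    """Map one obfuscated stack frame to its candidate original methods."""
    m = FRAME_RE.search(frame)
    if not m or m.group(1) not in classes:
        return []
    orig_class, methods = classes[m.group(1)]
    line = int(m.group(3)) if m.group(3) else None
    hits = [(first, last, name) for first, last, name, obf in methods if obf == m.group(2)]
    if line is not None:
        ranged = [h for h in hits if h[0] is not None and h[0] <= line <= h[1]]
        hits = ranged or hits  # fall back to all candidates if no range matches
    return sorted({f"{orig_class}.{name}" for _, _, name in hits})
```

A frame such as `at a.b.a(SourceFile:22)` resolves to a single method, while `at a.b.a(Unknown Source)` returns every method that was renamed to `a`.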

Page 30: ProGuard

Deobfuscation

Page 31: ProGuard

Frequent library configs

Page 32: ProGuard

Some library configs

• Retrofit

-dontwarn retrofit.**
-keep class retrofit.** { *; }
-keepattributes Signature
-keepattributes Exceptions

• ButterKnife

-keep class butterknife.** { *; }
-dontwarn butterknife.internal.**
-keep class **$$ViewBinder { *; }
-keepclasseswithmembernames class * {
    @butterknife.* <fields>;
}
-keepclasseswithmembernames class * {
    @butterknife.* <methods>;
}

Page 33: ProGuard

Some library configs

• Otto

-keepattributes *Annotation*
-keepclassmembers class ** {
    @com.squareup.otto.Subscribe public *;
    @com.squareup.otto.Produce public *;
}

Page 34: ProGuard

Some library configs

• Dagger 2

• doesn’t require anything

• Rx

• dependency compile 'com.artemzin.rxjava:proguard-rules:1.0.14.2'

Page 35: ProGuard

Tips, Tricks & Traps

Page 36: ProGuard

Tips, Tricks & Traps

• never use

-dontwarn **

-dontnote **

Page 37: ProGuard

Tips, Tricks & Traps

• in library projects, in consumerProguardFiles don’t use:

• -printconfiguration configuration.txt

• -dontobfuscate, -dontoptimize, …

• -keepattributes SourceFile,LineNumberTable,LocalVariableTable,LocalVariableTypeTable

• declare the bare minimum
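Because consumer rules are merged into every consuming app's configuration, a library's rules file can be checked before it is packed into the aar. The following is an added Python example (not from the talk); the sample rules and the `com.example.lib` package are constructed, and the checks cover only the options named on these slides.

```python
# Options the slide above says must not appear in consumerProguardFiles,
# plus the blanket "**" filters from the "never use" slide.
GLOBAL_OPTIONS = {"-printconfiguration", "-dontobfuscate", "-dontoptimize"}
BLANKET_FILTERS = {"-dontwarn", "-dontnote"}
DEBUG_ATTRS = {"SourceFile", "LineNumberTable",
               "LocalVariableTable", "LocalVariableTypeTable"}

# Constructed consumer rules for a hypothetical library.
SAMPLE_RULES = """\
# rules shipped inside the aar
-keep class com.example.lib.Api { *; }
-dontobfuscate
-dontwarn **
-dontwarn okio.**
-keepattributes Signature,SourceFile,LineNumberTable
"""


def lint_consumer_rules(text):
    """Return (line_no, message) findings for one consumer rules file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ProGuard comments start with '#'
        if not line:
            continue
        option, _, arg = line.partition(" ")
        arg = arg.strip()
        if option in GLOBAL_OPTIONS:
            findings.append((no, f"{option} changes the consuming app's whole build"))
        elif option in BLANKET_FILTERS and arg == "**":
            findings.append((no, f"{option} ** silences every class in the app"))
        elif option == "-keepattributes":
            leaked = sorted(DEBUG_ATTRS & {a.strip() for a in arg.split(",")})
            if leaked:
                findings.append((no, "forces debug attributes on the app: " + ",".join(leaked)))
    return findings


if __name__ == "__main__":
    for no, message in lint_consumer_rules(SAMPLE_RULES):
        print(f"line {no}: {message}")
```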

Page 38: ProGuard

Tips, Tricks & Traps

-applymapping <file>

• reuse previous mapping

-obfuscationdictionary <file>

• custom dictionary

• you can e.g. use Java keywords there (not that helpful)

Page 39: ProGuard

Tips, Tricks & Traps

-repackageclasses 'com.example.obfuscated'

• in Java there can be a problem when a class tries to load a resource in the same directory

Page 40: ProGuard

DexGuard

• commercial

• extra features

• resource obfuscation

• string encryption

• class encryption

• dex splitting

• native code obfuscation

Page 41: ProGuard

Links

• http://proguard.sourceforge.net/

• https://www.guardsquare.com/dexguard

Page 42: ProGuard

Q&A

Page 43: ProGuard

THE END