ProGuard

ProGuard
Edward Dale
@scompt
Freeletics
https://www.freeletics.com
August 31, 2017
© Edward Dale, 2017 1

View Slide

Agenda
• Overview
• Steps
• Problems
• Future

View Slide

Purpose
ProGuard is the most popular optimizer for Java bytecode. It
makes your Java and Android applications up to 90% smaller and
up to 20% faster. ProGuard also provides minimal protection
against reverse engineering by obfuscating the names of classes,
ﬁelds and methods.
— https://www.guardsquare.com/en/proguard

View Slide

Purpose
ProGuard is the most popular optimizer for Java bytecode. It
makes your Java and Android applications up to 90% smaller
and up to 20% faster. ProGuard also provides minimal protection
against reverse engineering by obfuscating the names of
classes, ﬁelds and methods.
— https://www.guardsquare.com/en/proguard

View Slide

Highlights 1
• ProGuard is a command-line tool with an optional graphical
user interface.
• ProGuard is easy to configure. A few intuitive command line
options or a simple configuration file is all it takes. All
available options are detailed in the user manual.
1 https://www.guardsquare.com/en/proguard

View Slide

Highlights 1 (continued)
• ProGuard is fast. It processes small Android applications and
entire run-time libraries in seconds.
• ProGuard is the default tool in development environments
like Oracle’s Wireless Toolkit, NetBeans, EclipseME, Intel’s
TXE SDK and Google’s Android SDK.
1 https://www.guardsquare.com/en/proguard

View Slide

Highlights (annotated)
• ProGuard is easy to configure. A
few intuitive command line options
or a simple configuration file is all it
takes. All available options are
detailed in the user manual.
• ProGuard is fast. It processes small
Android applications and entire run-
time libraries in seconds.

View Slide

Steps
start shrink end
optimize obfuscate preverify

View Slide

Shrink Step
• Enabled by default
• Disabled with -dontshrink
• Removes all classes, methods, resources not reachable from
from an entry point (seeds)
• Dynamically referenced classes/methods need to be "kept"
using -keep or -keepclasseswithmembers

View Slide

Example Class Diagram
LoginActivity
UserManager
UserApi
FeedActivity
FeedApi OldUserManager
OldUserApi

View Slide

After Shrinking
• No seeds
LoginActivity
UserManager
UserApi
FeedActivity
OldUserApi

View Slide

After Shrinking
• -keep MainActivity
• -keep SecondActivity
LoginActivity
UserManager
UserApi
FeedActivity
OldUserApi

View Slide

After Shrinking
• -keep public class * extends android.app.Activity
LoginActivity
UserManager
UserApi
FeedActivity
OldUserApi

View Slide

Keep Options
-keep
Specifies classes and class members (fields and methods) to be preserved as
entry points to your code.
-keepclassmembers
Specifies class members to be preserved, if their classes are preserved as well.
-keepclasseswithmembers
Specifies classes and class members to be preserved, on the condition that all of
the specified class members are present.

View Slide

Optimize Step
• Disabled with -dontoptimize
• Performs lots of different bytecode-level optimizations to
the code

View Slide

Optimize Step
• -optimizationpasses declares how many times to
optimize/shrink
• Freeletics does 5 passes

View Slide

Optimize Step
• -optimizations can be used to disable speciﬁc
optimizations
• Freeletics disables optimizations that cause problems on
Android
• More information in $ANDROID_HOME/tools/proguard/
proguard-android-optimize.txt

View Slide

Example Optimizations 2
• Marks methods as ﬁnal, whenever possible.
• Removes unused method parameters.
• Propagates the values of method parameters from method invocations to the
invoked methods.
• Propagates the values of method return values from methods to their invocations.
• Inlines short methods.
• Inlines methods that are only called once.
2 https://www.guardsquare.com/en/proguard/manual/optimizations

View Slide

Obfuscate Step
• Disabled with -dontobfuscate
• Classes and class members receive new short random
names, except for the ones listed by the various
-keep options
• Internal attributes that are useful for debugging are
removed

View Slide

After Obfuscation
LoginActivity
A
B
FeedActivity
C
OldUserManager
OldUserApi

View Slide

Preverification Step
• Disabled with -dontpreverify
• When loading class ﬁles, the class loader performs some
sophisticated veriﬁcation of the byte code.
• Unnecessary on Android

View Slide

Problems

View Slide

Problem 1
Class is unintentionally removed/obfuscated
Symptom: Runtime crash
java.lang.NoClassDefFoundError: Failed resolution of: Lcom/freeletics/LoginActivity;

View Slide

Problem 1
Class is unintentionally removed/obfuscated
Symptom: Runtime crash
java.lang.NoClassDefFoundError: Failed resolution of: Lcom/freeletics/LoginActivity;
Solution: Ensure class is kept
-keep com.freeletics.LoginActivity

View Slide

Problem 2
Code references a class not available
Symptom:: Build failure
Warning: rx.internal.util.unsafe.ConcurrentCircularArrayQueue: can't find referenced class sun.misc.Unsafe
...
Warning: there were 47 unresolved references to classes or interfaces.

View Slide

Problem 2
Code references a class not available
Symptom:: Build failure
Warning: rx.internal.util.unsafe.ConcurrentCircularArrayQueue: can't find referenced class sun.misc.Unsafe
...
Warning: there were 47 unresolved references to classes or interfaces.
Solution: Don't warn about classes unavailable on Android
-dontwarn sun.misc.Unsafe

View Slide

Problem 3
Adding a new library breaks build
Symptom: Build failure

View Slide

Problem 3
Adding a new library breaks build
Symptom: Build failure
Solution: Google
Should only happen with non-Android-specific libraries.
Android-specific Libraries can add a ProGuard configuration
that should be used.

View Slide

The Future
we are also working on R8, which is a Proguard replacement for
whole program miniﬁcation and optimization3
— James Lau, Product Manager
3 https://android-developers.googleblog.com/2017/08/next-generation-dex-compiler-now-in.html

View Slide

The Future
• D8 is a dexer that converts java byte code to dex code.
• R8 is a java program shrinking and miniﬁcation tool that
converts java byte code to optimized dex code.
• R8 is a Proguard replacement for whole-program
optimization, shrinking and miniﬁcation. R8 uses the
Proguard keep rule format for specifying the entry points for
an application.

View Slide

Questions?
Edward Dale
@scompt
Freeletics
https://www.freeletics.com

View Slide

Citations
• http://knowyourmeme.com/memes/yao-ming-face-bitch-
please

View Slide

ProGuard

ProGuard

Edward Dale

More Decks by Edward Dale

Other Decks in Technology

Featured

Transcript