ProGuard

Transcript

1. ProGuard Tomáš Kypta

2. ProGuard • free tool • shrinker, optimizer, obfuscator

3. ProGuard

4. Configuration

5. Configuration • Empty configuration? • You have to specify '-keep'

   options for the shrinking step.

6. Configuration • define entry points

7. Inputs & Outputs -injars -libraryjars -outjars

8. Keep rules -keep • keep class and class members -keepclassmembers

   • keep class members if their class is kept -keepclasseswithmembers • keep class with members if all the class members are present

9. Keep rules -keepnames • short for -keep,allowshrinking class_specification -keepclassmembernames -keepclasseswithmembernames

10. Keep Attributes • -keepattributes Signature • for generics (JDK 5.0

    and higher) • -keepattributes Exceptions • for exceptions

11. Keep Attributes -keepattributes *Annotation* *Annotation* = RuntimeVisibleAnnotations, RuntimeInvisibleAnnotations, RuntimeVisibleParameterAnnotations, RuntimeInvisibleParameterAnnotations,

    AnnotationDefault

12. Keep Attributes -keepattributes EnclosingMethod • specified the method in which

    the class was defined -keepattributes InnerClasses • if you have inner class that can be reference from outside of the library

13. Other -keepparameternames • keeps parameter names in LocalVariableTable and LocalVariableTypeTable

    • might be useful for IDEs

14. Keep Modifiers allowshrinking • Specifies whether the entry points specified

    in the keep tag may be shrunk. allowoptimization • Specifies whether the entry points specified in the keep tag may be optimized. allowobfuscation • Specifies whether the entry points specified in the keep tag may be obfuscated.

15. Output Files dump.txt • internal structure of code mapping.txt •

    obfuscation mapping seeds.txt • unobfuscated code usage.txt • stripped code

16. Notes & Warnings • Notes • -dontnote <filter> • Warnings

    • -dontwarn <filter>

17. Problems • Reflection!!! • missing attributes

18. ProGuard & Android

19. Output files • created in build/outputs/mapping

20. Gradle config

21. Gradle config buildTypes {
 release {
 minifyEnabled true
 proguardFiles getDefaultProguardFile('proguard-android.txt'),

    'proguard-rules.pro'
 }
 }

22. Gradle config buildTypes {
 debug {
 minifyEnabled true
 proguardFiles getDefaultProguardFile('proguard-android.txt'),

    ‘proguard-rules.pro’, ‘proguard-rules-debug.pro'
 } release {
 minifyEnabled true
 proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
 }
 }

23. Gradle config productFlavors { flavor1 {
 proguardFile ‘proguard-rules-flavor1.pro'
 }
 }

24. ProGuard & Android Libraries

25. Gradle config - library defaultConfig {
 consumerProguardFiles ‘proguard-rules-lib.pro’
 } •

    packed into aar • proguard.txt

26. Generated ProGuard config • build/intermediates/proguard-rules • components in AndroidManifest.xml •

    custom views in layouts • only when minifyEnabled true

27. Config merging -printconfiguration configuration.txt • merging is a bit stupid

    -keepattributes *Annotation*,SourceFile,LineNumberTable,Signature,Excepti ons,*Annotation*,Exceptions,*Annotation*,Exceptions,*Anno tation*,Signature,Exceptions,*Annotation*,Exceptions,Sign ature,*Annotation*,Signature,Exceptions,*Annotation*,Exce ptions,*Annotation*,Signature,Exceptions,*Annotation*,Sig nature,Signature,Exceptions,*Annotation*,Signature

28. Apk build • ProGuard output in apk build • build/intermediates/classes-

    proguard/{variant}/classes.jar

29. Deobfuscation • ReTrace • retrace.sh mapping.txt [<stacktrace_file>] • completeness depends

    on presence of line number tables • -keepattributes SourceFile,LineNumberTable • ambiguous without these attributes - it will list all possible original method names • -renamesourcefileattribute MyApp • resolve unknown source

30. Deobfuscation

31. Frequent library configs

32. Some library configs • Retrofit -dontwarn retrofit.** -keep class retrofit.**

    { *; } -keepattributes Signature -keepattributes Exceptions • ButterKnife -keep class butterknife.** { *; } -dontwarn butterknife.internal.** -keep class **$$ViewBinder { *; } -keepclasseswithmembernames class * { @butterknife.* <fields>; } -keepclasseswithmembernames class * { @butterknife.* <methods>; }

33. Some library configs • Otto -keepattributes *Annotation* -keepclassmembers class **

    { @com.squareup.otto.Subscribe public *; @com.squareup.otto.Produce public *; }

34. Some library configs • Dagger 2 • doesn’t require anything

    • Rx • dependency compile 'com.artemzin.rxjava:proguard- rules:1.0.14.2'

35. Tips, Tricks & Traps

36. Tips, Tricks & Traps • never use -dontwarn ** -dontnote

    **

37. Tips, Tricks & Traps • in library projects, in customerProguardFiles

    don’t use: • -printconfiguration configuration.txt • -dontobfuscate, -dontoptimize, … • -keepattributes SourceFile,LineNumberTable,LocalVariableTable,L ocalVariableTypeTable • declare the bare minimum

38. Tips, Tricks & Traps -applymapping <file> • reuse previous mapping

    -obfuscationdictionary <file> • custom dictionary • you can e.g. use Java keywords there (not that helpful)

39. Tips, Tricks & Traps -repackageclasses 'com.example.obfuscated' • in Java there

    can be a problem when class tries to load resource in the same directory

40. DexGuard • comercial • extra features • resource obfuscation •

    string encryption • class encryption • dex splitting • native code obfuscation

41. Links • http://proguard.sourceforge.net/ • https://www.guardsquare.com/dexguard

42. Q&A

43. THE END