Android MinifyEnabled, Obfuscation and Shrink
Hello there,
One of the issues we should be aware of when developing an Android application is code security, as well as the size of the project we create. By decompiling our project with third-party tools, intruders can clone it or, by getting hold of the REST services it calls, listen to and manipulate the outgoing requests. In today's topic, we will learn how to ensure code reliability and how to delete unused resources in our project, reducing its size as much as possible.
For starters, we can use ProGuard. ProGuard is a tool that helps us shrink, obfuscate and optimize our code. It can be enabled with the minifyEnabled option for the release or debug build types. If we want ProGuard enabled by default, we can add the following lines to the app's build.gradle file.
android {
    buildTypes {
        dev {
            minifyEnabled true // enables ProGuard
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}
** The minifyEnabled property does not work when Instant Run is on
By default, if you run ProGuard this way, the code is shrunk, but the obfuscation process is still incomplete, meaning our code is not yet fully secure.
The Android SDK comes with ProGuard built in, and the default settings are specified in proguard-android.txt. The proguard-rules.pro file is the file you need to configure.
shrinkResources:
Reduces application size by removing unused alternative resources (images, XML, and so on) and combining duplicate resources.
android {
    ...
    buildTypes {
        release {
            shrinkResources true
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}
Obfuscation options
-keep:
The various -keep options for shrinking and obfuscation may seem a bit confusing at first, but there's actually a pattern behind them. The following table summarizes how they are related:
-dontobfuscate
Specifies not to obfuscate the input class files. By default, ProGuard obfuscates the code: it assigns new short random names to classes and class members. It removes internal attributes that are only useful for debugging, such as source file names, variable names, and line numbers.
-dontshrink
Specifies not to shrink the input. By default, ProGuard shrinks the code: it removes all unused classes and class members. It only keeps the ones listed by the various -keep options, and the ones on which they depend, directly or indirectly. It also applies a shrinking step after each optimization step, since some optimizations may open up the possibility to remove more classes and class members.
Common Proguard Usages
These options shrink, optimize, and obfuscate the single Android activity com.example.MyActivity:
-keep public class com.example.MyActivity
If you're using Google's optional License Verification Library, you can obfuscate its code along with your own code. You do have to preserve its ILicensingService interface for the library to work:
-keep public interface com.android.vending.licensing.ILicensingService
If you're using the Android Compatibility library, you should add the following line to let ProGuard know it's OK that the library references some classes that are not available in all versions of the API:
-dontwarn android.support.**
These options shrink, optimize, and obfuscate serialization code:
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private static final java.io.ObjectStreamField[] serialPersistentFields;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}
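To check what rules like the ones above actually left readable, the script below (an added example, not part of the original post) parses the mapping.txt file that ProGuard writes for a minified build and lists every class and member whose name was not renamed. The sample mapping, the ApiClient and User classes and the function name are constructed for illustration.

```python
# Added example: audit a ProGuard mapping file for names that were NOT renamed.
# SAMPLE_MAPPING is constructed for illustration, not taken from a real build.
SAMPLE_MAPPING = """\
# constructed sample in mapping.txt format
com.example.MyActivity -> com.example.MyActivity:
    android.widget.TextView title -> a
    1:4:void onCreate(android.os.Bundle) -> onCreate
    5:9:void loadProfile() -> b
com.example.net.ApiClient -> a.a.b:
    java.lang.String baseUrl -> a
    1:3:java.lang.String signRequest(java.lang.String) -> a
com.example.model.User -> a.a.c:
    long serialVersionUID -> serialVersionUID
    java.lang.String name -> a
"""


def unobfuscated_names(mapping_text):
    """Return (kept_classes, kept_members) for names identical before and after.

    kept_members maps the ORIGINAL class name to members whose names survived.
    """
    kept_classes, kept_members = [], {}
    current = None
    for line in mapping_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        left, arrow, right = line.partition(" -> ")
        if not arrow:
            continue  # not a mapping entry
        if not line[0].isspace():
            # Class entry: "original.Name -> new.Name:"
            current = left.strip()
            if current == right.strip().rstrip(":"):
                kept_classes.append(current)
        elif current is not None:
            # Member entry: "[lines:]type name[(args)] -> newName"
            name = left.split()[-1].split("(")[0]
            if name == right.strip():
                kept_members.setdefault(current, []).append(name)
    return kept_classes, kept_members


if __name__ == "__main__":
    classes, members = unobfuscated_names(SAMPLE_MAPPING)
    print("classes kept:", classes)
    for cls, names in members.items():
        print(cls, "->", names)
```

Reviewing this list after each release build shows whether a broad -keep rule is exposing more class and method names than intended.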
Auxiliary resources