Android Code Obfuscation

What is code obfuscation

Java is a cross-platform, interpreted language in which Java source code is compiled into an intermediate "bytecode" stored in a class file. Because of the cross-platform requirements, Java bytecode contains a lot of source code information, such as variable name, method name, and through these names to access variables and methods, these symbols with a lot of semantic information, it is easy to decompile the Java source code. To prevent this, we can use Java obfuscation to confuse Java bytecode.

Confusion is the re-organization and processing of the published program, so that the processed code and the pre-processing code to complete the same function.

The confusing code is hard to decompile, and even if it succeeds, it is difficult to derive the true semantics of the program.

The obfuscated program code, still in accordance with the original file format and instruction set, the execution result is the same as before, but the confusion of all the variables, functions, classes in the code to the name of the short English letter code, in the absence of the corresponding function name and program comments, even if it is anti-compilation, it will be difficult to read.

At the same time, confusion is irreversible, in the process of confusion, some information that does not affect the normal operation will be lost permanently, the loss of this information makes the program more difficult to understand.

The role of the obfuscation is not only to protect the code, it also has the function of simplifying the size of the compiled program.

Because of the shortened variables and function names described above, and the reasons for missing some information, the size of the jar file can be reduced by approximately 25%, which makes sense for the current cost of the wireless network transmission is more expensive.

confusing file proguard.cfg parameters  

2. # Specify the compression level of the Code
4. -optimizationpasses 5
8. # Whether to use case blending
10. -dontusemixedcaseclassnames
14. # whether to confuse third-party jars
16. -dontskipnonpubliclibraryclasses
20. # whether to do pre-calibration when confusing
22. -dontpreverify
26. # whether the log is logged when confused
28. -verbose
32. # algorithms used in obfuscation
34. -optimizations!code/simplification/arithmetic,!field/*,!class/merging/*
38. # Keep What classes are not confused
40. -keep public class * extends Android.app.Activity
42. -keep public class * extends Android.app.Application
44. -keep public class * extends Android.app.Service
46. -keep public class * extends Android.content.BroadcastReceiver
48. -keep public class * extends Android.content.ContentProvider
50. -keep public class * extends Android.app.backup.BackupAgentHelper
52. -keep public class * extends Android.preference.Preference
54. -keep public class Com.android.vending.licensing.ILicensingService
58. # Keep The native method not to be confused
60. -keepclasseswithmembernames class * {native <methods>;}
64. # Keep your custom control classes from being confused
66. -keepclasseswithmembers class * {
68. Public <init> (Android.content.Context, Android.util.AttributeSet);
70. }
74. # Keep your custom control classes from being confused
76. -keepclasseswithmembers class * {
78. Public <init> (Android.content.Context, Android.util.AttributeSet, int.);
80. }
84. # Keep your custom control classes from being confused
86. -keepclassmembers class * extends Android.app.Activity {
88. public void * (Android.view.View);
90. }
94. # keep Enum enum class not to be confused
96. -keepclassmembers enum * {
98. public static **[] values ();
100. public static * * VALUEOF (java.lang.String);
102. }
106. # Keep Parcelable not be confused
108. -keep class * Implements Android.os.Parcelable {
110. public static final Android.os.parcelable$creator *;
112. }
116. # Keep your defined classes from being confused
118. -keep class MyClass;

Note (I test income): 1. When you use this type of configuration, and then export the APK, there will often be many red warning prompts, at this time, use-ignorewarnings ignore the hint.

2. The normal export is successful, but can not run, by looking at the log, find out which class reference error, such as the following error message

2. E/androidruntime (19866): FATAL exception:thread-103
4. E/androidruntime (19866): Java.lang.ExceptionInInitializerError
6. E/androidruntime (19866): at COM.A.A.A.B.B.A (Unknown Source)
8. E/androidruntime (19866): at Tv.hisense.android.mps.service.ay.run (Unknown Source)
10. E/androidruntime (19866): caused by:b.a.a.c.b:the chosen logfactory implementation does not extend Logfactory.
12. Please check your configuration.
14. (Caused by java.lang.ClassCastException:
16. The application has specified, a custom logfactory implementation should is used but Class
18. Org.apache.commons.logging.impl.LogFactoryImpl cannot is converted to ' b.a.a.c.c '.
20. Please check the custom implementation.
22. Help can be found @http://commons.apache.org/logging/troubleshooting.html.)
24. E/androidruntime (19866): at B.A.A.C.C.A (Unknown Source)
26. E/androidruntime (19866): at B.a.a.c.e.run (Unknown Source)
28. E/androidruntime (19866): at Java.security.AccessController.doPrivileged (accesscontroller.java:45)
30. E/androidruntime (19866): at B.A.A.C.C.A (Unknown Source)
32. E/androidruntime (19866): at B.A.A.C.C.A (Unknown Source)
34. E/androidruntime (19866): at B.a.a.c.c.b (Unknown Source)
36. E/androidruntime (19866): at b.a.a.b.p.<clinit> (Unknown Source)
38. E/androidruntime (19866): ... 2 more

The above information indicates that
Org.apache.commons.logging.impl.LogFactoryImpl
class reference error, find the jar package where this class resides, resolve this issue by following three sentences  

1. -libraryjars Libs/commons-logging-1.1.1.jar #忽略jar包
2. -dontwarn org.apache.** #不警告此包
3. -keep class org.apache.** {*;} #保留此包下代码不进行混淆

Keep in mind that it is important to determine which jar packages are ignored and which classes are kept based on the log information, and the packages that do not go wrong are not ignored and retained, otherwise they may produce outofmemoryerror

Method of code obfuscation

Depending on the version of the SDK, there are 2 different code obfuscation, the above proguard.cfg parameter in the details of the information is in the lower version of the SDK under the confusion of the script, in fact, in the high version of the SDK confusing principle and parameters are similar to the lower version, There is a difference in the way that confusing scripts are introduced in different SDK versions. Here's how:

• Under the low version SDK, the project contains both the proguard.cfg and project.properties files, you only need to add proguard.config= at the end of the project.properties file. Proguard.cfg to export the project again.
• under the high-version SDK, the project contains both Proguard-project.txt and project.properties files, In this case, you need to configure the following information in the Proguard-project.txt file, and then export the project. The following is a demonstration of a real file.  

2. # This file was automatically generated by Android Tools.
4. # Do not modify the this file--YOUR changes'll be erased!
6. #
8. # This file must is checked in Version Control Systems.
10. #
12. # to customize properties used by the Ant build system edit
14. # "Ant.properties", and override values to adapt the script to your
16. # project structure.
18. #
20. # to enable Proguard to shrink and obfuscate your code, uncomment this (available Properties:sdk.dir, user.home):
22. #proguard. Config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
26. Proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
30. # You can also use a configuration file within a project
32. # Proguard.config=proguard-project.txt
36. # Project Target.
38. target=android-

The configuration information above is the contents of the Project.Properties file, and the blue text is the configuration information we need to add during the code obfuscation, where: Sdk.dir is your installation path to the SDK on the current machine. If you want to keep the files under a package from being confused, you can include a statement that retains the corresponding package name in the Proguard-project.txt file.

Android Code Obfuscation