Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Android Obfuscation for code as well as resources

Tags:

android

android-manifest

decompiling

obfuscation

resource-files

Google recommends and packs in ProGuard for code obfuscation. However the default configuration that it comes with seems minimal and one can reverse engineer to certain extent. Most people looking to reverse engineer are not really looking for detail code, but may be extract the logic. Are there any guidelines so as to configure ProGuard more efficiently ?(Something to the extent Javascript is minimized would be good.)

Secondly, there are tools like apktool that enable extracting the Manifest as well as the resource files. And there is no level of obfuscation in them. These can certainly reveal few things. Are there any ways to avoid this from happening ?

like image 279
advantej Avatar asked Apr 14 '11 16:04

advantej

2 Answers

For the first part, I suggest you to check this question: Android Game Keeps Getting Hacked . It does not address directly ProGuard, but it does give you some ideas on how to reduce pirating.

For the second part, I'm afraid no, it's not really possible, since those are plain xml files. What you can do is to reduce the use of resources and create the logic directly in java. That will reduce the exposure of your code in three ways:

(1) the obvious, it shows less easy-to-read xml code

(2) it creates much longer smali files, which are not easy to follow to begin with: consider that the variables in the smali file do not have names, but numbers, and are reused several times, thus making them even harder to understand. V1 can be a TextView first, and then an int, and then a private static method.

(3) it reduces the use of hex IDs that are very easily searchable on the smali file using the table from public.xml.

When I was porting the TouchWiz framework to some custom ROMs, I even made a small java app to automate the ID recognition (the xda-developers post is here), so you can imagin how easy is to follow them.

like image 72
Aleadam Avatar answered Sep 18 '22 21:09

Aleadam

You can now use a new gradle plugin + library to effectively obfuscate Strings in a class, Please check it here

https://github.com/MichaelRocks/paranoid

Also now there is a new plugin which can obfuscate resources also, please check it below

https://github.com/shwenzhang/AndResGuard

And help share this great information, so more developers can use it and thus more and more developers will contribute for further development of these plugins, and thus we can collectively improve these plugins.

like image 44
Vaishakh Avatar answered Sep 19 '22 21:09

Vaishakh
Sign in to Comment

Related questions

SAXParser fails to parse some characters
Unable to retrieve intent's extras
Error Message-The source attachment does not contain the source for the file ListView.class
Android exception in dalvikvm
Widget onUpdate() is not called when Android home screen rotates
disable the notification of sms in android [duplicate]
Is it possible set a hint for android buttons?
Show affordance/hover/tooltip on a long-clicked View
My Android App shows as "this item is not compatible with your device"
Latest ant in Fedora 14 is 1.7 but I need ant 1.8
imap_fetchbody - Encoded body error
How do I return an image from OpenCV and display it in Android Java code?
Controlling Tab colour-state / size in a TabActivity?
org.w3c.dom.Document to String without javax.xml.transform
Has anyone implemented (or got more info) on Android SyncObserver
Block outgoing SMS by contentObserver
How can I fix this fatal exception?
Where to store password?
Android, delete files in my data directory?
Why can't I get an HPROF dump from certain devices?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!