Cordova android 5.1.1 APK obfuscation with proguard confusion

Question

With tools like dex2jar and jdgui2 it is very easy to inspect the contents of the APK.

We are trying to use Proguard in our Cordova project to "protect" a few classes that contain information we want to keep secret (Mainly keys to decrypt some content we try to protect for our client).

We cannot get it right. The app crashes, or it isn't obfuscated.

We added to our build.gradle :

buildTypes {
   release {
      signingConfig signingConfigs.release
      minifyEnabled true
      proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
           }
}

Our proguard.pro contains:

-keep class !com.smartmobilesoftware.** ( *; }

smartmobilesoftware is an inAppPurchases plugin.

In that package we modified a few classes, which works great without proguard.

I found the following "Proguard support missing": https://issues.apache.org/jira/browse/CB-9269

Here Joe Bowser claims the following: "OK, you shouldn't use ProGuard with Cordova, or at least, there's no good reason to use it, since you can't use it with minifyEnabled, which is what actually makes ProGuard work properly. Since Cordova uses Reflection all over the place, this is a good way to blow up Cordova without a proguard-rules.pro file."

We tried to avoid that issue by telling proguard that ALL classes should be left intact except the ones in the com.smartmobilesoftware (-keep class !com.smartmobilesoftware.** ( *; })

I am not sure if this is a problem witih our code (but the code works fine without proguard), the plugin, or proguard itself.

We do not see any meaningful errors.

We released apps before built with Cordova 2.2.0, which used ANT and proguard and another plugin, which worked fine. So we wonder if Cordove is changed in respect to proguard.

Can anybody maybe shed some light on this issue?

Answer 1

It looks like the code in package com.smartmobilesoftware implements a Cordova plugin. In this case you need to keep at least a few more classes, otherwise Cordova will not properly find them at runtime (for a recent Cordova release):

-keep class * extends org.apache.cordova.CordovaPlugin

Answer 2

Cordova application will crash after obfuscation because of the main activity and cordova classes will get obfuscate. So at runtime failed to create the webview and application will crash.

To resolve this you have to add :

-keep class org.apache.cordova.** {
    *;
}

-keep public class * extends org.apache.cordova.CordovaPlugin