Proguard not obfuscating Android apps

According to this link: http://developer.android.com/guide/developing/tools/proguard.html, they state:

ProGuard makes your application harder to reverse engineer, it is important that you use it when your application utilizes features that are sensitive to security like when you are Licensing Your Applications.

But that's not true! I'm using the newest Proguard (4.7) included in ADT 17 preview 4. I use proguard while exporting my app by adding

proguard.config=proguard-android.txt

into my project.properties (proguard-android.txt is just the default setup included in ADT 17).

But I can easily reverse engineer my apk, returning it to its original code using these steps:

  1. Use apk-tool to extract the apk.

  2. Use smali to convert the .smali files into a .dex (you point smali to the folder containing the .smali files, normally inside /src/com/[companyname]/[appname])

  3. Use dex2jar to convert the resulting .dex file into a .jar

  4. Use jd-gui to view the resulting .jar file

So my question is: am I doing something wrong? Or is proguard just completely useless at obfuscating code?

asked Nov 14 '22 08:11

Logan McNaughton


1 Answer

If you're using the android.support.* compatibility libraries, this can be the root of the problem. Add the following lines to your proguard config file:

-dontwarn android.support.**
-keep class android.support.** { *; }

The easiest way to diagnose proguard issues is to build the app with Apache Ant. You'll see all warnings and errors in stderr.

This is applicable to all libraries that use dynamic class loading, reflection and multiple implementations of the same class depending on the API version.

answered Nov 16 '22 03:11

Dmitry
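
One way to check whether ProGuard renamed anything, and what a `-keep` rule like the one in the answer leaves readable, added here as an example (not code from the question or the answer): it parses the `mapping.txt` that ProGuard writes via `-printmapping` and reports classes and members whose names survived. The sample mapping and the `com.example.app` names are constructed, and the function names are illustrative.

```python
import re

# Constructed sample in ProGuard's mapping.txt format (not from the original post).
SAMPLE_MAPPING = """\
com.example.app.MainActivity -> com.example.app.MainActivity:
    android.widget.TextView label -> a
    void onCreate(android.os.Bundle) -> onCreate
    1:3:void refresh() -> a
com.example.app.LicenseChecker -> com.example.app.a:
    java.lang.String key -> a
    boolean verify(java.lang.String) -> a
android.support.v4.app.Fragment -> android.support.v4.app.Fragment:
    int mState -> mState
    void onAttach(android.app.Activity) -> onAttach
"""

# "original.Class -> obfuscated.Class:" starts a class section.
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Indented "[lines:]type name[(args)][:lines] -> newname" describes a field or method.
MEMBER_RE = re.compile(r"^\s+(?:\d+:\d+:)?\S+ ([^\s(]+)(?:\(.*\))?(?::\d+:\d+)? -> (\S+)$")

def audit_mapping(text):
    """Return {class: {"renamed": bool, "members": n, "kept_members": n}}."""
    report, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comment headers
        m = CLASS_RE.match(line)
        if m:
            current = report.setdefault(m.group(1), {
                "renamed": m.group(1) != m.group(2), "members": 0, "kept_members": 0})
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current["members"] += 1
            current["kept_members"] += m.group(1) == m.group(2)
    return report

def unobfuscated_classes(report, prefix=""):
    """Classes under `prefix` whose original name is still in the APK."""
    return sorted(c for c, r in report.items()
                  if c.startswith(prefix) and not r["renamed"])

if __name__ == "__main__":
    rep = audit_mapping(SAMPLE_MAPPING)
    for name in unobfuscated_classes(rep):
        print(f"kept: {name} ({rep[name]['kept_members']}/{rep[name]['members']} members kept)")
```

If no `mapping.txt` is produced for a release export, ProGuard did not run at all, which is a different problem from keep rules being too broad.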