Protected Android IDs in R.java

Question

For those of use who have spent any amount of time in the Android source code, it's not news that the IDs generated in the android.R class do not 1:1 reflect the actual resources found in the res/ directories of the supplied JAR. Many of the drawables/styles/layouts are not "public" and accessible to applications by referencing android.R.xxx.

My question is does anyone know the mechanism by which Android is able to generate an R.java class that differs from the actual resource graph? Secondarily, is it a mechanism (using build rules, etc.) that we as developers could leverage to partially protect the ids that get made public in applications used as libraries?

Thanks in advance!

Answer 1

Android packages resources using aapt, and generates the R file using this tool during the build process. In this step, XML files are compiled to binary and other resources are just packaged as they are. You can open up a .apk file as a zip archive and access all the resource files as is. Library projects simply contain source files and resources that are added into the project at compile time, so they would exist somehow in the .apk file. Probably the layouts are not 1:1 because the XML is already compiled for the library project. There is probably a way you could use aapt to remove the files from the library project from being included at build time, but then they wouldn't be accessible in your project. There also might be a way to obfuscate your resource names at compile time using aapt and ant, but then that doesn't stop them from being able to access them.

I'm not sure why you would want to want an R.java class that differs from the actual resource graph. Either don't include those resources at build time or they are going to be in the apk. Your layouts are compressed as binary files in the output, so I'm not sure how easy they are to decompile or reuse in another project.

What is the endgame here? If it is to protect your resources, it will be hard. Android is extremely insecure if someone has the ability to root their phone. If you want to protect your IP, which I'm assuming is the endgame here, I would try and compile my project into an apk and see if I can decompile or extract the critical resources from the apk. Maybe try some obfuscation, but again, I don't know enough about the compiled XML files to know if they get obfuscated enough to not be easily decompiled.

Someone feel free to correct me if I'm wrong, but this is just my 2 cents.