Monday, 19 January 2015

Proguard android obfuscation

To protect your Android app against decompilation and analysis, it is highly recommended to obfuscate the APK file before deploying it to the Play Store. Proguard is the recommended tool for this job and is already included in the SDK.

Using Proguard with an Android application requires a special configuration. The JDC already contains an example for a simple Android app, but in combination with Roboguice dependency injection or Gson JSON serialization an extended configuration is required.

Roboguice

If you choose Roboguice for dependency injection in your Android app, I recommend using only the obfuscation functions of Proguard. Also make sure that the Roboguice classes are not obfuscated and that attributes are not changed. Try the following example configuration:

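# do not abort the build on warnings such as unresolved references
-ignorewarnings
# obfuscate only: do not remove unused classes and members
-dontshrink
# keep all Roboguice classes and their members under their original names
-keep class roboguice.** { *; }

# keep annotations, they are read at runtime for injection
-keepattributes *Annotation*
-keep public class roboguice.** { *; }

# Finalizer is looked up by name and startFinalizer is called via reflection
-keep class **.Finalizer
-keepclassmembers class ** { *** startFinalizer( ... ); }

# keep methods that take an *On*Event parameter (event observers)
-keepclassmembers class * {
  void *(**On*Event);
}

# keep all class file attributes (this includes the annotations kept above)
-keepattributes **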

GSON JSON serialization

Serialization of Java objects often causes problems in combination with obfuscation. To produce a consistent object serialization, the field names of objects and enumerations must be excluded from obfuscation.


One possibility is to use the @SerializedName annotation to set a static name for a field; this name is not affected by obfuscation.

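import com.google.gson.annotations.SerializedName;

class TestObject {

  // the JSON key stays "staticName" even if testField is renamed
  @SerializedName("staticName")
  private String testField;
}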

Another solution is to use a marker interface, e.g. GsonSerializable:

public interface GsonSerializable {}


Use this interface to mark classes and enumerations which should be serialized by Gson. The following Proguard configuration ensures that these objects are always serialized in the same way:

# keep GsonSerializable interface, it would be thrown away by proguard since it is empty
-keep class de.havre.copymeter.model.GsonSerializable

# member fields of serialized classes, including enums that implement this interface
-keepclassmembers class * implements de.havre.copymeter.model.GsonSerializable {
    <fields>;
}

# also keep names of these classes. not required, but just in case.
-keepnames class * implements de.havre.copymeter.model.GsonSerializable
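
A build-time check for the rules above, as an added example that is not part of the original post: it reads the mapping.txt written by Proguard and lists every field in the model package that was renamed and would therefore change its JSON key. The classes Reading, Tariff and MainActivity and the sample mapping are constructed, and it is an assumption that all Gson classes live under de.havre.copymeter.model.

```python
import re

# Class header in mapping.txt: "original.Name -> obfuscated.Name:"
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Field line: "    type fieldName -> newName"; method lines contain "(" and do not match
FIELD_RE = re.compile(r"^\s+(\S+) ([^\s(]+) -> (\S+)$")

# Constructed sample mapping; Reading, Tariff and MainActivity are hypothetical classes.
# Tariff lacks the GsonSerializable marker, so its fields were renamed.
SAMPLE = """\
de.havre.copymeter.model.GsonSerializable -> de.havre.copymeter.model.GsonSerializable:
de.havre.copymeter.model.Reading -> de.havre.copymeter.model.Reading:
    java.lang.String deviceId -> deviceId
    long counter -> counter
    1:2:void <init>() -> <init>
de.havre.copymeter.model.Tariff -> de.havre.copymeter.model.a:
    java.lang.String currency -> a
    double pricePerPage -> b
    3:5:double total(long) -> a
de.havre.copymeter.ui.MainActivity -> de.havre.copymeter.ui.MainActivity:
    android.widget.TextView label -> a
"""


def renamed_fields(mapping_text, package_prefix):
    """Return (class, field, new_name) for each renamed field of the classes
    whose original name starts with package_prefix."""
    findings = []
    current = None  # original name of the class being read, if it is in scope
    for line in mapping_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        header = CLASS_RE.match(line)
        if header:
            name = header.group(1)
            current = name if name.startswith(package_prefix) else None
            continue
        field = FIELD_RE.match(line)
        if current and field and field.group(2) != field.group(3):
            findings.append((current, field.group(2), field.group(3)))
    return findings


if __name__ == "__main__":
    for cls, field, new in renamed_fields(SAMPLE, "de.havre.copymeter.model."):
        print(f"{cls}.{field} is renamed to '{new}': the JSON key will change")
```

Fields that carry @SerializedName may be renamed safely and are still listed, because mapping.txt does not record annotations.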

Links

https://sites.google.com/site/gson/
https://github.com/roboguice/roboguice/
http://proguard.sourceforge.net/