Mobile applications today are exposed to a range of security threats, compelling developers to adopt security best practices to thwart attacks. Less than half of the financial apps in the Android Marketplace are reported to have proper security measures in place, which leaves apps vulnerable to IP theft, app clones, sensitive data loss and reputational damage, among others. App performance is another factor to take into account: removing unnecessary code and resources from an application yields an app that is smaller and faster. Code obfuscation matters most for closed-source applications, because the APK of every app published on a public store can be downloaded and decompiled by anyone, and obfuscation is what stands between the attacker and readable logic.
There are several tools for Android Studio that facilitate code obfuscation, such as ProGuard and DexGuard. This article sheds light on ProGuard, an open-source Java shrinker, optimizer and obfuscator. By the end of it, you will know what ProGuard does, how to enable it and where its limits lie.
ProGuard serves three main functions: shrinking, optimization and obfuscation. It is a free tool that can shrink, optimize, obfuscate and preverify Java class files. ProGuard is used in Android applications as well as large Java applications and libraries. It makes reverse engineering more time-consuming; it does not make it impossible.
Android applications are easy targets for reverse engineering, which makes it essential for developers to deploy ProGuard (or an equivalent shrinker) as a basic security measure. ProGuard ships with the Android SDK and guards your app's codebase with minimal configuration. Since Android Gradle Plugin 3.4 the default shrinker is R8, which reads the same ProGuard rule files, so the configuration described below applies to both.
It is important to note that ProGuard is a basic security tool and should not be viewed as a comprehensive, multi-layered approach to security. Safely removing unused code and reducing application size is the notable feature of this command-line tool.
Features of ProGuard
ProGuard reduces app size and optimizes applications through a variety of techniques. Shrinking, optimization, obfuscation and preverification are its four processing steps; together they hinder reverse engineering attempts, reduce app size and improve app performance to some extent. Let's understand each of these in detail.
Shrinking refers to reducing the size of the APK. ProGuard detects unused variables, methods and classes and removes them from both the application and its libraries. Shrinking happens in two phases:
- Code shrinking: removing unused variables, methods, classes and attributes from the application and its library dependencies.
- Resource shrinking: removing unused resource files from the application and its library dependencies (in an Android build this is a separate step that only runs when code shrinking is enabled).
Optimization refers to optimizing the bytecode. Redundant instructions in a small window of the generated code are eliminated through peephole optimization. Duplicate code is removed at this stage, and instructions that can be replaced with shorter equivalents are identified and replaced. Methods may be inlined and classes merged.
Obfuscation is the process of making the code hard to read. After unused code has been removed, the remaining classes, fields and methods are renamed to short, meaningless names such as a, b and c. A third party who decompiles the app can still see the program's logic, but the original names that revealed the intent of each code segment are gone.
Preverification refers to inserting preverification information (StackMap attributes) into class files for certain Java versions (Java 6 or Java Micro Edition) so that the class loader can take advantage of faster class loading. Android's Dalvik and ART runtimes do not use this step.
How to Enable ProGuard?
ProGuard protects the application with minimal configuration. It is open-source software and is meant for release builds. Here are a few pointers on how ProGuard is enabled in an Android Studio project:
- Use the minifyEnabled property in the module's build.gradle file to enable or disable ProGuard per build type.
- Avoid enabling ProGuard for debug builds: breakpoints, stack traces and the debugger all become much harder to use once names are obfuscated.
- To activate ProGuard, set minifyEnabled to true in the release build type.
- minifyEnabled only governs the build type in which it appears, so the release and debug blocks are configured independently.
- The default ProGuard settings ship with the Android SDK tools and are referenced with getDefaultProguardFile('proguard-android.txt').
- For ProGuard optimization, choose the proguard-android-optimize.txt configuration file rather than proguard-android.txt; the latter keeps optimization turned off.
- You can also add custom ProGuard rules. Android Studio provides a proguard-rules.pro file at the root of the module for this purpose.
- ProGuard rules (for example -keep rules) determine which code is excluded from the obfuscation, optimization and shrinking process, typically classes that are accessed by reflection, referenced from the AndroidManifest or serialised by name.
For detailed information on enabling ProGuard, have a look at this link
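The following build configuration puts the pointers above together. It is an added example written for this article and not taken from the ProGuard project or the Android documentation; the module name app, the package com.example.app and the reflection-accessed com.example.app.model classes are assumptions for illustration.

```groovy
// app/build.gradle (Android Gradle Plugin, Groovy DSL). Added example; the
// module name, package and model classes are illustrative assumptions.
android {
    buildTypes {
        release {
            // minifyEnabled turns on code shrinking and obfuscation
            // (ProGuard, or R8 on AGP 3.4 and later; both read the same rules).
            minifyEnabled true
            // shrinkResources removes resources that are no longer referenced
            // after code shrinking; it has no effect unless minifyEnabled is true.
            shrinkResources true
            // proguard-android-optimize.txt enables the optimization passes that
            // proguard-android.txt leaves disabled; proguard-rules.pro holds the
            // module's own -keep rules (see the usage note below).
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                          'proguard-rules.pro'
        }
        debug {
            // Keep the debug build unobfuscated so breakpoints and stack traces
            // stay readable; never test a ProGuard configuration only in debug.
            minifyEnabled false
        }
    }
}
```

The matching proguard-rules.pro for this assumed project would hold three kinds of rules: `-keepattributes SourceFile,LineNumberTable` together with `-renamesourcefileattribute SourceFile`, so that release stack traces keep line numbers and can be mapped back to source with the mapping file; `-keep class com.example.app.model.** { *; }` for the classes that are looked up by reflection and would otherwise be renamed or removed; and, if you want logging stripped from release bytecode without touching the source, `-assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }`. After a release build the name mapping is written to app/build/outputs/mapping/release/mapping.txt; archive it with every shipped version, because it is the only way to read that version's crash reports.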
Benefits of Implementing ProGuard
ProGuard is an open-source command-line tool that is highly recommended for Android applications. It decreases the readability of the compiled code, which raises the cost of attacking the application, and it shrinks applications to deliver a compact package. Listed below are the major benefits of using ProGuard in your applications.
ProGuard has a simple, template-based configuration compared with other Java obfuscators, which is one of its biggest advantages. You can either use a few intuitive command-line options or a plain configuration file to drive it.
Protection Against Static Analysis
Attackers use static analysis to recover the source of an application: a decompiler turns the APK's bytecode back into Java-like code whose structure and control flow can be studied without ever running the app. ProGuard cannot stop a decompiler from producing output, but what it produces has meaningless names and no unused code, which makes understanding it considerably slower.
Reverse Engineering is Tougher
By applying appropriate ProGuard rules, reverse engineering can be made more difficult. ProGuard shrinks the code and obfuscates it with obscure names. If attackers succeed in understanding the application, critical data such as API endpoints, keys embedded in the code and business logic can be leaked and abused, and ProGuard's obfuscation is a deterrent to that effort.
Increases Efficiency of Applications
The codebase of an application is made more efficient with ProGuard. Its optimization step improves performance, and its shrinking step removes the unnecessary parts of the application, so apps with ProGuard enabled are comparatively faster and lighter.
Lists Dead Code
ProGuard identifies dead code that your application no longer uses and removes it from the compiled output. The source code itself is not modified; consult the usage report (the -printusage option) to see what was dropped.
Reduces Size of the Applications
Using ProGuard results in smaller APK and AAB files. ProGuard can reduce application size by anywhere from 20% to 90%, depending on how much unused code the app and its libraries carry. It discards unused code and resources from your application and its library dependencies, resulting in a compact package with a smaller memory footprint.
Another benefit of ProGuard is speed: it can process several megabytes of class files in a matter of seconds. It also provides an optional graphical user interface and plugins for Ant and the J2ME Wireless Toolkit.
Drawbacks of ProGuard
Though ProGuard offers multiple benefits, there are certain drawbacks or limitations that one must be aware of. ProGuard may be a great start to mobile app security but it should be applied in conjunction with other security measures. Depending solely on ProGuard is not recommended. Let’s have a look at some of the drawbacks of ProGuard in this section.
- A misconfiguration can crash the application at runtime, typically because a class reached by reflection or referenced from the manifest was renamed or removed; such failures appear only in release builds
- Release builds therefore need additional testing with ProGuard enabled
- Obfuscated class and method names make stack traces hard to read. Keep the mapping.txt that ProGuard writes for every release build and use the ReTrace tool shipped with ProGuard to map crash reports back to the original names; without the mapping file for that exact build, the stack trace cannot be recovered
- Applying ProGuard doesn't mean your application is inaccessible to attackers. Parts of your application may still be vulnerable to attack
- ProGuard optimizes Java bytecode and is a generic optimizer, not a tool designed exclusively to protect Android applications
- ProGuard only raises the cost of static analysis. It does nothing against dynamic analysis at runtime, such as attaching a debugger or hooking methods with an instrumentation framework
- ProGuard renames classes, fields and methods but does not obfuscate arithmetic and logical expressions, control flow or string constants; a decompiler still shows the program's logic and its literals
- Bytecode is the only thing ProGuard processes. Its functionality doesn't extend to native libraries, resources, assets or the manifest
- ProGuard versions before 4.5 skipped private and package-visible library classes while reading library jars, which is why -dontskipnonpubliclibraryclasses was recommended; current versions read them by default, and -dontskipnonpubliclibraryclassmembers may still be needed when such members are referenced
- You may have to disable optimization with the -dontoptimize option in some cases, for instance when an optimization pass breaks a library that relies on a particular bytecode shape
Most developers use ProGuard for its obfuscation capabilities, but its benefits aren't restricted to security. ProGuard can reduce app size to a great extent. It discards unused code and renames classes and their members to short, meaningless names.
Enabling ProGuard leads to a slimmer and more optimized application. Along with removing unused code, the Android build removes resources that are no longer referenced. ProGuard doesn't require additional dependencies. It can shorten identifiers, merge classes, inline methods and eliminate unnecessary parameters. Without changing the source code, it can also eliminate logging code when told that the logging calls have no side effects.
Once attackers succeed in reverse engineering an app, they can learn about back-end servers and ciphers and modify the code. ProGuard provides basic protection against static analysis. It doesn't guarantee protection, but it discourages attackers by making the application tougher to reverse engineer.
Appsealing is a next-generation application security solutions provider that enables app protection with zero coding. From gaming applications to Fintech apps that deal with highly confidential data, it helps add runtime security features to secure, optimize and encrypt manifest files, native libraries, resources, resource files, and asset files in the apps. With robust security solutions that don’t compromise your app performance, your business can easily win a competitive edge in the app market. Contact our team today to safeguard your iOS, Android and hybrid applications against data theft, manipulation and their subsequent consequences.