Mobile applications today are susceptible to a range of security threats compelling developers to adopt security best practices to thwart attacks. Less than 50% of the financial apps on the Android Marketplace have proper security measures installed. This means apps are vulnerable to a variety of threats including IP theft, app clones, sensitive data loss and reputational damage among others. App performance is another important factor to be taken into account. Removing unnecessary codes and elements from applications can yield apps that are smaller and faster. Code obfuscation is critical for open-source applications.
There are several tools for Android Studio that facilitate code obfuscation such as ProGuard and DexGuard. This article sheds light on ProGuard, one of the open-source obfuscators in Java that can shrink, optimize and obfuscate apps. By the end of it, you’ll learn everything you need to know about ProGuard.
ProGuard
ProGuard serves three main functions: Shrinking, optimization and obfuscation. It is a free tool that can shrink, optimize, obfuscate and preverify Java class files. ProGuard is used in Android applications as well as large Java applications and libraries. It makes reverse engineering difficult, if not impossible.
Android applications are easy targets for reverse engineering which makes it absolutely essential for developers to deploy ProGuard as a basic security measure. A built-in tool in the SDK, ProGuard is an effective way to guard your app’s codebase with minimal configurations.
It is important to note that ProGuard is a basic security tool and should not be viewed as a comprehensive and multi-layered approach towards security. ProGuard safely removes unused variables and reduces the application size which is a notable feature of this command-line tool.
Features of ProGuard
ProGuard is critical to reduce app size and optimize the applications. It achieves these through a variety of techniques. Shrinking, optimization, obfuscation and preverification are important features of ProGuard that block reverse engineering attempts, reduce app size and enhance app performance to some extent. Let’s understand each of these in detail.
Shrinking
Shrinking refers to reducing the size of APKs. ProGuard enables detection of unused variables, methods, and classes. Unused codes are removed both from application and the libraries. Shrinking is achieved through two phases:
- Code shrinking – Removing unused variables, methods, classes and attributes from the application and its library dependencies refers to code shrinking
- Resource shrinking : Removing unused resource files from the application and its library dependencies refer to resource shrinking.
Optimization
Optimization refers to optimizing the bytecode. Unused instructions can negatively influence app performance. Redundant instructions in a small segment of the generated code are eliminated through peephole optimization techniques. Duplicate code is removed at this stage and instructions that can be replaced with shorter instructions are identified and removed.
Obfuscation
Obfuscation is the process of making the code unintelligible to read. A third party who has gained unauthorized access won’t be able to make sense of the code. After removing unused codes, the remaining classes, fields, and methods are renamed using random characters. Obfuscation is employed to hide the original intent of code segments from hackers.
Preverification
Pre-verification refers to inserting pre-verification information to class files for certain Java versions (Java 6 or Java Micro Edition) to take maximum advantage of faster class loading.
How to Enable ProGuard?
To enable ProGuard for obfuscation in an Android app, you need to follow these steps:
Step #1: Add the Proguard rules file to your project:
A Proguard rules file is a text file that contains a set of rules that instruct the Proguard tool how to obfuscate, optimize, and shrink the code of an Android app during the build process
The rules file specifies which classes, methods, and fields should be kept, renamed, or removed in the final APK. It also defines exceptions to the obfuscation and optimization process, such as classes and methods that should not be modified.
Create Proguard rules file in your project’s “app” directory with the name “proguard-rules.pro”. This file should contain the rules for obfuscating and optimizing your code.
However, without fully testing ProGuard on your development builds, you may encounter unexpected crashes or situations where the app does not function as expected.
Read a detailed comparison between Proguard and AppSealing.
AppSealing verifies the uploaded apk files and ensures their compatibility with Firebase and Crashlytics packages, so that crash reports can be sent accurately.
And to get Obfuscation working properly, following rules should be included in your proguard-rules.pro file.
-keep class com.google.firebase.crashlytics.** {*;}
-keep interface com.google.firebase.crashlytics.** {*;}
Step #2: Enable Proguard in your project’s build.gradle file:
The build.gradle file is a configuration file in an Android Studio project that specifies the build settings and dependencies for the app. In the context of obfuscation, the build.gradle file typically contains configuration options for the ProGuard tool, which is used to obfuscate, optimize, and shrink the app’s code. The file includes properties such as “minifyEnabled” to enable or disable ProGuard, “proguardFiles” to specify the ProGuard configuration file, and “proguardTestFiles” to specify the ProGuard configuration file for the app’s test code. The build.gradle file can also include other configuration settings, such as the app’s version code and name, signing configuration for release builds, and dependencies for external libraries or modules.
The “minifyEnabled” property in the build.gradle file is used to enable or disable code obfuscation, optimization, and shrinking using ProGuard. When set to “true” for a specific build type, it enables ProGuard to remove unused classes, fields, and methods, optimize the bytecode, and obfuscate the code by renaming classes, methods, and fields to make it harder to reverse engineer. This helps reduce the size of the APK and improve the app’s performance, but may cause issues with certain libraries or dependencies that rely on reflection or dynamic class loading. Therefore, it is important to thoroughly test the app after enabling ProGuard with the “minifyEnabled” property.
Open your project’s build.gradle file and add the following lines to the “buildTypes” section:
buildTypes {
release {
minifyEnabled true
proguardFiles getDefaultProguardFile(‘proguard-android-optimize.txt’), ‘proguard-rules.pro’
}
}
This will enable Proguard for the “release” build type and use the default Proguard configuration file in addition to your custom rules file.
NB: Regarding usage of third-party libraries, you should take a look at the “consumer-proguard-rules.pro” file is a ProGuard rules file that can be used by libraries or SDKs that are distributed to other developers for use in their own apps. This file contains ProGuard rules that specify which classes, methods, and fields should be kept or excluded from obfuscation to ensure that the library or SDK functions correctly when integrated into the developer’s app. The “consumer-proguard-rules.pro” file is typically included in the “META-INF” directory of the library or SDK, and it is automatically merged with the developer’s own ProGuard rules file during the build process. This helps ensure that the library or SDK works correctly and that any conflicts or issues with ProGuard obfuscation are resolved.
SQLCipher says:
-libraryjars libs/commons-codec.jar
-libraryjars libs/guava-r09.jar
-libraryjars libs/sqlcipher.jar
-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontskipnonpubliclibraryclassmembers
-dontpreverify
-verbose
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*,!code/allocation/variable
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-dontwarn javax.annotation.**
-dontwarn android.app.**
-dontwarn android.support.**
-dontwarn android.view.**
-dontwarn android.widget.**
-dontwarn com.google.common.primitives.**
-dontwarn **CompatHoneycomb
-dontwarn **CompatHoneycombMR2
-dontwarn **CompatCreatorHoneycombMR2
-keepclasseswithmembernames class * {
native <methods>;
}
-keepclasseswithmembers class * {
public <init>(android.content.Context, android.util.AttributeSet);
}
-keepclasseswithmembers class * {
public <init>(android.content.Context, android.util.AttributeSet, int);
}
-keepclassmembers class * extends android.app.Activity {
public void *(android.view.View);
}
-keepclassmembers enum * {
public static **[] values();
public static ** valueOf(java.lang.String);
}
-keep class * implements android.os.Parcelable {
public static final android.os.Parcelable$Creator *;
}
-keepclassmembers class **.R$* {
public static <fields>;
}
-keep public class net.sqlcipher.** {
*;
}
-keep public class net.sqlcipher.database.** {
*;
}
Step #3: Build your project:
Once you have added the Proguard rules and enabled Proguard in your build.gradle file, you can build your project using the “release” build type. Proguard will automatically run during the build process to obfuscate and optimize your code.
Benefits of Implementing ProGuard
ProGuard is an open-line command source tool that is highly recommended for Android applications. It decreases the readability of the code thus enhancing the security of the applications. In addition to enhancing security, it shrinks applications to deliver a compact package. Listed below are the major benefits of using ProGuard in your applications.
Compact Configuration
ProGuard has a template-based configuration in comparison with other Java obfuscators. This is one of the biggest advantages of ProGuard. You can either use a few intuitive command line options or a simple configuration file to enable ProGuard.
Protection Against Static Analysis
Hackers use static analysis to gain access to the source code of the application. With static analysis, the app’s source code and control flow can be analyzed by hackers to figure out how the app works without running the app. ProGuard can shield the application from decompilers.
Reverse Engineering is Tougher
By applying appropriate ProGuard rules, reverse engineering can be made difficult. ProGuard shrinks and obfuscates the code with obscure names. Critical data can be leaked and exposed if hackers successfully gain access to the application for nefarious purposes. ProGuard’s obfuscation capabilities are a deterrent to reverse engineering attempts.
Increases Efficiency of Applications
The codebase of applications are made more efficient with ProGuard. It enhances the performance of the applications with its optimization features and removes all the unnecessary elements of the application. Applications with ProGuard enabled are comparatively faster.
Lists Dead Code
ProGuard can identify dead code that your application is no longer using and remove them from the source code.
Reduces Size of the Applications
Using ProGuard can result in smaller size APK & AAB files. ProGuard can reduce application size by 20% to 90%. It discards unused codes and resources from your application and library dependencies resulting in a compact package with smaller memory footprints.
Another important benefit of ProGuard is that it can process several megabytes within a matter of few seconds along with providing an optional graphical user interface and plugins for Ant and JME Wireless Toolkit.
Drawbacks of ProGuard
Though ProGuard offers multiple benefits, there are certain drawbacks or limitations that one must be aware of. ProGuard may be a great start to mobile app security but it should be applied in conjunction with other security measures. Depending solely on ProGuard is not recommended. Let’s have a look at some of the drawbacks of ProGuard in this section.
- There are chances that your application may crash in case of misconfiguration. Such unexpected outcomes can have a negative impact
- It requires additional testing
- Obfuscated method names make it difficult to decipher stacktraces
- Applying ProGuard doesn’t mean your application is inaccessible by hackers. There might be certain parts of your application that are still vulnerable to attacks
- ProGuard optimizes Java bytecode, hence it is a generic optimizer and not designed exclusively to protect Android applications
- ProGuard only offers protection against static analysis. It is unable to thwart dynamic analysis during runtime
- ProGuard utilizes name obfuscation techniques to rename classes but doesn’t obfuscate arithmetic and logical expressions in the code
- Bytecode is the primary area of focus for ProGuard. It’s functionality doesn’t extend to other components of the application
- It is recommended to use -dontskipnonpubliclibraryclasses option or -dontskipnonpubliclibraryclassmembers option since ProGuard has a tendency to overlook private or package visible library classes while reading library jars
- You may have to disable optimization with the -dontoptimize option in some cases
Final Thoughts
Most developers utilize ProGuard for its obfuscation capabilities but ProGuard’s benefits aren’t restricted to the security aspect of it. ProGuard can reduce app size to a great extent. It discards unused codes and renames classes and their members to random characters.
Enabling ProGuard leads to a slimmer and more optimized application. Along with removing unused codes, it removes resources that are no longer referenced. ProGuard doesn’t require additional dependencies. It can shorten identifiers, merge classes and inline methods and eliminate unnecessary parameters. Without changing the source code, ProGuard can eliminate logging code.
Hackers can access information about back-end servers, ciphers and perform code modification once they are successful with reverse engineering. ProGuard provides basic protection from static analysis. Though it doesn’t guarantee absolute protection from hackers, it can discourage them by making the application tougher to reverse engineer.
Appsealing is a next-generation application security solutions provider that enables app protection with zero coding. From gaming applications to Fintech apps that deal with highly confidential data, it helps add runtime security features to secure, optimize and encrypt manifest files, native libraries, resources, resource files, and asset files in the apps. With robust security solutions that don’t compromise your app performance, your business can easily win a competitive edge in the app market. Contact our team today to safeguard your iOS, Android and hybrid applications against data theft, manipulation and their subsequent consequences.
Frequently Asked Questions
1. What is ProGuard and DexGuard?
ProGuard is a generic optimizer for Java bytecode that helps in shrinking, optimizing and obfuscating mobile Android applications, desktop and embedded applications. Dexguard is a security tool solely focused on protection of Android applications. DexGuard ensures protection against static and dynamic analysis whereas ProGuard only safeguards against static analysis.
2. Is ProGuard open source?
Yes. ProGuard is an open line tool command that can be used freely to shrink, optimize and obfuscate Java code. It removes unused instructions which makes applications smaller, faster and better protected against reverse engineering.
3. What is ProGuard used for?
ProGuard is a tool used in Android development to optimize bytecode, reduce the size of the APK, and obfuscate the application’s code. It can remove unused code, rename classes and fields for obfuscation, and make the bytecode smaller and more efficient. Additionally, it can improve the code by inlining functions and other optimizations.
4. Does ProGuard obfuscate code?
Yes, ProGuard obfuscates code by renaming classes, methods, and fields to make the code more difficult to understand. It also performs code shrinking to remove unused code from the project. To enable ProGuard, you can set “minifyEnabled true” in the buildTypes tag of the gradle.build file. Additionally, custom ProGuard rules can be created in a proguard-rules.pro file to specify which classes or methods should be kept.
5. What is ProGuard and R8?
ProGuard and R8 are tools used in Android development for code shrinking, obfuscation, and optimization. ProGuard has been used in earlier versions of Android, while R8 has been the default compiler since Android Gradle Plugin v 3.4.0. R8 provides faster processing, better output results, and a 10% reduction in app size, compared to ProGuard’s 8.5% reduction. R8 also offers more Kotlin support than ProGuard.
6. What is ProGuard obfuscation?
ProGuard obfuscation is the process of renaming classes, fields, and methods with short, non-descriptive names to make the codebase difficult to understand. This makes it more challenging for attackers to comprehend the code, enhancing its security. ProGuard also helps in reducing unused code and improving code efficiency in Android development.
7. What is the ProGuard tool?
ProGuard is a free Java app for Android that helps in code shrinking (removing unused code), code obfuscation (renaming classes and fields), and code optimization (improving code). It is used to enhance app performance, reduce file size, and improve security in Android development.
8. What is the meaning of app security?
Application sеcurity rеfеrs to thе procеss of idеntifying and rеpairing vulnеrabilitiеs in application softwarе to prevent unauthorized access, modification, or misusе. It involvеs dеvеloping, adding and testing security features to minimize wеaknеssеs against possible threats from unauthorized access. Application sеcurity includes measures at the application level to prevent data or code within thе app from bеing hijackеd. It is essential for protecting applications from еxtеrnal thrеats.