ProGuard - Secure your APK from Reverse Engineering in Android

ProGuard

The following description comes from http://proguard.sourceforge.net, the site of the people who created it.

ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes.

  1. Shrinker : Removes all the classes and methods that you do not use, both from the classes you developed and from the libraries you have used.
  2. Optimizer : Improves the performance and reduces the size of your application.
  3. Obfuscator : Renames all classes, methods and object names and jumbles them. This makes your application harder to reverse engineer.

So now you have an idea of what ProGuard is. But how can we use it in an Android application?

The answer is:

ProGuard is integrated into the Android build system, so you don't need to download its libraries and invoke them manually. ProGuard does not run on every build. It runs and performs its task only when you build your release.

Step 1: Use ProGuard in Android Application

To enable ProGuard, open your "<project_root>/project.properties" file. It will look like the one below.

# This file is automatically generated by Android Tools.
# Do not modify this file -- YOUR CHANGES WILL BE ERASED!
#
# This file must be checked in Version Control Systems.
#
# To customize properties used by the Ant build system edit
# "ant.properties", and override values to adapt the script to your
# project structure.
#
# To enable ProGuard to shrink and obfuscate your code, uncomment this (available properties: sdk.dir, user.home):
#proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt

# Project target.
target=android-18

You can see the WARNING at the beginning of the file, but you can ignore it. Now find the comment line directly above the proguard.config entry, near the bottom of the file. It says

# To enable ProGuard to shrink and obfuscate your code, uncomment this (available properties: sdk.dir, user.home):

So all you need to do is uncomment the line immediately below it, that is, remove the leading "#" from the proguard.config line. This enables ProGuard in your application.

Step 2: Release Build

After completing Step 1, you can release your build. To do that:

Right Click your Project -> Export -> Export Android Application -> Perform Next Step

Then follow the steps.

If your application compiles and builds successfully, you will see a new directory named "ProGuard" added to your project. It contains the following files.

  1. dump.txt : Describes the internal structure of all the class files in the .apk file
  2. mapping.txt : Lists the mapping between the original and obfuscated class, method and object names
  3. seeds.txt : Lists the classes and members that are not obfuscated
  4. usage.txt : Lists the code that was stripped from the .apk
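
The mapping.txt file described above is what lets you read a crash report from an obfuscated release build. The following is an added example, not code from the original article or from the ProGuard project: a small Python parser for the mapping.txt layout that translates obfuscated stack frames back to the original names. The package names, class names and the sample mapping are constructed for illustration.

```python
import re

# Constructed sample in the mapping.txt layout (not taken from a real build).
SAMPLE_MAPPING = """\
com.example.app.LoginActivity -> com.example.app.a:
    java.lang.String userName -> a
    void onCreate(android.os.Bundle) -> a
    12:20:boolean checkPassword(java.lang.String) -> a
com.example.app.net.ApiClient -> com.example.app.b.a:
    void send(java.lang.String) -> a
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Member line: optional "first:last:" line range, type, name, optional "(args)".
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?(\S+) (\S+?)(\(.*\))?(?::\d+:\d+)? -> (\S+)$")
FRAME_RE = re.compile(r"^(\s*at )([\w.$]+)\.([\w$<>]+)(\(.*\))$")


def parse_mapping(text):
    """Return {obfuscated_class: (original_class, {obf_method: [originals]})}."""
    classes, methods = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            methods = {}
            classes[m.group(2)] = (m.group(1), methods)
            continue
        m = MEMBER_RE.match(line)
        # Only methods (entries with an argument list) appear in stack traces.
        if m and methods is not None and m.group(3) is not None:
            names = methods.setdefault(m.group(4), [])
            if m.group(2) not in names:
                names.append(m.group(2))
    return classes


def retrace_frame(frame, classes):
    """Rewrite one 'at pkg.Class.method(...)' frame using the parsed mapping."""
    m = FRAME_RE.match(frame)
    if not m or m.group(2) not in classes:
        return frame  # framework code, or not a stack frame at all
    original_class, methods = classes[m.group(2)]
    # Overloads can share one obfuscated name, so list every candidate.
    names = methods.get(m.group(3), [m.group(3)])
    return f"{m.group(1)}{original_class}.{'|'.join(names)}{m.group(4)}"


if __name__ == "__main__":
    table = parse_mapping(SAMPLE_MAPPING)
    print(retrace_frame("    at com.example.app.a.a(Unknown Source)", table))
```

Archive the mapping.txt of every release build and keep it private: it is needed to read crash reports from that exact build, and anyone who holds it can undo the renaming.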

Step 3: If ProGuard Reports Warnings and Returns 0

This step is optional if you did not get any errors from ProGuard. But if you see error messages in the console regarding your library classes, you need to follow this step.

Open <project_root>/proguard-project.txt

Then, at the bottom of the file, add the following lines

-dontwarn twitter4j.internal.logging.**
-dontwarn org.apache.http.**

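What does this do? If you get a warning that a class such as twitter4j.internal.logging.XYZ is not referenced, add a -dontwarn rule for its parent package to stop that warning in the build. Note that -dontwarn only silences the warning. It does not supply the missing classes, so use it for references your application never reaches at run time.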

Summary

In this article, we learned what ProGuard is and how it helps protect our application from reverse engineering.