Android project in practice (25): Android Studio obfuscation + packaging + successful verification


Foreword:

In a one-on-one Android project, I recently used Huanxin (Easemob) for instant messaging. When integrating the SDK, the official documentation says:

Add the following keep rules to the ProGuard file.

-keep class com.hyphenate.** {*;}
-dontwarn com.hyphenate.**

 

These are obfuscation rules. I have not written an article about obfuscated packaging before, so I am adding one here.

Let's go through how to obfuscate and package a project in the Android Studio environment.

 

----------------------------------------------------------------------------------------

1. Packaging:

The Android project will generate .apk files for users to install.

1. In the toolbar, choose Build -> Generate Signed APK...

2. This dialog appears. The first time you open it the edit boxes are empty; click the Create new... button.

3. Fill in the relevant information here; the specific content is not detailed.

4. Then go back to the first dialog. Click Next, select release for Build Type and click Finish. The apk package of the project is then generated in the APK Destination Folder directory.

That is the whole packaging process.

----------------------------------------------------------------------------------------

 2. Obfuscation

Anyone who does development knows that an Apk can be decompiled with some tools to get at the resources and code inside it. Some people do this with good intentions, to learn from the good code in your project. Those with bad intentions may decompile the Apk to look for vulnerabilities in your project and threaten its security.

So before we package a project, we must obfuscate it so that the decompiled Apk is much harder to read, which improves the security of the product.

Obfuscation requires some configuration.

Modify the code in the android{} block of the build.gradle file in the app directory.

1.

    // Run the lint check, but do not stop the build when it reports errors
    lintOptions {
        abortOnError false
    }

2.

buildTypes {
        debug {
            // Display Log
            buildConfigField "boolean", "LOG_DEBUG", "true"
            versionNameSuffix "-debug"
            minifyEnabled false
            zipAlignEnabled false
            shrinkResources false
            signingConfig signingConfigs.debug
        }

        release {
            // Do not display Log
            buildConfigField "boolean", "LOG_DEBUG", "false"
            // Obfuscate
            minifyEnabled true
            // Zipalign optimization
            zipAlignEnabled true

            // Remove unused resource files
            shrinkResources true
            // The first file is the system's default obfuscation file for Android programs, which already contains the basic obfuscation declarations; the second is your own custom obfuscation file
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'

        }
    }

 

3. Modify proguard-rules.pro

First, some fixed rules:

-keepclassmembers class fqcn.of.javascript.interface.for.webview {
   public *;
}

#Number of optimization passes over the code (ignored while -dontoptimize is set)
-optimizationpasses 5

#Do not use mixed-case class names
-dontusemixedcaseclassnames

#Do not skip non-public library classes
-dontskipnonpubliclibraryclasses

#Do not optimize the input class files
-dontoptimize

#Skip preverification
-dontpreverify

#Log details while obfuscating
-verbose

#Optimizations to apply or exclude (ignored while -dontoptimize is set)
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*

#protect annotations
-keepattributes *Annotation*

# Keep these classes from being obfuscated
-keep public class * extends android.app.Fragment
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends android.app.backup.BackupAgentHelper
-keep public class * extends android.preference.Preference
-keep public class com.android.vending.licensing.ILicensingService
#If there is a reference to the v4 package, you can add the following line
-keep public class * extends android.support.v4.app.Fragment


# ignore warnings
-ignorewarnings

##Record the generated log data; during gradle build it is output in the root directory of the project##
#The internal structure of all classes in the apk package
-dump proguard/class_files.txt
#Classes and members that were not obfuscated
-printseeds proguard/seeds.txt
#List the code removed from the apk
-printusage proguard/unused.txt
#Mapping of names before and after obfuscation
-printmapping proguard/mapping.txt
########Record the generated log data; during gradle build it is output in the root directory of the project -end######

#If v4 or v7 package is referenced
-dontwarn android.support.**

####Obfuscation protection for part of your own project's code and the referenced third-party jar libraries -end####



#Keep native methods from being obfuscated
-keepclasseswithmembernames class * {
    native <methods>;
}

#Keep custom view classes from being obfuscated
-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}

#Keep Activity methods that take a View parameter (click handlers) from being obfuscated
-keepclassmembers class * extends android.app.Activity {
   public void *(android.view.View);
}

-keep public class * extends android.view.View {
    public <init>(android.content.Context);
    public <init>(android.content.Context, android.util.AttributeSet);
    public <init>(android.content.Context, android.util.AttributeSet, int);
    public void set*(...);
}

#Keep Parcelable from being obfuscated
-keep class * implements android.os.Parcelable {
  public static final android.os.Parcelable$Creator *;
}

#Keep Serializable from being obfuscated
-keepnames class * implements java.io.Serializable

#Keep the members used by Serializable from being obfuscated
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private static final java.io.ObjectStreamField[] serialPersistentFields;
    !static !transient <fields>;
    !private <fields>;
    !private <methods>;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}

#Keep enum classes from being obfuscated
-keepclassmembers enum * {
  public static **[] values();
  public static ** valueOf(java.lang.String);
}

-keepclassmembers class * {
    public void *ButtonClicked(android.view.View);
}

#Do not obfuscate resource classes
-keepclassmembers class **.R$* {
    public static <fields>;
}

#Avoid obfuscating generics. If obfuscation reports an error, it is recommended to turn this off
#-keepattributes Signature

Then add further rules for the third-party libraries used in the project. These are generally given in each library's documentation.

For example:

#gson
#If the Gson parsing library is used, add the following lines so that obfuscation succeeds; otherwise an error will be reported.
-keepattributes Signature
# Gson specific classes
-keep class sun.misc.Unsafe { *; }
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.** { *; }
-keep class com.google.gson.stream.** { *; }

#mob
-keep class android.net.http.SslError
-keep class android.webkit.**{*;}
-keep class cn.sharesdk.**{*;}
-keep class com.sina.**{*;}
-keep class m.framework.**{*;}
-keep class **.R$* {*;}
-keep class **.R{*;}
-dontwarn cn.sharesdk.**
-dontwarn **.R$*

#butterknife
-keep class butterknife.** { *; }
-dontwarn butterknife.internal.**
-keep class **$$ViewBinder { *; }

-keepclasseswithmembernames class * {
    @butterknife.* <fields>;
}

-keepclasseswithmembernames class * {
    @butterknife.* <methods>;
}

######Rules for other referenced modules can be configured directly in this obfuscation file of the app

# If a tool such as Gson is used, the JavaBean classes it parses, that is, the entity classes, should not be obfuscated.
-keep class com.matrix.app.entity.json.** { *; }
-keep class com.matrix.appsdk.network.model.** { *; }

#####Obfuscation protection for part of your own project's code and the referenced third-party jar libraries########
#If a third-party library is used in the current application module or a dependent library module, there is no need to add rules explicitly
#-libraryjars xxx
#Adding it can cause an error during packaging that the same jar is specified multiple times. Generally it is only necessary to add rules that ignore warnings and keep certain classes from being obfuscated.
#The open source project is referenced as a library. If you do not want it obfuscated, keep it out, or set minifyEnabled = false in the imported module's build.gradle
-keep class com.nineoldandroids.** { *; }
-keep interface com.nineoldandroids.** { *; }
-dontwarn com.nineoldandroids.**
# Pull down to refresh
-keep class in.srain.cube.** { *; }
-keep interface in.srain.cube.** { *; }
-dontwarn in.srain.cube.**
# observablescrollview:tab fragment
-keep class com.github.ksoichiro.** { *; }
-keep interface com.github.ksoichiro.** { *; }
-dontwarn com.github.ksoichiro.**

 

At this point, repeat the packaging procedure from part 1 and the obfuscated Apk will be generated.

 

 

----------------------------------------------------------------------------------------

 3. Decompile the Apk and verify whether the Apk is obfuscated

The tool used here is dex2jar (to obtain the source files).

After downloading there are these two files

1. Manually change the file extension of the packaged apk file to .zip and unzip it; you will get a series of files.

Find the classes.dex file among them (it is the Java code compiled and packaged by the dx tool) and copy it into the dex2jar-2.0 folder we downloaded.

2. On the command line, navigate to the directory where dex2jar.bat is located and enter

d2j-dex2jar.bat classes.dex

Note that the first part of the command must match the name of the d2j-dex2jar.bat file in your folder.

A classes_dex2jar.jar file will be generated in this directory. Then open jd-gui.exe in the tool's jd-gui folder,

and use it to open the classes_dex2jar.jar file generated earlier. You can see the source code, with the following effect: the names have become a, b, c, d, etc., which indicates that obfuscation succeeded.
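The -printmapping proguard/mapping.txt file configured in part 2 allows the same verification without reading decompiled names by eye. The Python script below is an added example, not part of the original article: it parses a mapping file and lists which of the app's own classes were renamed and which were kept, with the members left readable inside them. The com.example.app package, the sample mapping and the function names are constructed for illustration.

```python
import re

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Optional "start:end:" line range, member type, member name, optional argument list.
MEMBER_RE = re.compile(r"^\s+(?:\d+:\d+:)?\S+ ([^\s(]+)(?:\(.*?\))?(?::\d+)* -> (\S+)$")

# Constructed sample in the mapping.txt format; not taken from a real build.
SAMPLE_MAPPING = """\
# compiler: constructed sample
com.example.app.ui.MainActivity -> com.example.app.ui.MainActivity:
    android.widget.TextView title -> a
    void onCreate(android.os.Bundle) -> onCreate
    12:14:void loadUser(java.lang.String) -> a
com.example.app.net.ApiClient -> com.example.app.a.a:
    20:31:java.lang.String sign(java.lang.String) -> a
com.example.app.entity.json.User -> com.example.app.entity.json.User:
    java.lang.String name -> name
    java.lang.String getName() -> getName
com.hyphenate.chat.EMClient -> com.hyphenate.chat.EMClient:
    void login(java.lang.String,java.lang.String) -> login
"""

def parse_mapping(text):
    """Return {original_class: (new_class, [(member, new_member), ...])}."""
    classes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and header comments
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = (m.group(2), [])
            continue
        m = MEMBER_RE.match(line)
        if m and current:
            classes[current][1].append((m.group(1), m.group(2)))
    return classes

def audit(classes, app_prefix):
    """Split the app's own classes into renamed and kept; list members left readable in kept ones."""
    own = {c: v for c, v in classes.items() if c.startswith(app_prefix)}
    kept = sorted(c for c, (new, _) in own.items() if new == c)
    renamed = sorted(c for c in own if c not in kept)
    exposed = {c: [m for m, n in own[c][1] if m == n] for c in kept}
    return {"renamed": renamed, "kept": kept, "exposed_members": exposed}

if __name__ == "__main__":
    print(audit(parse_mapping(SAMPLE_MAPPING), "com.example.app."))
```

Classes reported as kept are the ones matched by -keep rules such as the Activity and entity-class rules above; reviewing that list shows how much of the app a broad keep rule leaves readable.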

 

 
