How to obfuscate an Android application

There is no easy way to obfuscate Java classes of an Android app. This is no Eclipse plugin, nor even a working ant script.

Maybe there are working ant scripts. But for Android SDK 1.5, it seems like no one has supplied a proper one, yet. And hence, I spent half a day hacking out a script that works. There are more effort and hurdles than what are presented here.. but for a simple working script, here it is how I did it:

 

1 Create a Project

From the Terminal, in /android-sdk/tools/, run:

./android create project –target 2 –path /PATH/TO/ObfuscatedApp –activity MyActivity –package com.just2me.obfapp

 

2 Edit build.xml

Replace the build.xml with my modified build.xml, which is the most important item in this tutorial. The obfuscation work is in the optimize target as seen below.

ant build.xml

Some points to note in the build.xml ant script:

  • Edit the properties for the path to your Android SDK and Proguard
  • If you use any libraries, copy them to /lib and add -libraryjars ${library-jar}/some_lib_used.jar accordingly
  • -dontoptimize is needed for Android
  • For all classes that are declared in AndroidManifest.xml Application nodes (Activities, Receviers, etc), add an arg to tell proguard not to obfuscate. Exampe: "-keep public class com.just2me.obfapp.activity.*"

 

3 Run ant

The last step is to simply run the ant script!

To package a debug version that is signed with a debug key, run "ant debug-obf".

To package a release version that is unsigned, run "ant release-obf".

If all is well, then you will find the products in /bin. ObfuscatedApp-debug.apk would be the debug package that could be installed on simulator/devices.

Share and Enjoy
    Tagged with:
    Posted in Android, Development, How-to
    • http://www.just2me.com samwize

      “Everybody at some point thinks they need to obfuscate their code, but in almost all cases, it’s simply not true. It won’t stop people pirating your software, it won’t actually stop people reverse-engineering your code, it’ll only make it more difficult, and, biggest of all, it won’t stop people nicking your ideas. Unless you’ve got some extremely sexy, spanking new algorithms or something, it’s not worth the bother. Even then, legal protection is more important than technically prohibiting the reverse-engineering.”

      - georgemc
      http://forums.sun.com/thread.jspa?threadID=5339989

    • Pingback: eclipse obfuscation plugin for android development on OSX – Afraha ! The Next Big Thing!

    • Urboss

      Where should I find the target package-resources? It is on the dependency list of the target release-obf but missing in the file.

    • ken

      Quick note on your build.xml…the sdk-location in the android.antlibs definition should be either sdk-folder or sdk.dir…

      Thanks for writing this up…

    • aryan

      Can you provide some help, on build.xml?
      I am getting an error on every target,
      Target package-resources does not exist in this project?
      what is target-resources?

    • Catherine

      I found the same problem too

    • http://www.facebook.com/lassikin Lassi Kinnunen

      you fail at understanding why to squeeze every byte out.

    • android developer

      isn’t it possible to use proguard from within eclipse without Ant?
      as the manual of android says, all i need to do is just add the path to the “proguard.cfg” file into “default.properties” file :proguard.config=../proguard.cfgthis only seems to work for classes names, but not for variables names. i know it since i’ve tried using dex2jar and java decompiler , and i can see the real names of the variables.here are the reference links:http://java.decompiler.free.fr/http://code.google.com/p/dex2jar/downloads/listhttp://developer.android.com/guide/developing/tools/proguard.html

    • android developer

      from some reason, my comment had its new lines removed. sorry. hope it’s still readable.