49

Will proguard work to obfuscate static string constants?

Antimony
Code Droid

4 Answers

78

ProGuard doesn't obfuscate string constants, as mentioned in its FAQ. Its more recent specialized closed-source sibling for Android, DexGuard, provides additional application protection techniques, like string encryption and class encryption.

(I am the developer of ProGuard and DexGuard)

Eric Lafortune
  • 2
    +1 DexGuard is the commercial product for protecting strings in your application. Personally I use a bitshift operation, but wouldn't advocate that for values that MUST stand up to an attacker. – Syntax May 28 '13 at 06:57
  • 1
    @Syntax I wouldn't advocate obfuscation at all for something that must stand up to an attacker. Those strings shouldn't even be in your code if they're that important. I have yet to see a Java obfuscator where the string encryption isn't easy to break, and I've looked at quite a few. – Antimony Jul 28 '13 at 06:59
  • 1
    As I said :P I would NOT advocate use of obfuscation for anything which hackers must not be allowed to access. I bitshift my public key for the Android billing API and am not too concerned if people break the obfuscation and have access to it. – Syntax Jul 28 '13 at 08:11
  • 1
    What can be done to avoid the explicit strings all over the classes instead of only being "translated" where they were defined? I mean: class A defines public static String MYCONS="no session" but this is actually what you see in class B instead of someView.setText(A.MYCONS) – Ed_ Oct 21 '14 at 20:43
  • ProGuard is very time-consuming. Is there any way we can run the app and see the errors without building an APK? I am facing that problem: it's working in the build APK and nothing works in the release APK, so I do not know how to catch the error. – Muhammad Younas Dec 04 '17 at 07:11
  • -1, self-promotion of commercial proprietary tool. – Adam Williams Dec 07 '22 at 11:35
11

No, ProGuard doesn't encrypt string constants (ProGuard FAQ link).

But there are some commercial products which will help you with that. I would recommend the Stringer Java Obfuscator because it has the check call context and integrity controls features which make reverse engineering as hard as possible. IMHO Stringer is the best string encryptor for Java and Android on the market today.

Also see Allatori Java Obfuscator.

N.B. I'm CEO at Licel LLC. Developer of Stringer Java Obfuscator.

Ivan Kinash
8

What ProGuard does (if configured correctly to do so) is inline string constants. It wouldn't make much sense to obfuscate them. Think of it: a string constant could be used for representing a message to the user, and what good would it do if it were obfuscated?

Óscar López
  • ProGuard is used to make compiled code difficult to read and understand. If each point of a method shows plaintext user messages to the user, I think each line of code becomes quite easy to understand. If, in cases like mine where I log.debug("fun()"), the start of each method is shown in the compiled code, the stripping of method names is quite useless! So it's a big problem... – sarah.ferguson Jan 29 '16 at 10:54
  • 1
    @sarah.ferguson You can [configure ProGuard to strip out the log calls](http://stackoverflow.com/questions/13218772/removing-log-call-using-proguard), too. – Matt Gibson Apr 04 '16 at 12:10
3

Based on my reading of the obfuscation options in the manual, the answer is No.

String literal obfuscation is theoretically possible, but it would be necessary to use a special classloader that de-obfuscated the String literals as they are read from the class file. This would be tricky. On top of that it doesn't achieve much, since someone can easily recover the original strings by running your application with a Java debugger attached.

Stephen C
  • 1
    You don't have to use a custom classloader, you can just insert functions into the class to unscramble the strings at runtime. That's what Zelix KlassMaster does. Of course it's easy to bypass if you know what you're doing, but obfuscation is only good for deterring the casual user anyway. – Antimony Nov 30 '12 at 04:21
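
The runtime-unscramble approach discussed in the last answer and its comment, as an added example that is not part of the original thread and is not the scheme used by ProGuard, DexGuard, Stringer or Zelix KlassMaster. The class name, the rotating XOR key and the stored bytes are assumptions constructed for illustration; the point it shows is that the key and the decoding routine must ship inside the class, which is why such strings should not be treated as secrets.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical illustration; not the scheme of any real obfuscator.
public class ScrambledStrings {
    // Assumed rotating XOR key. It has to ship inside the class file,
    // because the app itself needs it to display the string.
    private static final byte[] KEY = {0x5A, 0x13, (byte) 0xC7, 0x2E};

    // Constructed sample: "no session" after the build-time scramble step.
    // The plaintext literal no longer appears in the constant pool.
    private static final byte[] NO_SESSION = {
        0x34, 0x7C, (byte) 0xE7, 0x5D, 0x3F,
        0x60, (byte) 0xB4, 0x47, 0x35, 0x7D
    };

    // XOR is its own inverse, so one routine serves both directions.
    private static byte[] xor(byte[] in) {
        byte[] out = in.clone();
        for (int i = 0; i < out.length; i++) {
            out[i] ^= KEY[i % KEY.length];
        }
        return out;
    }

    // Build-time step an obfuscator would apply to each string literal.
    static byte[] scramble(String plain) {
        return xor(plain.getBytes(StandardCharsets.UTF_8));
    }

    // Runtime step: the function inserted into the class.
    static String unscramble(byte[] data) {
        return new String(xor(data), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // The stored bytes match what the build step produces.
        System.out.println(Arrays.equals(scramble("no session"), NO_SESSION));
        // The class carries everything needed to restore the text, so the
        // value is in memory (and visible in a debugger) whenever the app uses it.
        System.out.println(unscramble(NO_SESSION));
    }
}
```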