0

I have used proguard to perform obfuscation of classes and methods. Upon researching, I came across this tool which does class name deobfuscation from penetration tester's prospective.

https://github.com/HamiltonianCycle/ClassNameDeobfuscator

In the recommendation section, author suggests to remove below line from the source code:

-keepattributes SourceFile LineNumberTable

Now this will now allow an attacker to do a proper reverse engineer and thereby gaining all original class names of the java file.

Up to here, fair enough. However, implementing this solution creates one problem for me. My developers are managing exception handling in fabric like below:

enter image description here

If I implement this solution, then developers will not get exact file name in order to track and resolve errors. They will get obfuscated file names in the exception list and hence they will have lot of huddles in tracking down the exceptions and to resolve it.

Is there any other way around through which I can accomplish these both tasks?

FrOgY
  • 151
  • 5

2 Answers2

2

They will get obfuscated file names in the exception list and hence they will have lot of huddles in tracking down the exceptions and to resolve it.

You cannot have cake and eat cake at the same time. Still, I assume you care about release builds here and if so, I'd recommend archiving proguard map files for each released build. That would allow you to figure out what exactly is class a.c.d.e just by looking at this map file. With each build, ProGuard outputs the following files:

  • dump.txt - Describes the internal structure of all the class files in the APK.
  • mapping.txt - Provides a translation between the original and obfuscated class, method, and field names.
  • seeds.txt - Lists the classes and members that were not obfuscated.
  • usage.txt - Lists the code that was removed from the APK.

These files are saved at <MODULE-NAME>/build/outputs/mapping/<FLAVOUR>/.

Also see this documentation: Shrink Your Code and Resources

Marcin Orlowski
  • 72,056
  • 11
  • 123
  • 141
0

You can't. Public classes in java have to be defined in files which are named after them. If you have to expose the file names for stack traces, you'll necessarily expose public class names.

Of course, you could modify your source code and avoid using public classes as much as possible, but I assume you want to obfuscate your existing code, without losing time on pre-obfuscating it manually.

Technically, it should be possible to create an obfuscator which works at source code level, and mangles both filenames and class names. ProGuard seems to offer such a feature.

Community
  • 1
  • 1
Dmitry Grigoryev
  • 3,156
  • 1
  • 25
  • 53