3

Right now, on reverse engineering the Android application APK file, I can see the data model classes in plain text, as I have used the @Keep annotation. Without the annotation, the app crashes, as these files are removed by R8.

How do I secure the data model files by making sure that they are not seen on reverse engineering?

Harshal Kshatriya
  • Can you give more information on what kind of data model class you are using? Do you use libraries like GSON? Were you experiencing this same crash on ProGuard also, or did it just appear after migrating to R8? – Elican Doenyas Dec 13 '19 at 16:02
  • The data model classes are POJOs. Yes, I'm using GSON for deserializing server responses (which are JSON strings) to Java objects. No, I didn't experience crashes when using ProGuard. – Harshal Kshatriya Dec 16 '19 at 09:43
  • Did you end up finding a solution to this? – Dan Oct 18 '20 at 17:16

2 Answers

1

Recently I ran into this same issue, and my particular problem was that I had an obsolete set of ProGuard rules. Note that on 4 Oct 2019 Gson updated their ProGuard rules to take R8 into account. Hopefully you just have to update them.

You can find it at https://github.com/google/gson/blob/master/examples/android-proguard-example/proguard.cfg

# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature

# For using GSON @Expose annotation
-keepattributes *Annotation*

# Gson specific classes
-dontwarn sun.misc.**
#-keep class com.google.gson.stream.** { *; }

# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { <fields>; }

# Prevent proguard from stripping interface information from TypeAdapter, TypeAdapterFactory,
# JsonSerializer, JsonDeserializer instances (so they can be used in @JsonAdapter)
-keep class * implements com.google.gson.TypeAdapter
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer

# Prevent R8 from leaving Data object members always null
-keepclassmembers,allowobfuscation class * {
  @com.google.gson.annotations.SerializedName <fields>;
}

Also remember to add your own model classes: look at the rule in the middle, as it is just an example and has to be changed to match your own models.

Rubén Viguera
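
The last rule in the answer above only helps if the model fields carry `@SerializedName`. The sketch below is an added example, not part of the original answer or of Gson's sample project, showing a model that depends on its field names beside one that does not; the class names, field names and sample JSON are hypothetical and constructed for illustration.

```java
import com.google.gson.Gson;
import com.google.gson.annotations.SerializedName;

public class ModelObfuscationDemo { // hypothetical names throughout

    // Before: JSON keys come from the field names, so a rename by R8 breaks
    // parsing. That forces @Keep (or a -keep rule) and leaves the class and
    // field names readable in the APK.
    static class UserPlain {
        long user_id;
        String display_name;
    }

    // After: JSON keys come from the annotation values. With
    //   -keepclassmembers,allowobfuscation class * {
    //     @com.google.gson.annotations.SerializedName <fields>;
    //   }
    // R8 keeps these fields but may rename them and the class.
    // The key strings themselves still ship in the APK as annotation values.
    static class User {
        @SerializedName("user_id") long id;
        @SerializedName("display_name") String name;
        // alternate accepts an older server key for the same field
        @SerializedName(value = "email", alternate = {"email_address"}) String email;
        // No annotation: not covered by the rule above, so R8 may rename or
        // remove this field and the value from the response is then lost.
        String note;
    }

    public static void main(String[] args) {
        // Constructed sample response
        String json = "{\"user_id\":42,\"display_name\":\"Ada\","
                + "\"email_address\":\"ada@example.com\",\"note\":\"hi\"}";
        Gson gson = new Gson();

        UserPlain plain = gson.fromJson(json, UserPlain.class);
        User user = gson.fromJson(json, User.class);

        System.out.println(plain.user_id + " " + plain.display_name);
        System.out.println(user.id + " " + user.name + " " + user.email + " " + user.note);
        System.out.println(gson.toJson(user));
    }
}
```

Run unshrunk, both classes parse the sample; the difference only shows up in a minified release build, so test deserialization against the release variant.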
-1

Add the lines below to the gradle.properties file.

# Disables R8 for Android Library modules only.
android.enableR8.libraries = false
# Disables R8 for all modules.
android.enableR8 = false
Sajith