9

I have an Android project that I recently published to the market after running it through obfuscation with ProGuard.

The project exported without any complications, but how do I know it's been obfuscated? Is there anything I could do to verify that obfuscation was successful?

jakebasile
  • 8,084
  • 3
  • 28
  • 34
dell116
  • 5,835
  • 9
  • 52
  • 70

3 Answers3

11

Look for dump.txt, mapping.txt, seeds.txt and usage.txt. They will probably be in a proguard folder at your project directory. These are created when ProGuard is run on your code.

These are filled with information about the obfuscation, especially useful is mapping.txt which shows what ProGuard turned your various member names in to.

jakebasile
  • 8,084
  • 3
  • 28
  • 34
  • 1
    I have a ProGuard folder in the project directory, but it's got zilch inside of it....nothing there....am I to assume that ProGuard didn't obfuscate my code properly? Could these files be in any other directory? – dell116 Aug 22 '11 at 20:27
  • Is there any `proguard` folder under your project anywhere? If not, I'd say it probably didn't run correctly. – jakebasile Aug 22 '11 at 21:41
  • Yes..proguard folder is there...but is has no contents....I couldn't find any of the files you mentioned anywhere on my hard drive...so something must have broke when I ran it through proguard....uht oh.... – dell116 Aug 22 '11 at 22:58
  • You can unpublish your app until you can get obfuscation working correctly, but it's up to you to decide if that will help. – jakebasile Aug 23 '11 at 00:42
3

Try to reverse engineer your own application. See what you can read in the code.

Use the following questions:

decompiling DEX into Java sourcecode

http://www.taranfx.com/decompile-reverse-engineer-android-apk

Community
  • 1
  • 1
Pedro Loureiro
  • 11,436
  • 2
  • 31
  • 37
  • 1
    Thank you for this. I de-compiled two different apps, one that I obfuscated and another that I didn't obfuscate. The code from both apps (non-obfuscated and obfuscated) look the same. Variable names have been changed, but class names and whatnot remain the same. Is this how obfuscation works? How come the project that I didn't obfuscate has changes in variable names? – dell116 Aug 23 '11 at 00:25
  • That depends on how you setup proguard to work... but I don't have much experience with that! – Pedro Loureiro Aug 23 '11 at 11:39
0

DISCALIMER: I am not the owner of decompileandroid.com and I am not paid to promote it. I am a develper, who is satisfied with this service.

There is actually an easier way than acquiring several different tools and passing the output of one of them to the other (this of course gives you a better control of what's going on). You can use the service

decompileandroid.com

Basically you upload and .apk file and it does all of these steps for you. Then you can download a .zip file, which contains the decompiled sources.

You can first upload your .apk built in debug mode, then upload an .apk built in release mode. Just make sure that the flag minifyEnabled is set to true in your build.gradle file for the release build.

The difference was pretty obvious in my case - most of my classes were named a,b,c, etc in the minified build.

todor.hr
  • 56
  • 1
  • 5
  • Yikes! I mean, I'm sure you already know the implications of uploading a debuggable and non-obfuscated build to a web server. We are, after all, talking about obfuscation so a third party can't read your code. Although this site looks good on the surface I'm not sure I would trust it. – dell116 Feb 10 '15 at 15:02
  • Yes, of course in most situations you would not want to upload your APKs to a remote server. Especially with commercial projects. I gave this just as an easier alternative. In my case it was a test project, so I had nothing to be concerned with. Of course one can always upload only the obfuscated version, if that would not be a problem as well. In that case one would just see how well the obfuscation has worked. – todor.hr Feb 11 '15 at 13:24