-1

I used ProGuard to obfuscate a jar, and after researching the resulting jar it was found that it didn't obfuscate logger messages, which I probably would like to do.

How to do it with ProGuard? I used the GUI-based tool with almost default settings.

Original class:

logger.info("value encrypted");

After ProGuard and decompiled:

this.c.info("value encrypted");
rozerro
  • Just strip all the logging, because obfuscated logs are useless anyway. – Martin Zeitler May 27 '22 at 10:33
  • @MartinZeitler no, the logger messages should be there – rozerro May 27 '22 at 10:34
  • The rest of the world probably might see this differently. ProGuard doesn't obfuscate strings... the proper way to handle this would be to log to Crashlytics, not to the console. Then there's no risk of disclosure, but you'd still get the logs from remote devices. – Martin Zeitler May 27 '22 at 10:35
  • @MartinZeitler it's very common to log message and have parts of them obfuscated. An example can be login requests where you don't want to see the passwords (or even the full usernames), or payment requests where you only want to see the last 4 digits of the card number. – Rob Spoor May 27 '22 at 10:38
  • Check if this helps: https://stackoverflow.com/questions/7086920/removing-logging-with-proguard-doesnt-remove-the-strings-being-logged – pringi May 27 '22 at 10:42
  • @RobSpoor Logs are usually only required for development - string obfuscation and truncation is nothing ProGuard can be used for... as it provides nothing but Java class & method mapping; the `mappings.txt` is the dictionary being generated. The least end-users would know how to access logcat, therefore remote logging is the answer. – Martin Zeitler May 27 '22 at 10:45
  • @MartinZeitler I never said that ProGuard can be used for this - in fact, you're right that it can't. I disagree about logs being only required for development. They're often also used for auditing purposes. I've had to go through log files for police requests more than once in my career, and at those times you're glad to have logging. – Rob Spoor May 27 '22 at 10:50
  • @RobSpoor Also in this case it's an advance to use a 3rd party logging service (witness), as the chance of tampered logs is equal to zero - while local logs could under certain circumstances have been edited. I was rather (wrongfully) responding in an Android context, but in a server-side context, it's not so much different. – Martin Zeitler May 27 '22 at 10:53

1 Answer

1

The simple answer is that ProGuard does not do this.

And relatedly, ProGuard will not obfuscate constant strings in your code either; see Does proguard work to obfuscate static string constants?.

The best things I can suggest are:

  1. Turn off logging in your release version.
  2. Log to Crashlytics so that the end users don't get to see the log messages on their devices.
  3. Implement a custom LogFormatter that obfuscates the log messages on the fly. (It could do it for all log messages, or just for log messages that match particular patterns.)
  4. If you are actually trying to obfuscate the log message strings embedded in your code, there are alternatives to ProGuard that will do that; see the Q&A link above for some leads.

You could also disable some or all logging at compile time with the Java equivalent of #ifdef as suggested in:

Stephen C
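As an added illustration of option 3 in the answer above (a custom formatter that redacts log messages on the fly, covering the password and card-number cases raised in the comments), here is a `java.util.logging` formatter. This is example code written for this page, not code from the question, the answer or ProGuard; the `RedactingFormatter` class name and the two regular expressions are assumptions chosen for the demo, and it requires Java 11 or later (`String.repeat`, `LogRecord.setInstant`).

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Example formatter (not from the original page): redacts sensitive values after the
// message has been rendered, so values passed through {0}-style parameters are covered too.
public class RedactingFormatter extends SimpleFormatter {

    // Constructed patterns for this demo: "password=<value>" / "password: <value>"
    // (case-insensitive) and 13-19 digit card numbers, of which only the last 4 are kept.
    private static final Pattern PASSWORD = Pattern.compile("(?i)(password\\s*[=:]\\s*)\\S+");
    private static final Pattern CARD = Pattern.compile("\\b(\\d{9,15})(\\d{4})\\b");

    // Pure function so the masking rules can be unit-tested without a Logger.
    static String redact(String message) {
        if (message == null) {
            return null;
        }
        String out = PASSWORD.matcher(message).replaceAll("$1***");
        Matcher m = CARD.matcher(out);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String masked = "*".repeat(m.group(1).length()) + m.group(2);
            m.appendReplacement(sb, Matcher.quoteReplacement(masked));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    @Override
    public String format(LogRecord record) {
        // formatMessage() substitutes parameters and resource-bundle keys; redact the result.
        String rendered = formatMessage(record);
        LogRecord copy = new LogRecord(record.getLevel(), redact(rendered));
        copy.setLoggerName(record.getLoggerName());
        copy.setInstant(record.getInstant());
        copy.setSourceClassName(record.getSourceClassName());
        copy.setSourceMethodName(record.getSourceMethodName());
        copy.setThrown(record.getThrown());
        // The copy carries no parameters, so SimpleFormatter prints the redacted text as-is.
        return super.format(copy);
    }

    public static void main(String[] args) {
        Logger logger = Logger.getLogger("demo");
        logger.setUseParentHandlers(false); // avoid the root handler printing the raw message
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(new RedactingFormatter());
        logger.addHandler(handler);

        // Constructed sample messages.
        logger.info("login attempt user=alice password=hunter2");
        logger.log(java.util.logging.Level.INFO, "payment card={0} amount=10.00", "4111111111111111");
        // Output contains "password=***" and "card=************1111".
    }
}
```

Because the redaction runs in the formatter rather than at each call site, every handler that uses it (console, file, or a remote sink) receives the masked text, and the rules can be tightened later without touching the code that logs. Note that `setUseParentHandlers(false)` matters for the demo: if the root handler still receives the record, the unredacted message would be printed by it.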