Question

Sometimes we need to store in code some String that we want to protect, such as the App Id in Google Play, a third party API key, a secret seed for creating a hash, etc.

To protect these Strings sometimes developers obfuscate them with XOR operations or other techniques (i.e.: XOR operation with two strings in java).

If we run Proguard before releasing the code, as it performs a fairly sophisticated optimisation of the code, I guess it can resolve the final String, ending in shipping the String un-obfuscated in the released APK... Is this true?

That would be funny, instead of obfuscating the code Proguard would de-obfuscate manually-obfuscated data...

How do you people target this? Do you exclude the classes with the obfuscated String in proguard.cfg?

Solution

I have experimented with String obfuscation using simple techniques such as Base64 or XOR. From my experience, Proguard is not able to de-obfuscate the manually obfuscated data, even with optimization enabled.

You could try to decompile your own source code after exporting your project with Proguard enabled using tools like APKtool, Dex2jar, etc. Then you should see whether the String was de-obfuscated or not.
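The check suggested in the answer can be automated against the release build. This is an added example, not part of the original post: it scans every entry of an APK for the plaintext secret. The secret, the XOR key and the in-memory sample APKs are constructed for illustration, and `xor_bytes`, `find_plaintext` and `build_sample_apk` are hypothetical helper names.

```python
import io
import zipfile

SECRET = "EXAMPLE-API-KEY-0000"  # constructed placeholder, not a real key
KEY = b"k3y"                     # constructed XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the manual obfuscation in the question)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_plaintext(apk, secret: str) -> list:
    """Return the names of APK entries whose raw bytes contain the secret.

    DEX string data is MUTF-8, which is byte-identical to UTF-8 for ASCII
    secrets; UTF-16 is also checked because resource tables may use it.
    """
    needles = [secret.encode("utf-8"), secret.encode("utf-16-le")]
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            blob = zf.read(name)  # transparently inflates compressed entries
            if any(n in blob for n in needles):
                hits.append(name)
    return hits


def build_sample_apk(dex_payload: bytes) -> io.BytesIO:
    """Constructed stand-in for a release APK: a zip with one fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
    buf.seek(0)
    return buf


# Case 1: the optimiser folded the XOR and the plaintext landed in the string pool.
LEAKED_APK = build_sample_apk(b"\x14" + SECRET.encode() + b"\x00")
# Case 2: only the XOR-encoded bytes and the key are present.
OBFUSCATED_APK = build_sample_apk(xor_bytes(SECRET.encode(), KEY) + b"\x00" + KEY)

if __name__ == "__main__":
    print("folded build:    ", find_plaintext(LEAKED_APK, SECRET))
    print("obfuscated build:", find_plaintext(OBFUSCATED_APK, SECRET))
```

An empty result only shows that the optimiser did not fold the constant; the encoded bytes and the XOR key still ship together in the APK.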

Licensed under: CC-BY-SA with attribution