Cordova android 5.1.1 APK obfuscation with proguard confusion

Asked 23/6, 2016 at 14:43 Answered 30/7, 2019 at 13:46

android cordova proguard cordova-plugin-proguard

With tools like dex2jar and jdgui2 it is very easy to inspect the contents of the APK.

We are trying to use Proguard in our Cordova project to "protect" a few classes that contain information we want to keep secret (Mainly keys to decrypt some content we try to protect for our client).

We cannot get it right. The app crashes, or it isn't obfuscated.

We added to our build.gradle :

buildTypes {
   release {
      signingConfig signingConfigs.release
      minifyEnabled true
      proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
           }
}

Our proguard.pro contains:

-keep class !com.smartmobilesoftware.** ( *; }

smartmobilesoftware is an inAppPurchases plugin.

In that package we modified a few classes, which works great without proguard.

I found the following "Proguard support missing": https://issues.apache.org/jira/browse/CB-9269

Here Joe Bowser claims the following: "OK, you shouldn't use ProGuard with Cordova, or at least, there's no good reason to use it, since you can't use it with minifyEnabled, which is what actually makes ProGuard work properly. Since Cordova uses Reflection all over the place, this is a good way to blow up Cordova without a proguard-rules.pro file."

We tried to avoid that issue by telling proguard that ALL classes should be left intact except the ones in the com.smartmobilesoftware (-keep class !com.smartmobilesoftware.** ( *; })

I am not sure if this is a problem witih our code (but the code works fine without proguard), the plugin, or proguard itself.

We do not see any meaningful errors.

We released apps before built with Cordova 2.2.0, which used ANT and proguard and another plugin, which worked fine. So we wonder if Cordove is changed in respect to proguard.

Can anybody maybe shed some light on this issue?

Laughing answered 23/6, 2016 at 14:43 Comment(1)

use cordova-plugin-proguard alfilatov.com/posts/… – Hearken 18/11, 2020 at 23:9

It looks like the code in package com.smartmobilesoftware implements a Cordova plugin. In this case you need to keep at least a few more classes, otherwise Cordova will not properly find them at runtime (for a recent Cordova release):

-keep class * extends org.apache.cordova.CordovaPlugin

Aude answered 30/6, 2016 at 13:23 Comment(1)

Thank you for responding. I haven't been able to check yet, but the bounty was expiring, so I gave it to you. :-) I will respond in here if your suggestion works. – Laughing 4/7, 2016 at 11:44

Cordova application will crash after obfuscation because of the main activity and cordova classes will get obfuscate. So at runtime failed to create the webview and application will crash.

To resolve this you have to add :

-keep class org.apache.cordova.** {
    *;
}

-keep public class * extends org.apache.cordova.CordovaPlugin

Windhoek answered 14/12, 2016 at 6:49 Comment(0)

There's a nice cordova plugin for this nowadays

https://github.com/greybax/cordova-plugin-proguard

This worked out of the box for me, although I had to add this line to prevent building errors:

-dontwarn com.google.android.gms.**

Emerald answered 30/7, 2019 at 13:46 Comment(1)

Author of this plugin here! thank you very much for sharing it! Would be nice if you would sent PR how you fix build errors ;) – Hearken 27/11, 2019 at 22:53

@Erwin Moller For this issue you may need to safe as less as possible files filter from obfuscation so here you can try below proguard rules and try it too run. Good luck

-keep class org.apache.cordova.engine.** { *; }
-keep public class * extends org.apache.cordova.CordovaPlugin

Modestia answered 29/11, 2017 at 13:19 Comment(0)

Recommended topics

Hot tags