Where can I find my BuildConfig in the APK analyzer after minifying the code with ProGuard?

2

8

Please take a look at the following two images from Analyze APK on Android Studio.

  • First one is with minifyEnabled = false, and
  • another one is with minifyEnabled = true (after decoding with mapping.txt of course)

minifyEnabled = false. BuildConfig is there.

minifyEnabled = true (decoded with mapping.txt). BuildConfig is not there.

I can find BuildConfig in classes.dex before minifying, but not after minifying. I can't find any document/discussion about this, but is there some rule to strip BuildConfig from classes.dex after minifying with ProGuard? In that case, does it mean that it is relatively safe to put sensitive information in BuildConfig? Or, probably it is just hidden in some other place?

My ProGuard version is 4.7 if that matters.

Bavardage answered 27/5, 2019 at 1:4 Comment(0)
18

An additional feature of the minifying step is the inlining of constants. This would explain why the BuildConfig disappears, and yet the values still exist where needed. Once the values get inlined, there are no more references to the BuildConfig class and the minifier can remove it entirely.

Dactylography answered 30/5, 2019 at 1:56 Comment(2)
Hi @David Liu: Does it mean that we can put sensitive data like network connection credentials in build.gradle? Will it be 100% safe from reverse engineering? Would you please elaborate on the above answer? - Paleobiology
@Paleobiology No. The sensitive data will still be there, just inlined directly into the code rather than referencing BuildConfig. That sensitive data can still be seen just by scraping the app for strings. - Dactylography
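
The point made in the answer and comment above (the value is inlined, so it is still readable as a string even though the BuildConfig class is gone), as an added example that is not part of the original thread: a Python check that parses the string pool of a classes.dex and reports which known secret values are still in it. The sample DEX bytes, the secret value and all function names are constructed for illustration.

```python
import struct

def read_uleb128(buf, pos):
    """Decode one unsigned LEB128 value; return (value, next_pos)."""
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def dex_strings(buf):
    """Return every entry of the DEX string pool (string_ids -> string_data)."""
    if buf[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", buf, 0x38)  # string_ids_size/off
    pool = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", buf, ids_off + 4 * i)
        _, start = read_uleb128(buf, data_off)  # skip the utf16_size prefix
        end = buf.index(b"\x00", start)         # string data is NUL-terminated
        # MUTF-8 matches UTF-8 for ASCII; other bytes are replaced (simplification)
        pool.append(buf[start:end].decode("utf-8", "replace"))
    return pool

def find_leaks(buf, secrets):
    """Return the known secret values that occur in the string pool."""
    pool = dex_strings(buf)
    return sorted(s for s in secrets if any(s in entry for entry in pool))

def build_sample_dex(strings):
    """Constructed input: header + string table only, not a loadable DEX."""
    ids_off = 0x70
    data_off = ids_off + 4 * len(strings)
    ids, data = b"", b""
    for s in sorted(strings):
        raw = s.encode("ascii")
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(raw)]) + raw + b"\x00"  # length < 128: one uleb128 byte
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + ids + data

# Constructed sample of a minified build: no BuildConfig descriptor is left,
# but the inlined value of a hypothetical buildConfigField is still in the pool.
SAMPLE = build_sample_dex(["La/a;", "Authorization", "CONSTRUCTED-SECRET-0000"])
```

To audit a real release build, extract each classes*.dex from the APK and pass its bytes to `find_leaks` together with the values set in build.gradle; any value returned is recoverable from the shipped app.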
0

If you're using some variables on the BuildConfig, then proguard will not remove it. According to their manual:

The shrinking step detects and removes unused classes, fields, methods, and attributes. The optimization step analyzes and optimizes the bytecode of the methods. The obfuscation step renames the remaining classes, fields, and methods using short meaningless names.

Also, I've been using these options and I've never encountered proguard stripping my information on BuildConfig.

shrinkResources true
minifyEnabled true
Gossip answered 27/5, 2019 at 1:58 Comment(6)
Thank you for the reply. That makes very much sense. And I am not saying that I am losing BuildConfig access in my build. My build uses information that is stored in BuildConfig just fine. I just cannot find BuildConfig in APK analyzer where I can find it with minifyEnabled false settings. Are you saying that you haven't encountered that situation either? (Probably you are already saying that, but just double checking) - Bavardage
I'm answering your question of whether it is relatively safe to put sensitive information in BuildConfig. But from what proguard says, it renames classes, fields and methods using short meaningless names, so I guess the BuildConfig was also renamed and its variables. I also can't find my BuildConfig in my proguarded build in the classes.dex. - Gossip
"I guess the BuildConfig was also renamed and its variables" For this part though, loading the mapping.txt should put the meaningful names back, right? At least it does for my other classes. - Bavardage
Now, I'm also curious haha. What I've found in my mapping.txt is that even my own declared static variables are not there. Though I found one variable that has a mapping from the BuildConfig, the boolean DEBUG variable. - Gossip
Hi @TentenPonce and @Bavardage: (1) What if our BuildConfig is renamed but still holds sensitive data? (2) From the above discussion I could not figure out the final verdict. Is it safe to store sensitive information like network connectivity credentials inside the build.gradle file and then use them inside our production app? Request you to please confirm. - Paleobiology
According to @Bavardage's first comment: "I am not saying that I am losing BuildConfig access in my build. My build uses information that is stored in BuildConfig just fine". Even though it was missing after enabling minifyEnabled, the information still exists. The accepted answer also explained why BuildConfig was missing. - Gossip
