CODEWITHSUNDEEP
javaandroidproguard
Frank
Frank

Reputation: 15641

Proguard left overs

When we run proguard on the following piece of Code it should remove the Logging statment:

Log.d(TAG, "field= "+field+“ : enhancedfield=”+enhancedfield);

But... After compilation you will see this:

Log.d(TAG, new StringBuilder().append("Field= ").append(field)
     .append(“ : enhancedfield=”).append(enhancedfield).toString());

Now when we run proguard on this, you will get some leftovers:

new StringBuilder().append("Field= ").append(field)
    .append(“ : enhancedfield=”).append(enhancedfield).toString();

This leaks info to pottential hackers...

What can i do: Declare a final static boolean and only log when the value is true. Because this value can be determined at compile time, the logging code will not be included when the value is false. But that polutes my code, so i am not that happy with that.

Now my Question: How can i improve this behavior? leaving less leftovers and leaking less information?

Upvotes: 0

Views: 208

Answers (3)

Eric Lafortune
Eric Lafortune

Reputation: 45668

This is a duplicate of the question Removing unused strings during ProGuard optimisation. You can define your own logging method to avoid the StringBuilder calls.

Upvotes: 1

daf
daf

Reputation: 31

You could prevent the compiler to use the Stringbuilder by forcing the statements to be separate:

Log.d(TAG, "field:");
Log.d(TAG, field);
Log.d(TAG, "enhancedfield:");
Log.d(TAG, enhancedfield);

This of course has an impact on the result of the logs (4 lines instead of 1) and the code isn't very maintainable.

Upvotes: 2

AlexWien
AlexWien

Reputation: 28737

Log Strings are always a problem in obfuscation, they cannot be obfuscated away, you only could move them in a separate class, which does not help much.

encryption of that strings would be more secure. In our praxis, we dont care much, in very special algorithm, which are the heart of know how, you could remove the logging at all, once you know that these methods work without error.

Using the static final boolean isDebug has the drawback that you cannot enabling logging anymore, you have to rebuild, and install a debug version.

Does the solution with statcic final dbg = false
:

if (dbg) Log.d("unwanted debug log");

really polute your code?

Upvotes: 0

Related Questions