Reputation: 151
I have used ProGuard to perform obfuscation of classes and methods. Upon researching, I came across this tool, which does class name deobfuscation from a penetration tester's perspective.
https://github.com/HamiltonianCycle/ClassNameDeobfuscator
In the recommendation section, the author suggests removing the line below from the source code:
-keepattributes SourceFile,LineNumberTable
Now this will not allow an attacker to do proper reverse engineering and thereby gain all the original class names of the Java file.
Up to here, fair enough. However, implementing this solution creates one problem for me. My developers are managing exception handling in Fabric like below:
If I implement this solution, then developers will not get the exact file name in order to track and resolve errors. They will get obfuscated file names in the exception list and hence they will have a lot of hurdles in tracking down the exceptions and resolving them.
Is there any other way around through which I can accomplish both of these tasks?
Upvotes: 0
Views: 708
Reputation: 75644
They will get obfuscated file names in the exception list and hence they will have a lot of hurdles in tracking down the exceptions and resolving them.
You cannot have cake and eat cake at the same time. Still, I assume you care about release builds here and if so, I'd recommend archiving ProGuard map files for each released build. That would allow you to figure out what exactly is class a.c.d.e just by looking at this map file. With each build, ProGuard outputs the following files:
These files are saved at <MODULE-NAME>/build/outputs/mapping/<FLAVOUR>/.
Also see this documentation: Shrink Your Code and Resources
Upvotes: 2
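The lookup described in the answer above, resolving a name like a.c.d.e from an archived map file, sketched as an added example (not code from the answer or from ProGuard; ProGuard's own ReTrace tool does this job on real builds). The mapping text and class names are constructed, and the .java file name is an assumption derived from the outer class name.

```python
import re

# Constructed sample in ProGuard's mapping.txt layout (not taken from a real build).
SAMPLE_MAPPING = """\
com.example.app.LoginActivity -> a.c.d.e:
    java.lang.String token -> a
    12:20:void onCreate(android.os.Bundle) -> a
    31:40:boolean validate(java.lang.String) -> a
com.example.app.net.ApiClient -> a.c.d.f:
    5:9:void send(byte[]) -> b
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
METHOD_RE = re.compile(r"^\s+(?:(\d+):(\d+):)?\S+ ([^\s(]+)\(.*\)(?::\d+(?::\d+)?)? -> (\S+)$")
FRAME_RE = re.compile(r"^(\s*at )([\w.$]+)\.([\w$<>]+)\((.*?)(?::(\d+))?\)$")

def parse_mapping(text):
    """Return {obfuscated class: (original class, [(first, last, original, obfuscated)])}."""
    classes, current = {}, None
    for line in text.splitlines():
        c, m = CLASS_RE.match(line), METHOD_RE.match(line)
        if c:
            current = classes.setdefault(c.group(2), (c.group(1), []))[1]
        elif m and current is not None:  # field lines have no "(...)" and are skipped
            first, last, name, obf = m.groups()
            current.append((int(first or 0), int(last or 0), name, obf))
    return classes

def retrace_line(line, classes):
    """Rewrite one 'at a.c.d.e.a(SourceFile:N)' frame; other lines pass through unchanged."""
    m = FRAME_RE.match(line)
    if not m or m.group(2) not in classes:
        return line
    prefix, obf_cls, obf_method, _src, lineno = m.groups()
    original, methods = classes[obf_cls]
    named = [x for x in methods if x[3] == obf_method]
    if lineno:  # the line number picks one of several methods sharing a short name
        named = [x for x in named if x[0] <= int(lineno) <= x[1]] or named
    names = "|".join(dict.fromkeys(x[2] for x in named)) or obf_method
    # Assumption: the source file is named after the outer class.
    src = original.rsplit(".", 1)[-1].split("$")[0] + ".java"
    suffix = f":{lineno}" if lineno else ""
    return f"{prefix}{original}.{names}({src}{suffix})"

def retrace(trace, mapping_text=SAMPLE_MAPPING):
    classes = parse_mapping(mapping_text)
    return "\n".join(retrace_line(l, classes) for l in trace.splitlines())
```

A frame with no line number, as produced when LineNumberTable is stripped, comes back with every candidate method name joined by "|", because the mapping alone cannot tell them apart.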
Reputation: 3203
You can't. Public classes in Java have to be defined in files which are named after them. If you have to expose the file names for stack traces, you'll necessarily expose public class names.
Of course, you could modify your source code and avoid using public classes as much as possible, but I assume you want to obfuscate your existing code, without losing time on pre-obfuscating it manually.
Technically, it should be possible to create an obfuscator which works at source code level, and mangles both filenames and class names. ProGuard seems to offer such a feature.
Upvotes: 0