Anil Gorthy

Reputation: 899

Verify DexGuard configuration with a signed APK

I integrated with DexGuard and ProGuard, generated a signed APK and now I want to verify that the configuration worked as configured:

  1. Use dex2jar (or similar tools) to decompile the app and verify for obfuscation/encryption
  2. Verify the signed APK's size is smaller
  3. Of course, ensure that the app functions as expected (especially for encrypted resources)

Are there any other steps folks here use?

Upvotes: 1

Views: 1372

Answers (2)

Anil Gorthy

Reputation: 899

Here are the various tools one can use (copied straight from DexGuard docs when you get their JAR/License):

  • dexdump (Android SDK): disassembles Dalvik bytecode to a readable text format.
  • aapt (Android SDK): disassembles binary resource XML files to a readable text format.
  • baksmali (open source): disassembles Dalvik bytecode to a readable source format.
  • smali (open source): assembles this source format to Dalvik bytecode again.
  • apktool (open source): disassembles and assembles entire applications: bytecode, Android manifest files, resource files, and assets.
  • dex2jar (open source): converts Dalvik byte code to Java bytecode.
  • jad (free): decompiles Java bytecode to Java source code.

As they always say, read the docs!

Upvotes: 0

scottyab

Reputation: 24039

In the past I've confirmed the String/class encryption is working by decompiling/unpacking the .apk (I use Apktool) and then grepping/searching the output files for known secrets/API keys etc. In fact this could be automated.

Upvotes: 1
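
The automation suggested in the answer above, as an added example that is not part of the original posts: a Python check that walks an Apktool output directory and reports any known secret that still appears in plaintext. The function names, the sample tree and the secret values are constructed for illustration; in practice the directory would be the output of decoding the signed APK with Apktool.

```python
import os
import tempfile

def find_plaintext_secrets(decoded_dir, secrets):
    """Return sorted (relative_path, line_number, label) hits; values are never echoed."""
    # ASCII keys appear verbatim in smali const-string lines; values containing
    # quotes, backslashes or non-ASCII characters are escaped there.
    needles = {label: value.encode("utf-8") for label, value in secrets.items()}
    hits = []
    for root, _dirs, files in os.walk(decoded_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, decoded_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:  # bytes mode: assets may be binary
                for line_no, line in enumerate(fh, 1):
                    for label, needle in needles.items():
                        if needle in line:
                            hits.append((rel, line_no, label))
    return sorted(hits)

# Constructed sample tree shaped like Apktool output (not from a real app).
SAMPLE_FILES = {
    "smali/com/example/ApiClient.smali":
        '.class public Lcom/example/ApiClient;\n'
        '.method static key()Ljava/lang/String;\n'
        '    const-string v0, "CONSTRUCTED-API-KEY-0001"\n'
        '    return-object v0\n.end method\n',
    "smali/o/a.smali":  # stands in for an encrypted string constant
        '.class public Lo/a;\n    const-string v0, "\\u5f3a\\u0012\\u7a01"\n',
    "res/values/strings.xml":
        '<resources>\n<string name="backend">https://api.example.invalid/v1</string>\n</resources>\n',
}
SAMPLE_SECRETS = {  # label -> plaintext value that should NOT survive in the APK
    "api_key": "CONSTRUCTED-API-KEY-0001",
    "backend_url": "https://api.example.invalid/v1",
    "signing_salt": "CONSTRUCTED-SALT-7f3a",
}

def demo():
    """Write the sample tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_plaintext_secrets(tmp, SAMPLE_SECRETS)

if __name__ == "__main__":
    for rel, line_no, label in demo():
        print(f"PLAINTEXT {label}: {rel}:{line_no}")
```

An empty result for a release build means none of the listed values survived verbatim; any hit names the file and line where string or resource encryption was not applied.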
