How to obfuscate cordova plugin java code

Question

I have been working on ionic 3 mobile applications. I obfuscate typescript codes using ionic-voricles-obfuscate plugin (https://www.npmjs.com/package/ionic-voricles-obfuscate)

While reverse-engineering the APK using Apktool , Android library classes in Cordova plugins are not obfuscated. The Application security team asking to Obfuscate the Java / Android packages using Proguard in order to prevent the application from run time code manipulation, due to this my application is rejected by Appsec team.

I have referred lots of articles, all are very brief introduction about Proguard tool. I am confused whether I am approaching the right method for obfuscating my Ionic mobile application. I am new to Mobile application development and don't have hands of experience in code obfuscation.

Answer 1

The answer on whether your approach is right will depend on many factors - e.g. what is the level of security you want to achieve, what are the constraints set forth by your Appsec team.

• If you need stronger obfuscation and your appsec team is already familiar with Proguard, you can try DexGuard, which:

  • Has an out-of-the box solution for Ionic apps;
  • Compatible with Proguard;
  • Made by the same company as Proguard.

• Proguard will provide less security, but it's free & open source. For the Proguard approach, you can check out this question and the manual on the developer's website.