How to implement ProGuard properly in android studio?

Question

I am having a hard time learning proguard and I need help to remove all the R8 warnings and properly implement the proguard rules. I had watched mostly all the videos on youtube and read blogs, documentation, and articles about proguard / proguard-rules but so far I still have many questions right now, I will enumerate all of it. Here are my questions:

1. So far I know that when I created model classes I need to add a -keep class to the package so it will not be obfuscated, but how about a model just like this: (Should I also add -keep on the proguard-rules?)

public class Constants {
    public static final int ERROR_DIALOG_REQUEST = 9001;
    public static final int PERMISSIONS_REQUEST_ENABLE_GPS = 9002;
    public static final int PERMISSIONS_REQUEST_ACCESS_FINE_LOCATION = 9003;
    public static final String LOG_DB = "DB_Error";
}

//Or like this:

public class CameraView extends SurfaceView implements SurfaceHolder.Callback {
    public CameraView(Context context) {
        super(context);
        getHolder().addCallback(this);
        setFocusableInTouchMode(true);
        setFocusable(true);
        requestFocus();
    }
    @Override
    public void surfaceCreated(SurfaceHolder holder) { }
    @Override
    public void surfaceChanged(SurfaceHolder holder, int format, int width, int height) { }
    @Override
    public void surfaceDestroyed(SurfaceHolder holder) { }
}

2. How about the Adapter Classes like RecyclerAdapter or FirestorePagingAdapter? I know that they will get affected by the obfuscation but should we just let it obfuscated? or should we also add it to the rules?

3. The same goes for Activity Classes what are the necessary things to do? Will it affect the process if I retrieve data from the database for example?

4. Next is about the library. I know that I should add the corresponding proguard rules in every dependency but I saw some blog that said it needs to add OkHttp3 even though he didn't add the implementation to his dependencies. So I came up with a question of how should I know if there are also other libraries that are needed to add to the rules?

5. Lastly, how should I debug my rules or how should I know if ever I included or missing some rules in proguard? (If possible, Can you give some example on debugging the proguard-rules)

Hope you can answer all of my questions because I am pretty sure that someone out there is struggling on proguard too so I hope that if they saw these questions it will help them overcome this kind of situation without having a hard time finding answers on the internet separately. Thank you!

Answer 1

First, you need to understand what ProGurad does. If I explain in a very simple way, it changes class-name, variables, and methods to some other name (like ) which would hard to read when someone tries to decode your code from apk.

Now, you need to remember that it does not obfuscate XML files, and Android components (Activity/ Service, etc), basically all classes which you declare in manifest.xml.

So, apart from it, you can obfuscate everything (Java/ Kotlin). But due to some dependencies, you have to tell ProGurad to not obfuscate few files too.

---

Coming to your question, below is answer

1. Model classes are those which you create to parse response JSON, or to keep the state of UI. So in the case of response-JSON, you need to understand the problem. Parsers used to match field name, and when proguard changes filed name, fields, and JSON does not match. So parsing will not work. And this is the reason people ask to keep model classes. [Note: In the case of GSON, if you are using @SerializedName] , you do not need to keep model classes.

2. No need to keep.

3. You can not obfuscate the Activity class name.

4. Because of dependencies, you need to keep some classes. So look for proguard rule in the documentation of the library you are using. Most of the library used to include if they need a proguard config.

5. First of all, if you are doing anything wrong, you will get an error while compiling or running the application. And if you want to check if your code is being obfuscated or not and how much code is being obfuscated, then you need to analyze apk.