Google recommends and packs in ProGuard for code obfuscation. However the default configuration that it comes with seems minimal and one can reverse engineer to certain extent. Most people looking to reverse engineer are not really looking for detail code, but may be extract the logic. Are there any guidelines so as to configure ProGuard more efficiently ?(Something to the extent Javascript is minimized would be good.)
Secondly, there are tools like apktool that enable extracting the Manifest as well as the resource files. And there is no level of obfuscation in them. These can certainly reveal few things. Are there any ways to avoid this from happening ?
For the first part, I suggest you to check this question: Android Game Keeps Getting Hacked . It does not address directly ProGuard, but it does give you some ideas on how to reduce pirating.
For the second part, I'm afraid no, it's not really possible, since those are plain xml files. What you can do is to reduce the use of resources and create the logic directly in java. That will reduce the exposure of your code in three ways:
(1) the obvious, it shows less easy-to-read xml code
(2) it creates much longer smali files, which are not easy to follow to begin with: consider that the variables in the smali file do not have names, but numbers, and are reused several times, thus making them even harder to understand. V1 can be a TextView first, and then an int, and then a private static method.
(3) it reduces the use of hex IDs that are very easily searchable on the smali file using the table from public.xml.
When I was porting the TouchWiz framework to some custom ROMs, I even made a small java app to automate the ID recognition (the xda-developers post is here), so you can imagin how easy is to follow them.
You can now use a new gradle plugin + library to effectively obfuscate Strings in a class, Please check it here
https://github.com/MichaelRocks/paranoid
Also now there is a new plugin which can obfuscate resources also, please check it below
https://github.com/shwenzhang/AndResGuard
And help share this great information, so more developers can use it and thus more and more developers will contribute for further development of these plugins, and thus we can collectively improve these plugins.
来源:https://stackoverflow.com/questions/5666174/android-obfuscation-for-code-as-well-as-resources