Does proguard work to obfuscate static string constants?


Solution 1

ProGuard doesn't obfuscate string constants, as mentioned in its FAQ. Its more recent specialized closed-source sibling for Android, DexGuard, provides additional application protection techniques, like string encryption and class encryption.

(I am the developer of ProGuard and DexGuard)

Solution 2

No, ProGuard doesn't encrypt string constants (ProGuard FAQ link).

But there are some commercial products which will help you with that. I would recommend the Stringer Java Obfuscator because it has the check call context and integrity controls features which makes reverse engineering as hard as possible. IMHO Stringer is the best string encryptor for Java and Android on the market today.

Also see Allatori Java Obfuscator.

N.B. I'm CEO at Licel LLC. Developer of Stringer Java Obfuscator.

Solution 3

What ProGuard does (if configured correctly to do so) is in-line string constants. It wouldn't make much sense to obfuscate them, think of it, a string constant could be used for representing a message to the user, and what good would it do if it were obfuscated?

Solution 4

Based on my reading of the obfuscation options in the manual, the answer is No.

String literal obfuscation is theoretically possible, but it would be necessary to use a special classloader that de-obfuscated the String literals as they are read from the class file. This would be tricky. On top of that it doesn't achieve much, since someone can easily recover the original strings by running your application with a Java debugger attached.
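
The runtime-decoding approach discussed on this page, as an added example that is not code from any of the answers or from ProGuard, DexGuard, Stringer or Zelix KlassMaster: the literal is replaced by scrambled bytes plus a decoder method that ships in the same class. The class name, key and XOR scheme are assumptions chosen for illustration; `MYCONS` and "no session" are borrowed from a comment below.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class StringHidingDemo {
    // Hypothetical key; whatever scheme is used, the key has to ship inside the class.
    private static final byte KEY = 0x5A;

    // Build-time step (run by the obfuscator or a build script, never shipped).
    static byte[] scramble(String plain) {
        return xor(plain.getBytes(StandardCharsets.UTF_8));
    }

    // Runtime step: the decoder function inserted into the shipped class.
    static String unscramble(byte[] hidden) {
        return new String(xor(hidden), StandardCharsets.UTF_8);
    }

    // XOR with a position-dependent key byte; applying it twice restores the input.
    private static byte[] xor(byte[] in) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] ^ KEY ^ i);
        }
        return out;
    }

    // Constructed sample: scramble("no session") precomputed, so this field
    // contributes no readable string literal to the class's constant pool.
    private static final byte[] HIDDEN = {
        0x34, 0x34, 0x78, 0x2A, 0x3B, 0x2C, 0x2F, 0x34, 0x3D, 0x3D
    };

    // Initialised by a method call, so this is not a compile-time constant and
    // javac does not copy its value into classes that reference it.
    public static final String MYCONS = unscramble(HIDDEN);

    public static void main(String[] args) {
        // Demo-only check (a shipped class would not contain this literal):
        // the build-time output matches the bytes embedded above.
        System.out.println(Arrays.equals(scramble("no session"), HIDDEN));
        // Anyone holding the class can call the shipped decoder, or read the
        // field in a debugger, and get the plaintext back.
        System.out.println(MYCONS);
    }
}
```

Running `main` prints `true` and then `no session`: the string is hidden from a plain scan of the class file, but the key and decoder travel with it, so values that must stay secret do not belong in the code at all.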


Author: Code Droid
Updated on July 09, 2022

Comments

  • Code Droid
    Code Droid almost 2 years

    Will proguard work to obfuscate static string constants?

    • Oleksii K.
      Oleksii K. about 9 years
      Here is sample of simple string hiding using build.gradle file: gist.github.com/shomeser/68f4fe360be0edac95e4
    • Harmeet Singh
      Harmeet Singh about 8 years
      @OleksiiKropachov I think above comment should be posted as an Answer, coz it is of help.
    • Anuj Jindal
      Anuj Jindal almost 8 years
      ProGuard doesn't obfuscate static strings
    • auspicious99
      auspicious99 about 4 years
      @OleksiiK. the gist.github.com URL has changed?
    • Oleksii K.
      Oleksii K. about 4 years
      @auspicious99 GitHub nickname was changed: gist.github.com/ok3141/68f4fe360be0edac95e4
    • auspicious99
      auspicious99 about 4 years
      @OleksiiK. Thank you, it is a good idea!
  • Antimony
    Antimony over 11 years
    You don't have to use a custom classloader, you can just insert functions into the class to unscramble the strings at runtime. That's what Zelix Klassmater does. Of course it's easy to bypass if you know what you're doing, but obfuscation is only good for deterring the casual user anyway.
  • Syntax
    Syntax almost 11 years
    +1 DexGuard is the commercial product for protecting strings in your application. Personally I use a bitshift operation, but wouldn't advocate that for values that MUST stand up to an attacker.
  • Antimony
    Antimony almost 11 years
    @Syntax I wouldn't advocate obfuscation at all for something that must stand up to an attacker. Those strings shouldn't even be in your code if they're that important. I have yet to see a Java obfuscator where the string encryption isn't easy to break, and I've looked at quite a few.
  • Syntax
    Syntax almost 11 years
    As I said :P I would NOT advocate use of obfuscation for anything which hackers must not be allowed to access. I bitshift my public key for the Android billing API and am not too concerned if people break the obfuscation and have access to it.
  • Ed_
    Ed_ over 9 years
    What can be done to avoid the explicit strings all over the classes instead of only being "translated" where they were defined? I mean: class A defines public static String MYCONS="no session" but this is actually what you see in class B instead of someView.setText(A.MYCONS)
  • sarah.ferguson
    sarah.ferguson over 8 years
    Proguard is used to make compiled code difficult to read and understand, if each point of a method shows plaintext user messages to the user I think each line of code becomes quite easy to be understood. If in cases like mine where I log.debug("fun()") the start of each method is shown in the compiled code the stripping of method names is quite useless! So it's a big problem...
  • sarah.ferguson
    sarah.ferguson over 8 years
    Stringer Java Obfuscator is non free
  • Matt Gibson
    Matt Gibson about 8 years
    @sarah.ferguson You can configure ProGuard to strip out the log calls, too.
  • Sipty
    Sipty about 8 years
    @sarah.ferguson A commercial product is inherently not free, yes.
  • Muhammad Younas
    Muhammad Younas over 6 years
    ProGuard is very time consuming. Is there any way that, without building an APK, we can run the app and see the errors? I am facing that problem: it's working in build apk and nothing works in release apk, so I do not know how to catch the error.