Application is not obfuscated
 |
LOW | ||
| Detection method | SAST APK |
Description
The source code of the application is not obfuscated or is obfuscated with insufficient coverage.
Weak or no obfuscation of the application leads to easier examination of the code after decompilation. This allows an attacker to easily analyze the application code to find vulnerabilities or ways to bypass security.
Recommendations
Before publishing an application, make sure that rules for obfuscation are enabled in the release version of the application and that they are configured properly.
One common solution is to use the ProGuard built-in obfuscator rules to automatically enable/disable obfuscation depending on the build type (release/debug).
An example of ProGuard settings:
optimizationpasses 5 -dontusemixedcaseclassnames -dontskipnonpubliclibraryclasses -dontskipnonpubliclibraryclassmembers
-dontpreverify -verbose -dump class_files.txt -printseeds seeds.txt -printusage unused.txt -printmapping mapping.txt
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/* -allowaccessmodification
-keepattributes *Annotation* -renamesourcefileattribute SourceFile -keepattributes SourceFile,LineNumberTableEnabling the use of ProGuard for the release build of an application:
buildTypes { ... release { minifyEnabled true proguardFiles 'proguard-rules.pro', getDefaultProguardFile('proguard-android.txt') } }It is also good practice to obfuscate the open source libraries used in the project. Recently, more and more libraries are distributed with ready-made configuration files for obfuscation. ProGuard knows how to look inside the archive, find the library configuration files and add it to the rest of the options. Check every library you use for such a file.
If the authors of the library do not pack the config file in the archive, maybe they took care and wrote the rules on their website, the repository page or in the README file. Try to find the config file for the version of the library you are using yourself.
Links
1. https://habr.com/ru/post/415499/
2. https://developer.android.com/studio/build/shrink-code
3. https://www.guardsquare.com/en/products/proguard/manual/examples