Does proguard work to obfuscate static string constants?

ProGuard doesn't obfuscate string constants, as mentioned in its FAQ. Its more recent specialized closed-source sibling for Android, DexGuard, provides additional application protection techniques, like string encryption and class encryption.

(I am the developer of ProGuard and DexGuard)


No, ProGuard doesn't encrypt strings constants (Proguard FAQ Link)

But there are some commercial products which will help you with that. I would recommend the Stringer Java Obfuscator because it has the check call context and integrity controls features which makes reverse engineering as hard as possible. IMHO Stringer is the best string encryptor for Java and Android on the market today.

Also see Allatori Java Obfuscator.

N.B. I'm CEO at Licel LLC. Developer of Stringer Java Obfuscator.


What ProGuard does (if configured correctly to do so) is in-line string constants. It wouldn't make much sense to obfuscate them, think of it, a string constant could be used for representing a message to the user, and what good would it do if it were obfuscated?


Based on my reading of the obfuscation options in the manual, the answer is No.

String literal obfuscation is theoretically possible, but it would be necessary to use a special classloader that de-obfuscated the String literals as they are read from the class file. This would be tricky. On top of that it doesn't achieve much, since someone can easily recover the original strings by running your application with a Java debugger attached.