How to obfuscate an Android library (.jar file) using Proguard in Eclipse

Solution 1:

as suggested in the comments to one of the answers above (but which i didn't notice at first because it was buried amongst one of the "additional comments") …

we simply run progruard on the command line (see the first block below) on the library outside of eclipse with the parameters in the second block below in our our proguard.cfg file (and definitely do not use -dontpreverify, or projects that use your project as an android library won't be able to properly be obfuscated due to StackMapTable problems from your project.jar).

command line:

$ java -jar $ANDROID_SDK/tools/proguard/lib/proguard.jar \
  -libraryjars $ANDROID_SDK/platforms/android-18/android.jar @proguard.cfg
  -outjars /tmp/project.jar -verbose

proguard.cfg:

-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontwarn our.company.project.R*
-injars bin/project.jar
-verbose
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*

-keep class org.apache.3rdparty.stuff.**
-keep public class our.company.project.ProjectAPI
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends android.app.backup.BackupAgentHelper
-keep public class * extends android.preference.Preference

-keepclassmembers public class our.company.project.ProjectAPI {
    public static <fields>;
}

-keepclasseswithmembernames class * {
    native <methods>;
}

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet, int);
}

-keepclassmembers class * extends android.app.Activity {
    public void *(android.view.View);
}

-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

-keep class * implements android.os.Parcelable {
    public static final android.os.Parcelable$Creator *;
}

it's possible not all of the parameters and -keep items are strictly necessary (other than not using -dontpreverify as previously mentioned), but most of these make sense to me as items that need to be there if you have an Activity class extension in the library you are exporting.

Solution 2:

I use an indirect way to generate a exported android obfuscate jar, my way is:

  1. export a signed apk use eclipse

  2. unzip the apk, find the classes.dex

  3. use dex2jar.bat ,change the classes.dex to a jar

  4. unzip the jar and delete the class you do not need,then zip it and change the file name to XXX.jar

  5. Then you use this jar in other project,or give it to customer, it is obfuscate!

I am sure this will help you! Enjoy it!

Solution 3:

java -jar proguard.jar @yourconfig.pro

yourconfig.pro (extended from http://proguard.sourceforge.net/index.html#manual/examples.html):

-injars yourjar.jar
-outjars yourjar_out.jar

-libraryjars 'C:\android\sdk\platforms\android-10\android.jar'

-printmapping mapping.txt
-verbose
-dontoptimize
-dontpreverify
-dontshrink
-dontskipnonpubliclibraryclassmembers
-dontusemixedcaseclassnames
-keepparameternames
-renamesourcefileattribute SourceFile
-keepattributes Exceptions,InnerClasses,Signature,Deprecated,
                SourceFile,LineNumberTable,*Annotation*,EnclosingMethod

-keep public class * {
    public protected *;
}

-keepclassmembernames class * {
    java.lang.Class class$(java.lang.String);
    java.lang.Class class$(java.lang.String, boolean);
}

-keepclasseswithmembernames class * {
    native <methods>;
}

-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private static final java.io.ObjectStreamField[] serialPersistentFields;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}

Result can be verified with jd-gui

Solution 4:

The way to invoke ProGuard is fairly straightforward:

  1. Add the line proguard.config=proguard.cfg to project.properties
  2. Export the application package

A default proguard.cfg file should have been automatically created by the new project wizard.

Solution 5:

Do not obfuscated your pure Java Jar. Skip that phase completely while producing the Jar (whether manually in Eclipse or via Ant build from command line).

Instead, setup and perform proper obfuscation in the client project, the one using the Jar, where you add the library as external Jar. Proguard will be able to obfuscate code within the Jar too.

I stumbled upon this issue, and ended up successfully as I described here.