Android Confusion Summary (I)

Keywords: Android Java JSON OkHttp

Preface

For a while, my heart grew grassy again. I couldn't keep quiet. I was confused again. In this season of job-hopping, I still feel that I should calm down to learn more. Or write a blog, summarize and sort out the weeds in your heart.

Last month, I talked with my friends about this problem: "It's very difficult to collect abnormal information because of code confusion after the project goes online." Just recently, I reviewed the knowledge of confusion. While summarizing the confused knowledge points, I also discussed and summarized the problem. It is inevitable for the project to go online to confuse, package, sign and release the project, and possibly APK reinforcement. In fact, the process is not complicated, there is a clear process, so it is not very difficult to integrate. The above mentioned problem of "confusion leads to difficulty in checking abnormal information on line", which has been discussed in recent days, is intended to be recorded in the next article, so let's start talking about this article first!

I. summary

Confused concept: When packaging an Android project, you can change the package name, class name and variable name in the project, making the code not easy to leak, similar to encrypting the file in its apk.

The role of confusion:

  • 1. Increase the difficulty of code leakage after decompilation of Apk
  • 2. The volume of the generated apk will be reduced

What is confusion?

Android SDK itself provides obfuscation. When the obfuscation switch is turned on, developers need to configure the proguard-rules.pro file in the Android Studio project to confuse the whitelist.

So what is a confusing white list? In fact, specifying some package names, class names, variables and so on can not be confused. Assuming that a class name is confused without specifying a whitelist, it may not be found by other classes that refer to or use this class, which may cause the application to crash or render the corresponding functions unusable.

So the so-called confusion is to configure confusion whitelist, so let's look at the internal structure of the apk after confusion. We can see that the part circled by the red circle is confused, and some part is not confused, such as the black circle out of the attribute animation compatibility library nineold androids, whose package name class name has not become a substitute for abc.

Above I use APK reverse assistant to decompile the apk. There are many decompilation tools on the market, which can be searched by Google.

supplement

The obfuscated knowledge points recorded in this article are mainly based on Android Studio development tools.

II. Beginning to Confuse

1. Turn on the confusion switch

The confusion switch is in the project / app/build.gradle file. Look at the screenshot below. Setting minifyEnabled to true is to turn on confusion. The following configuration code can be written directly under the android node of the build.gradle file.

Code obfuscation is usually configurable only when the apk package is on-line. What if you forget to configure the code? Go directly to Project Structrue and set it up according to the screenshot below. In this way, as long as you type release package, you can open confusion and pack it.

2. Setting up a white list of confusion

In the project created by Android Studio, there is a file named "proguard-rules.pro" and the path is "project/app/proguard-rules.pro". Before editing, there is only some annotated code, as shown below.

Then how to write the confusion whitelist? If Google searches, there will be a lot of templates on blogs that can be copied and applied. The following figure, then you can refer to. The third part of the following lists the commonly used confusion instructions and corresponding annotations, which are basically commonly used. If there are omissions, you can search by yourself.

III. Actual confusion instructions

In applications, most of the obfuscation instructions have been determined, such as the following basic instructions, which need not be modified at all. Other obfuscation instructions, such as the third party's SDK/framework obfuscation instructions, are generally found in their official documents, so it is relatively convenient. Here's a summary of the obfuscation instructions categorized in these days.

Basic Directives:

    # Set the confused compression ratio 0 - 7
    -optimizationpasses 5
    # Confusing the latter class names with lowercase AaA
    -dontusemixedcaseclassnames
    # Specify classes that do not ignore non-public Libraries
    -dontskipnonpubliclibraryclasses
    #Operation without pre-verification
    -dontpreverify
    # Doesn't log when confused
    -verbose
    # The algorithm used for obfuscation.
    -optimizations !code/simplification/arithmetic,!field/*,!class/merging/*
    #Keep the line number of the code to facilitate the tracing of exception information
    -keepattributes SourceFile,LineNumberTable

    #The dump file lists the internal structure of all class es in the apk package
    -dump class_files.txt        
    #seeds.txt file lists unambiguous classes and members
    -printseeds seeds.txt
    #The usage.txt file lists the code deleted from the apk
    -printusage unused.txt
    #The mapping file lists the mappings before and after obfuscation
    -printmapping mapping.txt

To avoid confusing Android basic components, here are the rules for high compatibility:

-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends android.app.backup.BackupAgentHelper
-keep public class * extends android.preference.Preference
-keep public class com.android.vending.licensing.ILicensingService

#No error warning for V4 package
-dontwarn android.support.v4.**
#Keep the classes of the following V4 compatible packages unambiguous
-keep class android.support.v4.**{*;}

Avoiding confusion about all native s involves C, C++.

-keepclasseswithmembernames class * {
        native <methods>;
}

Avoid confusing get/set methods and constructors for custom control classes

-keep public class * extends android.view.View{
        *** get*();
        void set*(***);
        public <init>(android.content.Context);
        public <init>(android.content.Context,
                                    android.util.AttributeSet);
        public <init>(android.content.Context,
                                    android.util.AttributeSet,int);
}

Avoid confusing enumeration classes

    -keepclassmembers enum * {
        public static **[] values();
        public static ** valueOf(java.lang.String);
}

Avoid confusion about serialized classes

    #Not confusing Parcelable with its implementation subclasses, and Creator member variables
    -keep class * implements android.os.Parcelable {
      public static final android.os.Parcelable$Creator *;
    }

    #Don't confuse Serializable with its implementation subclass, its member variables
    -keepclassmembers class * implements java.io.Serializable {
        static final long serialVersionUID;
        private static final java.io.ObjectStreamField[] serialPersistentFields;
        private void writeObject(java.io.ObjectOutputStream);
        private void readObject(java.io.ObjectInputStream);
        java.lang.Object writeReplace();
        java.lang.Object readResolve();
    }

Avoid confusing constructors of JSON classes

    #When using GSON, fast JSON and other frameworks, the JSON object classes written are not confused, otherwise JSON can not be parsed into corresponding objects.
    -keepclassmembers class * {
        public <init>(org.json.JSONObject);
    }

Avoid confusion with third-party SDK

    # ================== Ring letter confusion start=================
    -keep class com.hyphenate.** {*;}
    -dontwarn  com.hyphenate.**
    # ================== ENVIRONMENT end======================

    # ==================bugly start==================
    -dontwarn com.tencent.bugly.**
    -keep public interface com.tencent.**
    -keep public class com.tencent.** {*;}
    -keep public class com.tencent.bugly.**{*;}
    # ==================bugly end====================

    # =============== Baidu Location start====================
    -keep class vi.com.gdi.** { *; }
    -keep public class com.baidu.** {*;}
    -keep public class com.mobclick.** {*;}
    -dontwarn com.baidu.mapapi.utils.*
    -dontwarn com.baidu.platform.comapi.b.*
    -dontwarn com.baidu.platform.comapi.map.*
    # =============== Baidu Location end======================

    //Note: Confused instructions from other third party packages can be copied to their official documents.

Avoiding confusion with third-party frameworks

    # ================== picasso framework start===============
    -keep class com.parse.*{ *; }
    -dontwarn com.parse.**
    -dontwarn com.squareup.picasso.**
    -keepclasseswithmembernames class * {
        native <methods>;
    }
    # ==================picasso end====================

    # ==================EventBus start=================
    -keep class org.greenrobot.** {*;}
    -keep class de.greenrobot.** {*;}
    -keepclassmembers class ** {
        public void onEvent*(**);
        void onEvent*(**);
    }
    # ==================EventBus end===================

    # ==================okhttp start===================
    -dontwarn com.squareup.okhttp.**
    -keep class com.squareup.okhttp.** { *;}
    -dontwarn okio.**
    -keep class okio.**{*;}
    -keep interface okio.**{*;}
    # ==================okhttp end=====================

    //Note: Confused instructions from other frameworks can be copied to their official documents.   

Other obfuscation instructions

    #Avoid confusing attribute animation compatibility Library
    -dontwarn com.nineoldandroids.*
    -keep class com.nineoldandroids.** { *;}    

    #Unconfused generics
    -keepattributes Signature

    #Avoid confusing annotation classes
    -dontwarn android.annotation
    -keepattributes *Annotation*

    #Avoid confusing internal classes
    -keepattributes InnerClasses

    #Avoid confusing entity classes and modify them to your corresponding package names
    -keep class com.wyk.test.bean.** { *; }
    -keep class com.wyk.test.event.** { *; }
    -keep public class com.wyk.test.utils.eventbus.** { *;}

    #Avoid confusion about Rxjava/RxAndroid
    -dontwarn sun.misc.**
    -keepclassmembers class rx.internal.util.unsafe.*ArrayQueue*Field* {
     long producerIndex;
     long consumerIndex;
    }
    -keepclassmembers class rx.internal.util.unsafe.BaseLinkedQueueProducerNodeRef {
     rx.internal.util.atomic.LinkedQueueNode producerNode;
    }
    -keepclassmembers class rx.internal.util.unsafe.BaseLinkedQueueConsumerNodeRef {
     rx.internal.util.atomic.LinkedQueueNode consumerNode;
    }

#Avoid confusing js-related interfaces
-keepattributes *JavascriptInterface*
-keep class com.wyk.test.js.** { *; }

IV. Points for Attention in Confusion Configuration

1. Assume that when the configuration "-libraryjars libs/jpush-android-2.1.6.jar" whitelists the jar package, if gradle reports an error, you can consider annotating such configuration information (format: -libraryjars [jar package name]). Replace it with the following configuration information

 -dontwarn cn.jpush.**
 -keep class cn.jpush.** { *; }

2. Following is the confusing whitelist configuration information of the attribute animation compatible library. At first, it was thought that the class under com.nineold and ROIDS package was not confused. Later, after decompiling the confused apk package, it was found that the effect was "not to confuse the classes under the class com.nineold androids package, subpackages and subpackages, nor the member variables of the classes.

-keep class com.nineoldandroids.** { *;}       

V. other.

1. Confusing and Applying Templates

Personally, I think the blog links below are very good, so I can refer to them.

Reference blog: Five minutes to clear up android confusion

2. Resource confusion

Proguard obfuscation is only for code obfuscation. After decompression, the apk package can still see the project's resource files and their names, such as layout, logo pictures and so on. At this time, you can choose to confuse the resource files. The following two links are related blog posts of Tencent's resource obfuscation tool, which can be referred to.

Blog posts related to resource obfuscation tools

http://bugly.qq.com/bbs/forum.php?mod=viewthread&tid=42
https://github.com/shwenzhang/AndResGuard/blob/master/README.zh-cn.md

3. reinforcement

In order to make the apk more difficult to crack and reinforce after confusion, there are many kinds of reinforcement technologies on the market nowadays, such as 360 reinforcement, love encryption reinforcement, Bangbang reinforcement and so on, which can be chosen by oneself. The reinforcement technology is equivalent to adding an additional shell to the apk package, and the corresponding volume will also increase, about 1M~2M, if needed, it can be searched and added by oneself. It's still quite simple.

4. Reference Links

http://blog.csdn.net/maxwell_nc/article/details/51998766
http://blog.csdn.net/chen930724/article/details/49687067
http://blog.csdn.net/lovexjyong/article/details/24652085
http://www.jianshu.com/p/f3455ecaa56e

5. Sleep ing~~~

Posted by peter.t on Fri, 12 Apr 2019 03:21:32 -0700