Secure and Optimize Your Android App With R8 and Proguard

Tochukwu Munonye
4 min read · Jan 14, 2021

Before you publish your app on the Play Store, it is very useful to know about R8 and ProGuard. There isn’t much difference between R8 and ProGuard; they are both tools to optimize your app before releasing it.

R8 optimizes your app in the following ways:

  • Code obfuscation: It shortens the names of classes and members into unreadable names, which acts as a security measure in case someone tries to reverse engineer your app.
  • Removes unused resources from your packaged app, including unused resources in your app’s library dependencies.
  • Inspects and rewrites your code to further reduce the size of your app’s DEX files. For example, if R8 detects that the else {} branch for a given if/else statement is never taken, R8 removes the code for the else {} branch.
  • Detects and safely removes unused classes, fields, methods, and attributes from your app and its library dependencies.

Now we head over to Android Studio –> build.gradle file. The Gradle options we define in the “release” block inside the “buildTypes” block are applied only to the release build of our app, the one we’ll upload to the Play Store. Setting `minifyEnabled` to true means it will optimize the code, remove unused try-catch statements, unused libraries and unused functions, and obfuscate the code. We can also set `shrinkResources` to true, which removes unused resources, as the name implies.

In proguard-rules.pro we can declare the rules for ProGuard. Here we can declare the classes we don’t want to obfuscate or optimize. It is important not to obfuscate everything. For example, if we have a network model class and we define some data classes to parse JSON into, we shouldn’t obfuscate these classes, because the field names of the JSON response must be the same as the field names of the data class. Obfuscation renames the fields, and Android Studio won’t know which fields from the JSON response it should pass into which fields of the data class.

So, for example, we will create a data class. First select “Sync Now”, then create a package and a data class.

We can declare the class as one we don’t want to obfuscate. This can be done in two ways:

  1. Add the @Keep annotation, which tells ProGuard not to obfuscate the class.
  2. Use proguard-rules.pro directly. The “*” is optional; if used, it keeps all the packages inside the bracket from being obfuscated. With curly brackets you can also declare the functions you don’t want to obfuscate. Curly brackets with “*” save all functions from obfuscation.

In case your released app ever crashes and users submit crash reports, those crash reports will contain the obfuscated code. So that you can understand your own release code, R8 generates a mapping file that records which classes and fields were renamed to what. If you upload this file alongside your Android bundle to Google Play, the Play Store will automatically translate the error message from the user into a readable error message for you. You can find the mapping file if you go to project –> app –> build –> output –> mapping. Inside the mapping.txt file you will see all the classes and how they were renamed.
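One way to check both the keep rules and the mapping file described above, as an added example that is not part of the original article: this Python script parses a mapping.txt, lists the classes and fields that kept their original names (so you can confirm the JSON model class is exempt and nothing else is), and maps an obfuscated class name from a crash report back to the original. The package names, class names and mapping content are constructed for illustration.

```python
import re

# Constructed sample in the mapping.txt layout R8/ProGuard emit:
# "original.Class -> renamed.Class:" followed by indented member lines.
SAMPLE_MAPPING = """\
# compiler: R8
com.example.app.model.User -> com.example.app.model.User:
    java.lang.String name -> name
    int age -> age
    1:3:void <init>(java.lang.String,int):5:7 -> <init>
com.example.app.net.ApiClient -> a.a:
    java.lang.String baseUrl -> a
    4:9:com.example.app.model.User fetchUser(int):21:26 -> b
com.example.app.util.Formatter -> a.b:
    java.lang.String pattern -> a
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Optional "start:end:" range, type, name, optional (args), optional ":line[:line]", renamed
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?(\S+) ([^\s(:]+)(\([^)]*\))?(?::\d+(?::\d+)?)? -> (\S+)$"
)

def parse_mapping(text):
    """Return {original_class: {"renamed": str, "members": [(orig, renamed, is_method)]}}."""
    classes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and header comments
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(1), {"renamed": m.group(2), "members": []})
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current["members"].append((m.group(2), m.group(4), m.group(3) is not None))
    return classes

def kept_names(classes):
    """Classes and fields whose name is unchanged, i.e. exempted by a keep rule."""
    kept_classes = sorted(c for c, v in classes.items() if v["renamed"] == c)
    kept_fields = sorted(f"{c}.{o}" for c, v in classes.items()
                         for o, r, is_method in v["members"] if not is_method and o == r)
    return kept_classes, kept_fields

def deobfuscate_class(classes, renamed):
    """Map an obfuscated class name from a crash report back to the original."""
    return next((c for c, v in classes.items() if v["renamed"] == renamed), None)
```

Run `kept_names(parse_mapping(open(path).read()))` against a release build's mapping.txt and review the result: an unexpectedly long list of kept classes usually means a keep rule is broader than intended.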

Happy coding guys!
