Droidcon 2013: ProGuard, Optimizer and Obfuscator in the Android SDK (Eric Lafortune, Saikoa)

Published in: Technology, Education

  1. ProGuard
      Optimizer and Obfuscator in the Android SDK
      Eric Lafortune
      Developer of ProGuard
  2. Eric Lafortune
      ● 1991 – 1996 K.U.Leuven (Belgium), PhD Eng CompSci
      ● 1996 – 1999 Cornell University (Ithaca, NY)
      ● 1999 – 2011 Java GIS
      ● 2012 Founder Saikoa
      Maybe more importantly:
      ● 1982 TMS-9900 processor
      ● 1995 ARM2/ARM3 processor
      ● 2001 Java bytecode
      ● 2010 Dalvik bytecode
  3. ProGuard
      ● Open source
      ● Generic
      ● Shrinker
      ● Optimizer
      ● Obfuscator
      ● For Java bytecode
  4. ProGuard history
      Timeline: Java applications, applets, midlets, Android apps (2002, 2010, 2012)
      ● May 2002 First release
      ● Sep 2010 Recommended for protecting LVL
      ● Dec 2010 Part of Android SDK
      ● Jan 2012 Startup Saikoa
  5. Why use ProGuard?
      ● Application size
      ● Performance
      ● Remove logging, debugging, testing code
      ● Battery life
      ● Protection
  6. Application size

                           classes.dex size                  .apk size
                           Without    With                   Without    With
                           ProGuard   ProGuard   Reduction   ProGuard   ProGuard   Reduction
      ApiDemos             716 K      482 K      33 %        2.6 M      2.5 M      4 %
      GoogleIO App         3.4 M      905 K      75 %        1.9 M      906 K      53 %
      ApiDemos in Scala*   ~6 M       542 K      ~90 %       ~8 M       2.5 M      ~70 %

      * [Stéphane Micheloud, http://lampwww.epfl.ch/~michelou/android/library-code-shrinking.html]
  7. Performance: CaffeineMark

                       Without ProGuard   With ProGuard
      Sieve score      6833               6666
      Loop score       14831              15473
      Logic score      19038              47840
      String score     7694               7717
      Float score      6425               6488
      Method score     4850               5229
      Overall score    8794               10436

      Improvement: 18%
      [Acer Iconia Tab A500, nVidia Tegra 2, 1.0 GHz, Android 3.2.1]
  8. Battery life
      Extreme example:
      “5 x better battery life, by removing verbose logging code in a background service”
      (but don't count on it)
  9. How to enable ProGuard? [Tip]
      project.properties:

          # To enable ProGuard to shrink and obfuscate your code, uncomment this
          #proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt

      → only applied when building release versions
  10. Shrinking
      Also called tree shaking, minimizing, shrouding
  11. Shrinking
      ● Classes, fields, methods
  12. Entry points
      1) Activities, applications, services, fragments,...
      → provided automatically by Android build process

          -keep public class * extends android.app.Activity
          -keep public class * extends android.app.Application
          -keep public class * extends android.app.Service
          …

  13. Entry points [Tip]
      2) Introspection, e.g. Guice, RoboGuice
      → must be specified in proguard-project.txt:

          -keepclassmembers class * {
              @javax.inject.** <fields>;
              @com.google.inject.** <fields>;
              @roboguice.** <fields>;
              @roboguice.event.Observes <methods>;
          }

  14. Notes and warnings [Tip]
      “Closed-world assumption”

          Warning: com.dropbox.client2.DropboxAPI: can't find referenced class org.json.simple.JSONArray
          Warning: twitter4j.internal.logging.Log4JLoggerFactory: can't find referenced class org.apache.log4j.Logger
          Warning: twitter4j.internal.logging.SLF4JLoggerFactory: can't find referenced class org.slf4j.LoggerFactory
          ...

      → if debug build works fine, then ok to ignore in proguard-project.txt:

          -dontwarn twitter4j.internal.logging.**
          -dontwarn com.dropbox.client2.**

  15. Optimization
      At the bytecode instruction level:
      ● Dead code elimination
      ● Constant propagation
      ● Method inlining
      ● Class merging
      ● Remove logging code
      ● Peephole optimizations
      ● Devirtualization
      ● ...
  16. Optimization example

          int answer = computeAnswer(1, 2, 3, 7);

          int computeAnswer(int f1, int f2, int f3, int f4) {
              if (f2 == 1 && f3 == 1 && f4 == 1) {
                  return f1;
              } else {
                  return computeAnswer(f1 * f2, f3, f4, 1);
              }
          }

  17. Optimization example
      (call and recursive method as on slide 16, followed by:)

          int computeAnswer(int f1, int f2, int f3, int f4) {
              do {
                  if (f2 == 1 && f3 == 1 && f4 == 1) {
                      return f1;
                  } else {
                      f1 = f1 * f2; f2 = f3; f3 = f4; f4 = 1;
                  }
              } while (true);
          }

  18. Optimization example
      (code as on slide 17, with the argument values:)

          1 2 3 7

  19. Optimization example
      (code as on slide 17, followed by:)

          int computeAnswer() {
              return 42;
          }

  20. Optimization example
      (code as on slide 19, followed by:)

          int answer = 42;

  21. How to enable optimization? [Tip]
      project.properties:

          # To enable ProGuard to shrink and obfuscate your code, uncomment this
          proguard.config=${sdk.dir}/tools/proguard/proguard-android-optimize.txt:proguard-project.txt

  22. Remove logging code [Tip]
      Specify assumptions in proguard-project.txt:

          -assumenosideeffects class android.util.Log {
              public static boolean isLoggable(java.lang.String, int);
              public static int v(...);
              public static int i(...);
              public static int w(...);
              public static int d(...);
              public static int e(...);
              public static java.lang.String getStackTraceString(java.lang.Throwable);
          }

  23. Obfuscation
      Traditional name obfuscation:
      ● Rename identifiers: class/field/method names
      ● Remove debug information: line numbers, local variable names,...
  24. Obfuscation

          public class MyComputationClass {
              private MySettings settings;
              private MyAlgorithm algorithm;
              private int answer;

              public int computeAnswer(int input) {
                  …
                  return answer;
              }
          }

  25. Obfuscation

          public class MyComputationClass {
              private MySettings settings;
              private MyAlgorithm algorithm;
              private int answer;

              public int computeAnswer(int input) {
                  …
                  return answer;
              }
          }

      becomes:

          public class a {
              private b a;
              private c b;
              private int c;

              public int a(int a) {
                  …
                  return c;
              }
          }

  26. Complementary steps
      Optimization, Obfuscation
      Irreversibly remove information
  27. ProGuard guide – Android SDK
      developer.android.com
  28. ProGuard website
      proguard.sourceforge.net
  29. ProGuard manual [Tip]
      proguard.sourceforge.net
  30. Startup: Saikoa
      ● ProGuard
      ● ProGuard support
      ● DexGuard
  31. ProGuard - DexGuard
      ProGuard: Open source, Generic, Shrinker, Optimizer, Obfuscator, For Java bytecode
      DexGuard: Closed source, Specialized, Shrinker, Optimizer, Obfuscator, Protector, For Android
      Compatible
  32. Hacking and cracking
      ● Anti-malware research
      ● Reverse-engineering protocols, formats,...
      ● Fun
      ● Translation
      ● Game cheating
      ● Software piracy
      ● Remove ads
      ● Different ads
      ● Different market
      ● Extract assets
      ● Extract API keys
      ● Insert malware
      ● Extortion
      ● ...
  33. Solutions?
      ● Ignore it
      ● Different business model (open source, service)
      ● Regular updates
      ● Lock down device
      ● Server
      ● Remove motivations
      ● Obfuscation, application protection
  34. More application protection
      Nothing is unbreakable, but you can raise the bar:
      ● Reflection
      ● String encryption
      ● Class encryption
      ● Resource obfuscation
      ● Tamper detection
      ● Debug detection
      ● Emulator detection
      ● …
      → Automatically applied by DexGuard
  35. DexGuard strategy
      ● Tight integration
      ● Multiple layers
      ● Unique protection for every application
      ● Follow up
  36. DexGuard reactions
      “My app usually gets pirated after a few hours, but now it hasn't been pirated after several weeks, thanks to DexGuard!”
      “Installation was simple.”
      “The support is fantastic.”
      “I'm enjoying DexGuard.”
      “Support from Saikoa is awesome!”
      “You're doing an awesome job!”
  37. Saikoa website
      www.saikoa.com
  38. Questions?
      Open source, Shrinking, Optimization, Obfuscation, Java bytecode, ProGuard, Saikoa, DexGuard, Dalvik bytecode, Protection
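
Added example, not part of the talk and not ProGuard's own code: a small Python check that ties slides 9, 21 and 22 together by reading project.properties and proguard-project.txt and reporting when the log-stripping rule cannot take effect. It assumes the Ant-style layout shown on the slides and that the SDK's proguard-android.txt turns optimization off, so `-assumenosideeffects` only acts with proguard-android-optimize.txt; the function name `audit`, the finding codes and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration; not taken from the talk.
PROJECT_PROPERTIES = """\
# To enable ProGuard to shrink and obfuscate your code, uncomment this
proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
"""
PROGUARD_PROJECT = """\
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
}
-dontwarn com.dropbox.client2.**
-dontwarn **
"""
LOG_LEVELS = ("v", "d", "i", "w", "e")

def audit(project_properties, proguard_project):
    """Return sorted finding codes (hypothetical checker; codes are assumptions)."""
    active = [ln.strip() for ln in project_properties.splitlines()
              if ln.strip() and not ln.strip().startswith("#")]
    config = next((ln.split("=", 1)[1] for ln in active
                   if ln.startswith("proguard.config=")), None)
    if config is None:
        return ["proguard-disabled"]        # the line is still commented out
    base_files = {path.rsplit("/", 1)[-1] for path in config.split(":")}
    optimizing = "proguard-android-optimize.txt" in base_files
    rules = re.sub(r"#.*", "", proguard_project)   # drop rule-file comments
    findings = set()
    block = re.search(
        r"-assumenosideeffects\s+class\s+android\.util\.Log\s*\{(.*?)\}", rules, re.S)
    if block is None:
        findings.add("log-calls-kept")
    else:
        if not optimizing:
            findings.add("log-stripping-inactive")  # rule needs the optimization step
        stripped = set(re.findall(r"\bint\s+([a-z])\s*\(", block.group(1)))
        findings.update("log-%s-kept" % lv for lv in LOG_LEVELS if lv not in stripped)
    for match in re.finditer(r"^-dontwarn[ \t]*(\S*)[ \t]*$", rules, re.M):
        if match.group(1) in ("", "**"):
            findings.add("dontwarn-too-broad")      # hides every missing class
    for option in ("-dontobfuscate", "-dontshrink"):
        if re.search(r"^%s\b" % re.escape(option), rules, re.M):
            findings.add(option.lstrip("-"))
    return sorted(findings)
```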
