Concept
SDK archives (AAR) contain native libs and JVM code packaged under 2 sub-packages, impl and sdk:
The sdk package contains all public classes and interfaces to be used by the final app.
The impl package contains all internal class implementation and is not visible outside the SDK.
When building an SDK, obfuscation is only applied on the impl elements, which are repackaged in a flat structure. The sdk classes, though, are kept clear to be used by applications.
Recommendations
When building an application one should apply obfuscation (using a tool such as ProGuard) with a provided configuration. The sdk sub-package can now be obfuscated and all classes will be put in a flat package as well.
The impl package should not be re-obfuscated because it contains static obfuscation used by native libs.
The result of this two-step obfuscation is thousands of classes (SDK, client app, dependencies) stored in the same bag, which makes it very hard to retrieve sensitive code.
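One way to check the outcome of the application build against the recommendations above is to audit the ProGuard mapping file. This is an added example, not tooling from the SDK or its vendor: the prefixes com.vendor.impl. and com.vendor.sdk. and the sample mapping are hypothetical, and it assumes the standard mapping.txt layout of "original -> obfuscated:" class lines.

```python
import re

# Constructed sample in ProGuard mapping.txt layout (not from a real build).
SAMPLE_MAPPING = """\
# constructed sample
com.vendor.sdk.Client -> a:
    void connect() -> a
com.vendor.sdk.Session -> com.vendor.sdk.Session:
com.vendor.impl.a -> com.vendor.impl.a:
    void b() -> b
com.vendor.impl.c -> b:
com.app.MainActivity -> com.app.MainActivity:
com.app.net.Api -> c.d:
"""

# Class entries start in column 0 and end with ':'; member entries are indented.
CLASS_LINE = re.compile(r"^(\S+) -> (\S+):$")


def audit_mapping(text, impl_prefix, sdk_prefix):
    """Return the deviations from the two-step obfuscation scheme.

    impl_renamed: impl classes the app build renamed again (native libs
                  rely on the names fixed when the SDK was built).
    sdk_clear:    sdk classes that kept their readable names.
    packages:     target packages of renamed classes; one entry means flat.
    """
    impl_renamed, sdk_clear, packages = [], [], set()
    for line in text.splitlines():
        match = CLASS_LINE.match(line)
        if not match:
            continue  # comment, blank line or member mapping
        original, renamed = match.groups()
        if original.startswith(impl_prefix):
            if renamed != original:
                impl_renamed.append(original)
        elif renamed == original:
            if original.startswith(sdk_prefix):
                sdk_clear.append(original)
        else:
            packages.add(renamed.rpartition(".")[0])
    return {"impl_renamed": impl_renamed, "sdk_clear": sdk_clear,
            "packages": sorted(packages)}


if __name__ == "__main__":
    for key, value in audit_mapping(
            SAMPLE_MAPPING, "com.vendor.impl.", "com.vendor.sdk.").items():
        print(key, value)
```

An empty impl_renamed list, an empty sdk_clear list and a single entry in packages correspond to the state the recommendations describe.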