Amadis

Security Guidance - Application obfuscation

Concept

SDK archives (AAR) contain the native libraries and the JVM code, packaged under two sub-packages, impl and sdk:

  • The sdk package contains all public classes and interfaces to be used by the final app.

  • The impl package contains all internal class implementations and is not visible outside the SDK.


When building an SDK, obfuscation is applied only to the impl elements, which are repackaged in a flat structure. The sdk classes are left in clear so that applications can use them.

Recommendations

When building an application, apply obfuscation (with a tool such as ProGuard) using the configuration provided with the SDK. At this stage the sdk sub-package can be obfuscated as well, and all of its classes are likewise moved into a flat package.

The impl package must not be obfuscated a second time: its class and member names were fixed by the SDK's own obfuscation pass and are referenced by the native libraries, so renaming them again would break that linkage.

The result of this two-step obfuscation is thousands of classes (SDK, client app, dependencies) mixed in the same flat package, which makes the sensitive code much harder to locate.

ProGuard

If you use ProGuard as your code obfuscation / protection tool, the following rules should help you get started:

  # Rules
  -keepattributes SourceFile,LineNumberTable
  -keepattributes InnerClasses,Signature
  -keepattributes *Annotation*
  -keepattributes Exceptions

  # Android
  -keep class androidx.**
  -keep class com.google.android.gms.** { *; }

  # Agnos
  -keep,includedescriptorclasses class ca.amadis.agnos.impl.** { *; }
  -keep class ca.amadis.agnos.sdk.** { *; }

  # Secure client
  -keep class ca.amadis.secclt.impl.** { *; }

These are only default settings that make sure your application runs smoothly. They can certainly be refined to reach a higher level of security.
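A post-build check of the two-step scheme above, as an added example that is not part of Amadis' guidance: it reads the mapping file ProGuard/R8 writes (assumed format: a class line "original -> renamed:" followed by indented member lines) and verifies that nothing under ca.amadis.agnos.impl was renamed by the application build, while reporting how much of the app's own code stayed in clear. The mapping text, the com.example.app package and the mapping.txt path are constructed for the example.

```shell
# Constructed sample mapping.txt (not from a real build). Kept classes map to
# themselves; obfuscated classes receive a short new name.
MAPPING_SAMPLE='ca.amadis.agnos.impl.a -> ca.amadis.agnos.impl.a:
    int count -> count
ca.amadis.agnos.sdk.AgnosKernel -> ca.amadis.agnos.sdk.AgnosKernel:
    void start() -> start
com.example.app.PaymentFlow -> a.b.c:
    void run() -> a
com.example.app.MainActivity -> com.example.app.MainActivity:'

# Emit only class-level lines as "original -> renamed" (trailing colon stripped).
class_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]' | sed 's/:$//'
}

# Count classes under package prefix $2 whose name changed (were obfuscated).
count_renamed() {
    class_lines "$1" | awk -v p="$2" 'index($1, p) == 1 && $1 != $3 { n++ } END { print n + 0 }'
}

# Count classes under package prefix $2 that kept their original name.
count_kept() {
    class_lines "$1" | awk -v p="$2" 'index($1, p) == 1 && $1 == $3 { n++ } END { print n + 0 }'
}

# Invariant from the guidance: the app build must not rename anything under
# impl, because the native libraries reference those (already obfuscated) names.
impl_intact() {
    [ "$(count_renamed "$1" ca.amadis.agnos.impl.)" -eq 0 ]
}

# Per-package summary; a high kept count for app code is a hint to refine the rules.
report() {
    for pkg in ca.amadis.agnos.impl. ca.amadis.agnos.sdk. com.example.app.; do
        printf '%-24s renamed=%s kept=%s\n' "$pkg" \
            "$(count_renamed "$1" "$pkg")" "$(count_kept "$1" "$pkg")"
    done
    impl_intact "$1" && echo "impl package intact" || echo "WARNING: impl classes were renamed"
}

# On a real build (typical Gradle output path, assumed):
#   report "$(cat app/build/outputs/mapping/release/mapping.txt)"
report "$MAPPING_SAMPLE"
```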