I want to generate signed APK in Android Studio and it offers me an option to run ProGuard. It asks me to give config file path, but I don’t have config file. How to create one? Should I use ProGuard at all?
Can you and is it easy to unpack APK file which don’t use ProGuard?
Thank you for your answers, but I can’t find proguard.cfg file anywhere. Only properties file I have in root directory of the project is local.properties file and when I open it in Android Studio I got this:
# This file is automatically generated by Android Studio. # Do not modify this file -- YOUR CHANGES WILL BE ERASED! # # This file must *NOT* be checked into Version Control Systems, # as it contains information specific to your local configuration. # Location of the SDK. This is only used by Gradle. # For customization when using a Version Control System, please read the # header note. sdk.dir=C:/.../...
It is quite easy to reverse engineer Android applications, so if you want to prevent this from happening, yes, you should use ProGuard for its main function: obfuscation.
ProGuard has also two other important functions: shrinking which eliminates unused code and is obviously highly useful and also optimization. Optimization operates with Java bytecode, though, and since Android runs on Dalvik bytecode which is converted from Java bytecode, some optimizations won’t work so well. So you should be careful there.
There are instructions on how to use proguard on the Android website. The main thing you need to check is that you have the line
project.properties file. Since you mention that you use Android Studio and you don’t have this file, but you are asked about the config file, try selecting the one that is in the Android SDK (
It is optional to use ProGuard, and whether you use it or not, it is quite easy to unpack the apk and get at your resources (graphics and other assets). If you don’t use ProGuard, the application code can also be reconstructed pretty easily, with ProGuard it becomes very difficult and cumbersome to try and understand what happens where (although not impossible given enough time and effort).
Be careful to test your app thoroughly after obfuscating as well, since it IS a change to the application and sometimes unintended things can happen, especially if oyu are using reflection a lot.
One important case for doing ProGuard obfuscation is that, some bad guys unpack apk and inject/replace purchase module to theirs. We cannot expect all users download apk only from Play Store, and users can be stolen their purchase account.
Having ProGuard run is completely optional, but highly recommended.
You can find all what you need here:
Also you can remove the following line from the default.properties file in your project root folder: