I have a library that is about to be obfuscated using ProGuard. "Library mode" is almost applicable for my use case, i.e. it is almost fine to keep all public and protected classes and class members.
However due to Java's visibility requirements some members cannot be made package private or private and thus they are public classes although they should not be in the library. I would like to have them obfuscated to make it more clearly that these classes do not belong to the public api, as well as to get better obfuscation and smaller library jars.
Is there a way to exclude some items from a proguard "keep" rule without specifying each of these items by name (using the '!').
Ideally I would like to annotate these classes and members with a tagging annotation, but as far as I understand Proguard can only be told to keep items with certain annotations.
You can only keep items indeed. If you want to exclude certain class members, you have to do so by listing or annotating the class members that you do want to keep. When specifying a class name, you can provide a list, optionally with "!" to exclude names. When specifying a class member name and type, that is not possible. Still, in both cases, you can use wildcards. If you pick special names for your internal classes, this might work:
-keep public class * {
public protected *** !myInternalField*;
public protected *** !myInternalMethod*(...);
}
Related
I included a library I'd like to use, but in accessing to one of its classes I get the error message,
"Cannot access '<init>': it is private in [class name]
Is there something I can do to rectify this on my side, or am I just stuck to not use the package?
The error means the constructor is private. Given your comment, I'm assuming you're using a library. If this is the case, you'll have to find a different way to initialize it. Some libraries have factories or builders for classes, so look up any applicable documentation (if it is a library or framework). Others also use the singleton pattern, or other forms of initialization where you, the developer, don't use the constructor directly.
If, however, it is your code, remove private from the constructor(s). If it's internal and you're trying to access it outside the module, remove internal. Remember, the default accessibility is public. Alternatively, you can use the builder pattern, factory pattern, or anything similar yourself if you want to keep the constructor private or internal.
I came across this issue when trying to extend a sealed class in another file. Without seeing the library code it is hard to know if that is also what you are attempting to do.
The sealed classes have the following unique features:
A sealed class can have subclasses, but all of them must be declared in the same file as the sealed class itself.
A sealed class is abstract by itself, it cannot be instantiated directly and can have abstract members.
Sealed classes are not allowed to have non-private constructors (their constructors are private by default).
Classes that extend subclasses of a sealed class (indirect inheritors) can be placed anywhere, not necessarily in the same file.
For more info, have a read at https://www.ericdecanini.com/2019/10/14/kotlins-sealed-class-enums-on-steroids/
Hopefully, this will help others new to Kotlin who are also encountering this issue.
Class constructors are package-private by default. Just add the public keyword before declaring the constructor.
By default constructor is public so need to remove internal keyword.
I use Kotlin and I have many internal classes.
I want to obfuscate and shrink everything apart from all public classes.
Proguard rules:
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-verbose
-optimizationpasses 5
-overloadaggressively
-repackageclasses ''
-allowaccessmodification
-keep public class * {
public <methods>;
public <fields>;
}
Unfortunately the -keep public class * behaves defensively and keeps all names, also for the internal classes.
Your rules are way too broad.
Single "-keep" with nested rules is more broad, compared to combination of "-keepmembers" and "-keepclasseswithmembers" rules
Full "-keep" rule means "do not change bytecode of that method, ever"
Classes, referenced by kept classes and methods, can not be removed, renamed or repackaged
This line in your rules keeps all your classes and interfaces:
-keep public class * {
I mean ALL of them. Whether they have public members or not.
Use -keepclasseswithmembers instead!
Because of these lines
{
public <methods>;
public <fields>;
}
all your public methods will be left untouched, which means that repackaging and renaming methods, referenced from your public methods can not be carried out!
If you want at least some repackaging to be done, make sure to allow optimization (because repackaging is performed as part of optimization step):
-keepmembers,allowoptimization public class * {
public <methods>;
public <fields>;
}
In addition to repackaging, this will also allow for some inlining (which in turn assists in removing classes, that supply inlined methods).
Also with Android apps you are much better off repackaging into your primary package (the application package, or package with biggest number of your immovable classes in it) instead of empty package (''). This is because some "exported" classes (Activities, Views, Services, other stuff, referenced from xml files) can not be moved outside of their package by Proguard, — aapt dynamically generates special rules to prevent that. The part of optimization process, that changes access modes from public to protected/private, becomes more efficient the more classes can be placed together in single package.
I want to obfuscate and shrink everything apart from all public classes.
Bad idea. You really should try to obfuscate as much as possible, especially public classes. If you restrict obfuscation, repackaging is also restricted! It would rename them!!
Aim for the most specific rules possible.
If you want to prevent shrinking:
-keep,allowoptimization,allowobfuscation public class com.example.Example
If you want to prevent renaming, but allow stripping unused classes:
-keep,allowoptimization,allowshrinking public class com.example.*
In general, avoid wildcard rules (bare *) and -keep rules: prefer rules for specific classes and -keepmembers/-keepclasseswithmembers
The correct approaches for obfuscating applications and libraries are completely different, but they have something in common — you should not care about public methods/classes; just obfuscate/shrink/repackage as much as possible until any more would break it.
For applications you should just obfuscate/repackage as much as possible. If you don't know, which packages are safe to obfuscate, start from opting known safe packages into obfuscation.
For libraries — do not apply Proguard to library itself (unless you are trying to achieve security by obscurity). Use the feature of aar format — consumer proguard files — that allows to supply rule "segments", which should be followed during final app obfuscation.
Official docs on visibility modifiers in Kotlin say that package-level elements marked private are be visible only in the module in which they are declared.
So class A declared in Module1.kt isn't visible in Module2.kt. But if I try to add to Module2.kt it's own class A I get the Redeclaration: A error.
Since I can't access in Module2.kt to Module1's A class, why isn't the name A free to use?
"A module is a set of Kotlin files compiled together" (Visibility Modifiers - Kotlin Programming Language).
In your example, Module1.kt and Module2.kt are separate source files and despite their names they are not necessarily part of separate modules:
If they are compiled together then they are part of the same module.
If they are compiled separately from one another then they will be part of different modules and each can define their own private class A.
Keep in mind that visibility is different from identity. Even if a class is not visible elsewhere it doesn't mean that it does not exist. Loading multiple class declarations with the same fully-qualified name can (and likely will) cause issues at run-time.
What would be a smart ProGuard configuration to obfuscate just the private methods and constants of one particular class com.acme.Algorithm?
I would like to obfuscate just that, because it contains an algorithm that should not be plain obvious when accidentally opening the .jar.
I'm a ProGuard newbie. AFAIU, you have to use "keep", but the positive logic of "do obfuscate" is not available, right? So how to exlude my class from a "keep everything" config? Note: I don't want to obfuscate other classes for the moment, because I want to allow the customer to see meaningful stacktraces.
Obfuscating a single class won't have much effect: it may change the class name and a few field names and methods names, and it may optimize some code. Obfuscation tends to be less effective for hiding small pieces of information. The more application code you obfuscate, the more difficult it becomes to understand.
That being said, you can specify:
-keep class !com.acme.Algorithm { *; }
It keeps all classes/fields/methods outside of com.acme.Algorithm.
How can we distinguish to create a class which is static?
A static class forces all of its methods to be static and prohibits an instance constructor therefor can't be instantiated. If your question extends to WHEN to use static and WHEN instance, please do a search on StackOverflow (or check out the Related box on this page)
At least in C#,
static classes and class members are used to create data and functions that can be accessed without creating an instance of the class.
If you want the class to be static in nature i.e. have only 1 copy within the program (VM) then there are two obvious mechanisms:
1. Make all members and methods of the class static (Java/C#).
2. Use Singleton design pattern.
For this case (static in nature), we don't have a language construct and hence one of the above technique is used.
As to your question for this case, such classes should be created if you want your functionality to be accessible globally, unchanged and instantly accessible e.g. utility methods, global constants etc.
Secondly, the keyword 'static' is used with classes to increase their visibility in the package. This keyword can only be applied on inner classes and allows the access to inner classes without the context of their parent class.
Such kind of static classes should be used only for those inner classes that serve their purpose within the parent class as well as are useful outside the class or the package e.g. Key of a POJO.