Obfuscation is often considered as a magic solution for code protection, by making your code harder to understand if it ever gets de-compiled by hackers.
But if you're thinking that removing the Log.x(..)
actually removes the information the hackers need, you'll have a nasty surprise.
Removing all your log calls with:
-assumenosideeffects class android.util.Log {
public static *** d(...);
...etc
}
will indeed remove the Log call itself, but usually not the Strings you put into them.
If for example inside your log call you type a common log message such as: Log.d(MyTag,"Score="+score);
, the compiler converts the +
to a 'new StringBuilder()' outside the Log call. ProGuard doesn't change this new object.
Your de-compiled code will still have a hanging StringBuilder
for "Score="
, appended with the obfuscated version for score
variable (let's say it was converted to b
).
Now the hacker knows what is b
, and make sense of your code.
A good practice to actually remove these residuals from your code is either not put them there in the first place (Use String formatter instead, with proguard rules to remove them), or to wrap your Log
calls with:
if (BuildConfig.DEBUG) {
Log.d(TAG,".."+var);
}
Tip:
Test how well protected your obfuscated code is by de-compiling it yourself!