ProGuard

Overview

ProGuard is a tool for code shrinking, obfuscation, and optimization used primarily in Java and Android development. It helps make your app smaller, faster, and more secure by transforming the compiled bytecode before packaging the final APK or AAB.

What ProGuard Does

  1. Shrinking: Removes unused classes, fields, methods, and attributes from your app and its dependencies — reducing the final APK size.

  2. Obfuscation: Renames classes, methods, and variable names to meaningless letters (e.g., com.marksandspencer.billing.BillingService becomes a.a.a) — making reverse engineering harder.

  3. Optimization: Rewrites code to be faster or more efficient by removing redundancies and simplifying instructions.

  4. Pre-verification: Prepares the code for the Java bytecode verifier, which can reduce runtime verification overhead on some devices.

Why It’s Important for Security

In the context of tools like Appknox, ProGuard plays a critical role in basic code obfuscation, which:

  • Makes it harder for attackers to reverse engineer your app using tools like JADX or apktool.
  • Protects sensitive logic, like encryption, API logic, or security checks.
  • Helps pass security compliance requirements and reduce findings in tools like Appknox or MobSF.

However, ProGuard does not encrypt or completely secure your code — it only makes reverse engineering more difficult.

How to Use ProGuard in Android

If you're using Android Studio with Gradle, ProGuard (or its more advanced successor, R8, which is enabled by default) is already integrated.

To enable it:

  1. In your build.gradle (app-level):

buildTypes {
    release {
        minifyEnabled true // Enables code shrinking, obfuscation, and optimization
        proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
    }
}

  2. Customize the proguard-rules.pro file to:

     • Keep required classes (like for libraries or reflection).
     • Allow logs (if needed).
     • Obfuscate your own code securely.

Common Rules You Might See

# Keep all models used with Gson
-keep class com.marksandspencer.models.** { *; }

# Keep all classes with @Keep annotation
-keep @androidx.annotation.Keep class * { *; }

# Strip verbose and debug log calls (takes effect only when optimization is enabled)
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
}

As a Senior Dev, What to Know

  • R8 has replaced ProGuard as the default in recent Android builds — but the config files still work the same.
  • You must test your app thoroughly after enabling ProGuard — it can accidentally remove or obfuscate code that's used via reflection or serialization.
  • Combine with Appknox or MobSF to test that your obfuscation is effective.
  • Be cautious with third-party SDKs (e.g., Firebase, Retrofit, Room) — they often need explicit ProGuard rules.
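
An added example, not part of the original page and not ProGuard or R8 code: a small Python check over the mapping.txt that a minified build writes. It lists classes under your own package prefix whose names survived obfuscation, which is how an over-broad -keep rule such as the Gson models rule above shows up. The sample mapping, the User and RootCheck classes, and the audit_mapping function are constructed for illustration; classes that do not appear in the mapping file are not covered.

```python
import re

# Class line in mapping.txt: "original.Name -> obfuscated.name:"
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Indented member line: "[start:end:]type name[(args)][:line[:line]] -> obfuscated"
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?\S+ ([^\s(:]+)(\(\S*\))?(?::\d+)* -> (\S+)$")

# Constructed sample, not taken from a real build.
SAMPLE_MAPPING = """\
# compiler: R8
com.marksandspencer.models.User -> com.marksandspencer.models.User:
    java.lang.String email -> email
    void <init>() -> <init>
    java.lang.String getEmail() -> getEmail
com.marksandspencer.security.RootCheck -> com.marksandspencer.security.RootCheck:
    1:4:boolean isRooted(android.content.Context):21:24 -> a
com.marksandspencer.billing.BillingService -> a.a.a:
    byte[] key -> a
    1:2:void charge(int,java.lang.String):30:31 -> a
androidx.core.app.ActivityCompat -> androidx.core.app.ActivityCompat:
    void recreate(android.app.Activity) -> recreate
"""

def audit_mapping(text, prefixes):
    """Map each unrenamed class under `prefixes` to its unrenamed members."""
    kept, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and metadata comments
        cls = CLASS_RE.match(line)
        if cls:
            original, obfuscated = cls.groups()
            in_scope = original.startswith(tuple(prefixes))
            current = original if in_scope and original == obfuscated else None
            if current:
                kept[current] = []
            continue
        member = MEMBER_RE.match(line)
        if member and current:
            name, args, obfuscated = member.groups()
            # Constructors are never renamed, so they say nothing about keep rules.
            if name == obfuscated and name not in ("<init>", "<clinit>"):
                kept[current].append(name + (args or ""))
    return kept

if __name__ == "__main__":
    for cls, members in audit_mapping(SAMPLE_MAPPING, ["com.marksandspencer."]).items():
        print(f"{cls}: class name kept; unrenamed members: {members or 'none'}")
```

Entries for model classes are expected when serialization needs the names; an entry for a class holding security checks or billing logic means a keep rule is wider than intended.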