Education

R8 and ProGuard: Secure Your App Against Reverse Engineering

logo

DhiWise

July 9, 2021
image
Author
logo

DhiWise

{
July 9, 2021
}
R8 and ProGuard: Secure Your app Against Reverse Engineering

Why does app protection against reverse engineering is gaining increasing importance?

With the growing number of mobile applications, the concern about data protection has taken on a new urgency.

The global app revenue has already reached $133 billion and is expected to rise further soon. However, app piracy through the distribution of cracked software on Android and iOS devices jeopardizes total in-app revenue.

Moreover, adding more features and better graphics to the app may improve customer satisfaction and app usability, but it also increases APK size. According to studies conducted by Google, there is a negative correlation between the APK’s size and installed conversion rate.

In simple words, app users are more likely to install and stay Installed APKs that are small or average in size making it easy to download and convenient to keep in a mobile device for a longer time. 


Now the question is, how should we protect apps from reverse engineering, and is there a way to combat app piracy and the growing size of applications?

The answer is yes, R8 and ProGuard are the default application shrinker for Android provided by Android Studio that can secure your app against Reverse Engineering.

What is ProGuard and R8?

R8 and ProGuard: Secure Your app Against Reverse Engineering

To make your application as small as possible, it is crucial to enable shrinking in your release build; it will automatically remove unused code and resources, obfuscate your app code and optimize your app.

To perform Compile time code optimization for the app project, you can use ProGuard, but it can be used below the Android Gradle plugin 3.4.0

Therefore to work with the same and higher version, you will require an R8 compiler to handle compile-time tasks that include- Resource shrinking, Code shrinking, Code obfuscation, and Code optimization.


1. ProGuard

ProGuard is a free Java tool in Android, which handles the following compile-time tasks,

  • Shrink application code: Remove unused classes, fields, methods, and attributes.
  • Obfuscate the code: Rename the name of classes and other fields.
  • Optimizes the code: It analyzes and optimizes the byte code.

Overall, ProGuard reduces the size of your application by 8.5%, removes unused instructions, and makes reverse engineering difficult by obfuscating the code.

2. R8

R8 is developed by Google and it is compatible with Kotlin. R8 compilers offer the following features to reduce your APK size.

  • Tree Shaking (Code shrinking): This feature detects and removes unused classes, fields, methods, and attributes from your app and its library dependencies.
  • Resource Shrinking: It works in conjunction with code shrinking. Suppose you added code libraries that include resources, you must remove unused library code so that library resources become unreferenced and easily removable by resource shrinker.
  • Identifier Renaming a.k.a Obfuscation: Uses short names for classes and fields and compresses package namespace, which results in reduced DEX file size.
  • Optimization: R8 further optimizes code and reduces your app’s DEX file size by removing dead code, unused argument, selective inlining, and class merging.

R8 performs all the above tasks automatically while building the release version of your app and shrink application size up to 10%. However, you can disable certain tasks or customize R8 through ProGuard rules.

Comparing R8 with ProGuard

ProGuard and R8 perform the same job i.e. reducing the APK size, optimize app code, and securing the app from reverse engineering. Then what is the difference between them?

  • R8 is designed to work with the ProGuard rules. Shrinking your app with R8 might remove additional code for better optimization that doesn’t happen in the case of ProGuard. You need to define additional rules to keep the code in your build output in such a situation.
  • With the Android app using Gradle plugin above 3.4.0 or more, the project uses R8 by default and no longer uses the ProGuard to perform optimizations.
  • R8 effectively inlines the container classes, thus avoiding object allocation.
  • R8 reduces the APP size by 10% compared to ProGuard, which minimizes the App size by 8.5%.
  • R8 provides better Kotlin support as compared to ProGuard

How do ProGuard and R8 work?

ProGuard uses the Java Compiler to convert the app’s code to Java bytecode. It is then converted into Optimized Java byte code using ProGuard rules. DEX then converts it to Optimized Dalvik bytecode.

While using R8, first the App’s Code is converted into Java bytecode using Java Compiler. It is then directly converted into the Optimized Dalvik bytecode using R8.

R8 and ProGuard: Secure Your app Against Reverse Engineering

Implementing R8 Shrinking in the application

In Android Studio, you can quickly implement R8 shrinking in your application.

  • First, you need to create a new project with an empty activity.
  • Then Navigate to the Gradle scripts > build.gradle(:app), and you will see the section of BuildTypes. 
  • Inside this, change minifyEnabled and shrinkResources from false to true to enable R8, as shown in the code below.
	android {
    ...
    buildTypes {
        getByName("release") {
            shrinkResources = true
            minifyEnabled = true
            proguardFiles(
                getDefaultProguardFile("proguard-android.txt"),
                "proguard-rules.pro"
            )
        }
    }
}

You can customize resources according to your requirement using tools: keep attribute and discord resources using tools: discard attribute under the resource tag in the XML file as,

	<?xml version="1.0" encoding="utf-8"?>
<resources xmlns:tools="http://schemas.android.com/tools"
    tools:keep="@layout/l_used*_c,@layout/l_used_a,@layout/l_used_b*"
    tools:discard="@layout/unused2" />

If you want to secure your application from being reverse engineered, use R8 or ProGuard according to your requirements. It will obfuscate your code, making it more secure and difficult to crack. Not only that, if you shrink the application to the minimum size users will prefer it over other apps that consume more memory.

How DhiWise makes your app more secure against reverse engineering\

We have learned how Proguard and R8 can be used to prevent the decompilation of Android app code and prevent reverse engineering.

If you are developing an enterprise-grade application that has data-heavy operations such as healthcare or financial apps; security becomes the most important concern.

So, how can DhiWise help you?

DhiWise Kotlin Builder empowers Android developers to build their Kotlin projects sophisticatedly in the most efficient way, making them focus only on the complex issues in their projects as DhiWise has automated most of the manual tasks in app development.

Building an app with DhiWise is more secure as it provides a mechanism to encrypt your application. Additionally, the platform ensures generated or exported code can not be reverse engineered at any stage that immunizes app code against decompilation.

That is how DhiWise makes it nearly impossible to reverse engineer your Android code. 

Build your Android app faster with DhiWise Kotlin Builder!! 
Visit DhiWise today and feel free to contact us!
Happy Coding!! 😊 😊 😊


References

https://milana-becejac.medium.com/r8-proguard-guardians-of-the-code-ef1319720aea

https://www.youtube.com/watch?v=PTSRC3ZM0HQ

https://medium.com/androiddevelopers/shrinking-your-app-with-r8-909efac25de4

https://developer.android.com/studio/build/shrink-code#shrink-resources

https://www.geeksforgeeks.org/how-to-use-r8-to-reduce-apk-size-in-android/

https://blog.mindorks.com/r8-vs-proguard-in-android#:~:text=0%20or%20more%20the%20project,reduces%20the%20code%20by%2010%25.