One of the biggest challenges for app publishers is a series of bans imposed by platforms or services that identify multiple accounts or identical code as being linked with each other. In this case, code obfuscation technology can effectively differentiate code so that it does not trigger system detection, helping to prevent large-scale app bans.
This article introduces the 6 most-recommended code obfuscation tools to enhance app security and compliance.

6 most-recommended code obfuscation tools

1. ProGuard

ProGuard is a native Android tool for code shrinking and obfuscation. It renames classes, methods, and variables to make them harder to understand. This improves app security and reduces file size.
ProGuard allows developers to customize obfuscation (using a dictionary of rules) to ensure that the obfuscated code paths are different each time. You are advised not to upload the mapping file to Google’s backend, as it could expose the obfuscation details, making the code easier to reverse-engineer.
Website: https://developer.android.com/build/shrink-code
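
To show what the mapping file discussed above contains, here is an added example (not code from ProGuard or from this article) that parses a mapping in the ProGuard/R8 `mapping.txt` format and translates an obfuscated stack frame back to the original names. The sample mapping, the package names, and the function names `parse_mapping` and `retrace_frame` are constructed for illustration.

```python
import re

# Constructed sample in the ProGuard/R8 mapping.txt format (not from a real app).
SAMPLE_MAPPING = """\
# compiler: R8
com.example.shop.PaymentManager -> a.a.b:
    java.lang.String apiKey -> a
    int retryCount -> b
    12:18:void submitOrder(java.lang.String,int) -> a
    25:31:boolean verifySignature(byte[]) -> b
com.example.shop.ui.CheckoutActivity -> a.a.c:
    40:52:void onCreate(android.os.Bundle) -> a
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
MEMBER_RE = re.compile(r"^\s+(?:(\d+):(\d+):)?(\S+) (\S+?)(\(.*\))? -> (\S+)$")
FRAME_RE = re.compile(r"^([\w.$]+)\.([\w$<>]+)\([^:)]*:(\d+)\)$")


def parse_mapping(text):
    """Return {obfuscated_class: (original_class, [member dicts])}."""
    classes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comment headers
        m = CLASS_RE.match(line)
        if m:
            current = (m.group(1), [])
            classes[m.group(2)] = current
        elif current is not None and (m := MEMBER_RE.match(line)):
            lo, hi, rtype, name, args, obf = m.groups()
            current[1].append({"obf": obf, "name": name, "args": args,
                               "lines": (int(lo), int(hi)) if lo else None})
    return classes


def retrace_frame(classes, frame):
    """Map an obfuscated frame like 'a.a.b.a(SourceFile:14)' to original names."""
    m = FRAME_RE.match(frame)
    if not m or m.group(1) not in classes:
        return frame  # not covered by this mapping file
    original, members = classes[m.group(1)]
    line = int(m.group(3))
    for mem in members:
        in_range = mem["lines"] is None or mem["lines"][0] <= line <= mem["lines"][1]
        # Fields have args == None; only methods can appear in a stack frame.
        if mem["obf"] == m.group(2) and mem["args"] is not None and in_range:
            return f"{original}.{mem['name']}{mem['args']}:{line}"
    return f"{original}.{m.group(2)}:{line}"  # class known, method not matched
```

Anyone holding the mapping file can recover every original class, field, and method name this way, which is why it should be stored with the same care as source code.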

2. AndResGuard

Unlike ProGuard, which focuses on code obfuscation, AndResGuard is a tool for resource obfuscation. It renames and obfuscates resource names. For example, AndResGuard can shrink a resource path from res/drawable/logo to a/b/c.
Website: https://github.com/shwenzhang/AndResGuard

3. AabResGuard

AabResGuard is very similar to AndResGuard in terms of functionality. It is a tool for resource obfuscation in AAB (Android App Bundle) files. It renames and obfuscates resource names in the bundle, which is easier to use for Android developers.
Website: https://github.com/bytedance/AabResGuard

4. XmlClassGuard

XmlClassGuard is designed for obfuscating XML files. It focuses on obfuscating class names in XML layouts.
XmlClassGuard can work alongside ProGuard. ProGuard obfuscates Java code, while XmlClassGuard obfuscates XML class references. Together, they provide more comprehensive protection against AABs getting rejected or banned on Google Play.
Website: https://github.com/liujingxing/XmlClassGuard

5. StringFog

StringFog is a tool to encrypt sensitive strings in Android apps that are packaged as a DEX (Dalvik Executable), AAR (Android Archive), or JAR (Java Archive) file. These protected strings are typically used in app descriptions and metadata, which could trigger Google Play’s automated or manual review process if detected.
Website: https://github.com/MegatronKing/StringFog

6. App Hardening Tools

The tools mentioned above are focused primarily on code obfuscation and resource protection. They make an app’s code harder to reverse-engineer, thereby protecting sensitive data in the app. On the other hand, app hardening tools (also referred to as app security apps) go beyond just code obfuscation. They are designed to secure an app against various types of cyber-attacks.
However, there are debates around app hardening tools that stem from overprotection and compliance concerns.

  • Using app hardening tools can potentially raise suspicion on Google Play because it might be seen as an indicator that the app is trying to hide improper data and avoid detection.
  • Google Play’s guidelines require apps to provide unique, high-quality content that adds value to users. However, apps obscured by app hardening tools may appear uniform in terms of their underlying structure and content, making them look generic or identical to Google’s automated review systems. As a result, masked apps may be flagged for failing to meet these standards and get rejected.
  • Besides, app hardening techniques often include dynamic loading of DEX, where an Android app loads parts of its code (in the form of DEX files) at runtime based on specific conditions or use cases, rather than loading everything upfront. This can be a red flag when it comes to Google Play’s app review guidelines as it leads to security issues.
While app hardening tools offer significant security benefits for developers by protecting against reverse engineering and tampering, their use can also raise concerns during the Google Play review process. Therefore, it is crucial for businesses to not only rely on third-party security tools but also to focus on developing secure and transparent apps from the ground up. At the end of the day, businesses can take full control of their app and ensure app store compliance only when it is truly safe and trustworthy.
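
For the dynamic DEX loading mentioned in the list above, the following added example (not from this article or from Google Play's tooling) shows the kind of static check a reviewer or an internal release gate can run on a packaged app: it looks for references to the `dalvik.system` class loaders inside DEX files and for DEX files stored outside the standard `classes*.dex` names. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Real dalvik.system class descriptors; a reference to either one in a DEX
# string table means the app is able to load further DEX code at runtime.
LOADER_DESCRIPTORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)
DEX_MAGIC = b"dex\n"
PRIMARY_DEX = re.compile(r"^classes\d*\.dex$")


def scan_apk(apk_bytes):
    """Return loader references and DEX files stored outside classes*.dex."""
    report = {"loader_refs": {}, "extra_dex": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if not data.startswith(DEX_MAGIC):
                continue  # only entries that carry the DEX file magic
            hits = [d.decode() for d in LOADER_DESCRIPTORS if d in data]
            if hits:
                report["loader_refs"][name] = hits
            if not PRIMARY_DEX.match(name):
                report["extra_dex"].append(name)  # DEX shipped as an asset/resource
    return report


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with fake DEX entries (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32
                   + b"Ldalvik/system/DexClassLoader;\x00")
        z.writestr("classes2.dex", b"dex\n035\x00" + b"Lcom/example/Main;\x00")
        z.writestr("assets/update.bin", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("res/raw/notes.txt", b"plain text resource")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

This is a static heuristic over the packaged files only; a clean result does not prove that no code is loaded at runtime.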

About Us

ROIBest is a software service company headquartered in Singapore, pioneering in Android progressive web app (PWA) solutions. We provide Android developers with an innovative app distribution & advertising solution that does not depend on app stores, saves in-app purchase commissions, and eliminates harmful file warnings. Our feature-rich product supports AudienceCloud, traffic deduplication, and intelligent push notifications, enabling business success in global markets.
