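Decompilation:
An ordinary APK can be decompiled with tools such as dex2jar, and the decompiled code can then be modified, repackaged and re-signed.
Decompilation procedure: copy classes.dex into the directory that contains dex2jar.bat, then drag classes.dex onto dex2jar.bat; this produces classes.dex.dex2jar.jar.
The decompiled code can be viewed with the jd-gui tool.
For this reason, the project should be obfuscated when an Android app is packaged, so that decompilation does not expose the code.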
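Obfuscation method:
Since version 2.3, the Android SDK has shipped with the obfuscation tool ProGuard.
Android projects created with 2.3 or later contain an additional proguard.cfg file. Add proguard.config=proguard.cfg to default.properties.
From 4.+ (I am not sure of the exact version), the property files became project.properties and proguard-project.txt.
To enable obfuscation, only one step is needed:
In project.properties, remove the "#" from the line "# proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt".
The proguard-project.txt used in my project is as follows: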
# To enable ProGuard in your project, edit project.properties
# to define the proguard.config property as described in that file.
#
# Add project specific ProGuard rules here.
# By default, the flags in this file are appended to flags specified
# in ${sdk.dir}/tools/proguard/proguard-android.txt
# You can edit the include path and order by changing the ProGuard
# include property in project.properties.
#
# For more details, see
#   http://developer.android.com/guide/developing/tools/proguard.html

# Add any project specific keep options here:

# If your project uses WebView with JS, uncomment the following
# and specify the fully qualified class name to the JavaScript interface
# class:
#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
#   public *;
#}

-optimizationpasses 5
-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-dontpreverify
-verbose
-optimizations !code/simplification/arithmetic,!field/*,!class/merging/*

-libraryjars ./libs/whty-core-new.jar
-libraryjars ./libs/sun.misc.BASE64Decoder.jar
-libraryjars ./libs/commons-io-2.0.1.jar

-dontwarn com.whty.wicity.core.**
-keep class com.whty.wicity.core.** { *;}
-dontwarn Decoder.**
-keep class Decoder.** { *;}
-dontwarn org.apache.commons.io.**
-keep class org.apache.commons.io.** { *;}
-dontwarn net.sourceforge.pinyin4j.**
-dontwarn demo.**
-keep class net.sourceforge.pinyin4j.** { *;}
-keep class demo.** { *;}
-ignorewarnings

-keep class org.kobjects.** { *; }
-keep class org.ksoap2.** { *; }
-keep class org.kxml2.** { *; }
-keep class org.xmlpull.** { *; }

# LogCat does not print logs; add the following two lines
-renamesourcefileattribute SourceFile
-keepattributes SourceFile,LineNumberTable

##--------------- Gson obfuscation configuration ----------
# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature
-keep class sun.misc.Unsafe { *; }
#-keep class com.google.gson.stream.** { *; }
# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }
##--------------------------------------

## Weibo
-dontwarn android.net.http.**
-keep public class android.webkit.WebView {*;}
-keep public class android.webkit.WebViewClient {*;}
-keep class com.weibo.net.** {*;}

##--- Keep all third-party packages; usually not needed, but added to avoid unnecessary errors ---------
-dontwarn android.support.v4.**
-keep class android.support.v4.** { *;}
-dontwarn com.whty.wicity.core.**
-keep class com.whty.wicity.core.** { *;}
-dontwarn com.google.zxing.**
-keep class com.google.zxing.** { *;}
-dontwarn com.baidu.location.**
-keep class com.baidu.location.** { *;}
-dontwarn com.iflytek.speech.**
-keep class com.iflytek.speech.** { *;}
-dontwarn com.tencent.mm.**
-keep class com.tencent.mm.** { *;}
-dontwarn demo.Pinyin4jAppletDemo.**
-keep class demo.Pinyin4jAppletDemo.** { *;}
-dontwarn android.net.http.**
-keep class android.net.http.** { *;}
-dontwarn com.google.gson.**
-keep class com.google.gson.** { *;}
-dontwarn com.mapabc.minimap.map.vmap.**
-keep class com.mapabc.minimap.map.vmap.** { *;}
-dontwarn Decoder.**
-keep class Decoder.** { *;}
-dontwarn com.tencent.**
-keep class com.tencent.** { *;}
-dontwarn org.**
-keep class org.** { *;}
-dontwarn org.apache.commons.io.**
-keep class org.apache.commons.io.** { *;}
-dontwarn com.chinaMobile.**
-keep class com.chinaMobile.** { *;}
##---------------------------------------------------------

-keep public class * extends android.app.Activity
-keep public class * extends android.app.Application
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider
-keep public class * extends android.app.backup.BackupAgentHelper
-keep public class * extends android.preference.Preference
-keep public class com.android.vending.licensing.ILicensingService

-keepclasseswithmembernames class * {
    native <methods>;
}

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet, int);
}

-keepclassmembers class * extends android.app.Activity {
    public void *(android.view.View);
}

-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

-keep class * implements android.os.Parcelable {
    public static final android.os.Parcelable$Creator *;
}

# Keep Serializable classes from being obfuscated
-keepnames class * implements java.io.Serializable
-keep public class * implements java.io.Serializable { *;}

# Explicitly preserve all serialization members. The Serializable interface
# is only a marker interface, so it wouldn't save them.
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private static final java.io.ObjectStreamField[] serialPersistentFields;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}
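The configuration above is for reference only. The obfuscation script depends on the lib packages added to the actual project, so it has to be adjusted accordingly.
If some code causes errors, and leaving it exposed is not a concern, that code can be excluded from obfuscation, as in the following rule: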
-keep class org.apache.commons.io.** { *;}
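An added example (not code from the original post): a small Python check for the two points above, namely whether the proguard.config line in project.properties is really uncommented, and which whole-package -keep rules leave an application's own classes unobfuscated. The sample file contents and the package name org.example.shop are constructed for illustration.

```python
import re

# Constructed sample inputs; org.example.shop is a hypothetical app package.
PROJECT_PROPERTIES = """\
# proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
target=android-19
"""

PROGUARD_RULES = """\
-dontwarn org.**
-keep class org.** { *;}
-keep class org.apache.commons.io.** { *;}
-keep class com.google.gson.** { *;}
-keep public class * extends android.app.Activity
-keep class org.example.shop.model.** { *; }
"""

def proguard_enabled(properties_text):
    """True only if an uncommented, non-empty proguard.config= line exists."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("proguard.config=") and line.split("=", 1)[1].strip():
            return True
    return False

# Whole-package rules of the form: -keep [modifiers] class a.b.** { *; }
_KEEP_ALL = re.compile(r"^-keep\s+(?:\w+\s+)*class\s+([\w.]+)\.\*\*\s*\{\s*\*\s*;\s*\}")

def kept_packages(rules_text):
    """Package prefixes whose classes and members are fully excluded from obfuscation."""
    found = []
    for line in rules_text.splitlines():
        m = _KEEP_ALL.match(line.strip())
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found

def exposed_app_rules(rules_text, app_package):
    """Keep-all prefixes that cover the app package or a sub-package of it."""
    hits = []
    for prefix in kept_packages(rules_text):
        covers_app = (app_package + ".").startswith(prefix + ".")
        inside_app = (prefix + ".").startswith(app_package + ".")
        if covers_app or inside_app:
            hits.append(prefix)
    return hits

if __name__ == "__main__":
    print("ProGuard enabled:", proguard_enabled(PROJECT_PROPERTIES))
    print("App code left readable by:", exposed_app_rules(PROGUARD_RULES, "org.example.shop"))
```

A broad rule such as -keep class org.** { *;} is reported whenever the app's own package starts with org., because every class under it then keeps its original names.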
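Also: if the project is made up of several projects, with some referenced as lib projects, take care with how they are added. If a lib project is added only in the ordinary way (right-click the project -> Properties -> Android -> Add), obfuscated packaging usually fails with errors.
The lib project also needs to be added under Projects > Required projects on the build path. My guess is that this makes the lib project take part in the main project's compilation.
Remember to tick the project added above under "Build class path order and exported entries".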
References:
http://my.oschina.net/aibenben/blog/371889
http://www.cnblogs.com/lesliefang/p/3819259.html