apksigner tool. It is located at [SDK-Path]/build-tools/[version].

jarsigner. Note that the Common Name (CN) attribute is set to "Android Debug" in the debug certificate.

jarsigner, you can rely on the apksigner to verify the certificate chain.

signingConfig block in build.gradle. To activate both the v1 and v2 schemes, the following values must be set:

android:debuggable attribute in the Application element that is defined in the Android manifest determines whether the app can be debugged or not.

AndroidManifest.xml to determine whether the android:debuggable attribute has been set and to find the attribute's value:

aapt tool from the Android SDK with the following command line to quickly check if the android:debuggable="true" directive is present:

"false" (the default value).

adb can be used to determine whether an application is debuggable.

adb shell, execute run-as by appending the package name and application command to the binary name:

jdb to the running process. If this is successful, debugging will be activated.

jdb:

adb and jdwp, identify the PID of the active application that you want to debug:

adb between the application process (with the PID) and your host computer by using a specific local port:

jdb, attach the debugger to the local communication channel port and start a debug session:

jdb is being bound to the local communication channel port, kill all adb sessions and start a single new session.
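The manifest and signing-certificate checks above can be scripted so every build gets the same verdict. The following is an added example, not code from the original page: it parses text in the shape of the output of aapt dump xmltree and apksigner verify --verbose --print-certs (both samples are constructed, and the exact line formats are an assumption about those tools) and reports the release-blocking findings the text describes: android:debuggable set to true, a signer with CN "Android Debug", and a v1 or v2 scheme that did not verify.

```python
import re

# Constructed sample in the shape of `aapt dump xmltree app.apk AndroidManifest.xml`
AAPT_XMLTREE = """\
    E: application (line=7)
      A: android:debuggable(0x0101000f)=(type 0x12)0xffffffff
"""
# Constructed sample in the shape of `apksigner verify --verbose --print-certs app.apk`
APKSIGNER_OUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
"""
_XMLTREE_RE = re.compile(r"android:debuggable\(0x[0-9a-f]+\)=\(type 0x12\)(0x[0-9a-f]+)")
_XML_RE = re.compile(r'android:debuggable\s*=\s*"(true|false)"')
_SCHEME_RE = re.compile(r"Verified using (v\d) scheme [^:]*: (true|false)")
_DN_RE = re.compile(r"Signer #\d+ certificate DN: (.+)")

def manifest_debuggable(manifest_text: str) -> bool:
    # True only when android:debuggable is explicitly true. Accepts the binary
    # manifest dump (aapt prints booleans as 0xffffffff / 0x0) or decoded XML;
    # an absent attribute means the default, "false".
    m = _XMLTREE_RE.search(manifest_text)
    if m:
        return int(m.group(1), 16) != 0
    m = _XML_RE.search(manifest_text)
    return m is not None and m.group(1) == "true"

def verified_schemes(apksigner_out: str) -> set:
    # Signature schemes apksigner reported as verified, e.g. {"v1", "v2"}.
    return {v for v, ok in _SCHEME_RE.findall(apksigner_out) if ok == "true"}

def signer_common_names(apksigner_out: str) -> list:
    # CN of every signer certificate, so "Android Debug" stands out.
    return [cn for dn in _DN_RE.findall(apksigner_out)
            for cn in re.findall(r"\bCN=([^,]+)", dn)]

def audit(manifest_text: str, apksigner_out: str) -> list:
    # Release-readiness findings; an empty list means nothing was flagged.
    findings = []
    if manifest_debuggable(manifest_text):
        findings.append("android:debuggable is true; release builds must use false")
    if "Android Debug" in signer_common_names(apksigner_out):
        findings.append("signed with the debug certificate (CN=Android Debug)")
    for scheme in sorted({"v1", "v2"} - verified_schemes(apksigner_out)):
        findings.append(f"signature scheme {scheme} did not verify")
    return findings
```

Feed it the real tool output captured from your own APK; the constructed samples are there only so the functions run offline.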
nm or objdump to examine the symbol table. A release build should generally not contain any debugging symbols. If the goal is to obfuscate the library, removing unnecessary dynamic symbols is also recommended.

nm binary in your Android NDK and export it (or create an alias).

visibility compiler flag. Adding this flag causes gcc to discard the function names while preserving the names of functions declared as JNIEXPORT.

StrictMode with policies enabled for disk and network access to the main thread:

if statement with the DEVELOPER_MODE condition is recommended. To disable StrictMode, DEVELOPER_MODE must be disabled for the release build.

StrictMode is enabled, you can look for the StrictMode.setThreadPolicy or StrictMode.setVmPolicy methods. Most likely, they will be in the onCreate method.

StrictMode; the best choice depends on how the policies' roles are implemented. They include

Mockito used for testing and libraries like JavaAssist used to compile certain other libraries.

Okhttp3.

OKHTTP prior to 2.7.5 in which TLS chain pollution was possible to bypass SSL pinning.

dependency-check-gradle. In order to use the plugin, the following steps need to be applied: Install the plugin from the Maven central repository by adding the following script to your build.gradle:

build/reports unless otherwise configured. Use the report in order to analyze the vulnerabilities found. See remediation on what to do given the vulnerabilities found with the libraries.

License Gradle Plugin. This plugin can be used by taking the following steps.

build.gradle file add:

Note: If in doubt about the implications of a license model used by a third party library, then consult with a legal specialist.
about or EULA section in which the copyright statements are noted as required by the license of the third party library.

RuntimeExceptions (e.g. NullPointerException, IndexOutOfBoundsException, ActivityNotFoundException, CancellationException, SQLException) by creating proper null checks, bound checks, and the like. An overview of the available subclasses of RuntimeException can be found in the Android developer documentation. A child of RuntimeException should be thrown intentionally, and the intent should be handled by the calling method.

Throwable there's a proper catch handler, which ends up handling the actual exception properly.

finally blocks.

Application class (e.g., the class that extends Application):

Context object is passed around to non-Activity classes, or when you pass references to Activity classes to your helper classes.

Activity or View classes, Singleton classes that have references to Context, Inner Class references, Anonymous Class references, AsyncTask references, Handler references, Threading done wrong, TimerTask references. For more details, please check:

minifyEnabled and proguardFiles are set. Creating exceptions to protect some classes from obfuscation (with -keepclassmembers and -keep class) is common. Therefore, auditing the ProGuard configuration file to see what classes are exempted is important. The getDefaultProguardFile('proguard-android.txt') method gets the default ProGuard settings from the <Android SDK>/tools/proguard/ folder.

When you build your project using Android Studio 3.4 or Android Gradle plugin 3.4.0 or higher, the plugin no longer uses ProGuard to perform compile-time code optimization. Instead, the plugin works with the R8 compiler. R8 works with all of your existing ProGuard rules files, so updating the Android Gradle plugin to use R8 should not require you to change your existing rules.

proguard-rules.pro is where you define custom ProGuard rules. With the flag -keep you can keep certain code that is not being removed by R8, which might otherwise produce errors. For example, to keep common Android classes, as in our sample configuration proguard-rules.pro file:
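Auditing which classes the ProGuard/R8 configuration exempts, as the text recommends, is easy to automate. The following is an added example, not the page's own sample configuration: it reads a proguard-rules.pro and the release buildType of a build.gradle, lists the -keep family of rules, and flags unconstrained wildcard keeps that exempt whole packages from obfuscation. The rules file and Gradle fragment are constructed, and the flat regex for the release block is an assumed simplification that handles a single-level block only.

```python
import re
# Constructed samples: a proguard-rules.pro in the style of the page's "keep common
# Android classes" rules (with one deliberately broad exemption) and a release buildType.
PROGUARD_RULES = """\
-keep public class * extends android.app.Activity
-keepclassmembers class * implements android.os.Parcelable {
    public static final android.os.Parcelable$Creator CREATOR;
}
-keep class com.example.internal.** { *; }
-dontwarn okhttp3.**
"""
BUILD_GRADLE = """\
buildTypes {
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
    }
}
"""
KEEP_OPTIONS = ("-keep", "-keepclassmembers", "-keepclasseswithmembers",
                "-keepnames", "-keepclassmembernames", "-keepclasseswithmembernames")
def parse_rules(text: str) -> list:
    # Strip comments, then split into rules: each starts at a line beginning with
    # '-' and runs until the next such line, so multi-line member bodies stay whole.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = []
    for chunk in re.split(r"(?m)^(?=-)", body):
        words = chunk.split()
        if words:
            rules.append((words[0], " ".join(words[1:])))
    return rules

def keep_rules(text: str) -> list:
    return [r for r in parse_rules(text) if r[0] in KEEP_OPTIONS]

def broad_keeps(text: str) -> list:
    # An unconstrained wildcard class spec (no extends/implements) kept with "*;"
    # exempts whole packages from obfuscation; these need justification or narrowing.
    found = []
    for option, arg in keep_rules(text):
        spec, _, members = arg.partition("{")
        wildcard = re.search(r"\bclass\s+[\w.]*\*\*?$", spec.strip()) is not None
        constrained = re.search(r"\b(extends|implements)\b", spec) is not None
        if wildcard and not constrained and members.strip().rstrip("}").strip() == "*;":
            found.append(f"{option} {arg}")
    return found
def release_minify_enabled(gradle_text: str) -> bool:
    # Flat regex check that the release build type sets minifyEnabled true.
    m = re.search(r"release\s*\{([^}]*)\}", gradle_text)
    return bool(m) and re.search(r"minifyEnabled\s+true\b", m.group(1)) is not None
```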