{ "id": "117811", "key": "TIMOB-14740", "fields": { "issuetype": { "id": "2", "description": "A new feature of the product, which has yet to be developed.", "name": "New Feature", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [], "resolution": null, "resolutiondate": null, "created": "2013-07-31T10:49:01.000+0000", "priority": { "name": "High", "id": "2" }, "labels": [ "exalture", "notable" ], "versions": [ { "id": "14162", "description": "Release 3.1.0", "name": "Release 3.1.0", "archived": true, "released": true, "releaseDate": "2013-04-16" } ], "issuelinks": [ { "id": "37145", "type": { "id": "10000", "name": "Blocks", "inward": "is blocked by", "outward": "blocks" }, "outwardIssue": { "id": "63414", "key": "TIMOB-2782", "fields": { "summary": "Android: Generate a Proguard configuration based on API usage", "status": { "description": "The issue is open and ready for the assignee to start work on it.", "name": "Open", "id": "1", "statusCategory": { "id": 2, "key": "new", "colorName": "blue-gray", "name": "To Do" } }, "priority": { "name": "Medium", "id": "3" }, "issuetype": { "id": "2", "description": "A new feature of the product, which has yet to be developed.", "name": "New Feature", "subtask": false } } } } ], "assignee": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "updated": "2019-11-07T00:40:12.000+0000", "status": { "description": "The issue is open and ready for the assignee to start work on it.", "name": "Open", "id": "1", "statusCategory": { "id": 2, "key": "new", "colorName": "blue-gray", "name": "To Do" } }, "components": [ { "id": "10202", "name": "Android", "description": "Android Platform" }, { "id": "13103", "name": "CLI", "description": "Node-based command line interface" } ], "description": "Hi,\r\n\r\nCreate a sample Android module and build it. Then follow this step by step.\r\n\r\n1. Extract the contents of the zip file inside the dist folder.\r\n2. Extract the JAR file obtained from the zip file.\r\n3. Use JAD (Decompile tool) to decompile the any *.class file.\r\n\r\nYou will observe that the entire source code is displayed. There is no obfuscation. I think Appcelerator must provide an obfuscation procedure during the build process.\r\n\r\nIf any such process is present (using ProGuard for example), then can you please let us know. If no such process exists then it will be a great idea to add this feature. This will increase the security and also reduce the module size.", "attachment": [ { "id": "52147", "filename": "com.proguard.android.zip", "author": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-10-23T22:45:22.000+0000", "size": 1273, "mimeType": "application/zip" }, { "id": "52146", "filename": "proguard_app.zip", "author": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-10-23T22:44:44.000+0000", "size": 641685, "mimeType": "application/zip" } ], "flagged": false, "summary": "Android: Automatically generate ProGuard configuration file", "creator": { "name": "soumyakantikar", "key": "soumyakantikar", "displayName": "Soumya Kanti Kar", "active": true, "timeZone": "America/Havana" }, "subtasks": [], "reporter": { "name": "soumyakantikar", "key": "soumyakantikar", "displayName": "Soumya Kanti Kar", "active": true, "timeZone": "America/Havana" }, "environment": "Mobile SDK: 3.1.0 GA\r\nJDK: 1.6\r\nAndroid API: 13", "closedSprints": [ { "id": 126, "state": "closed", "name": "2018 Sprint 05 SDK", "startDate": "2018-02-25T19:38:08.926Z", "endDate": "2018-03-11T18:38:00.000Z", "completeDate": "2018-03-11T22:06:01.520Z", "originBoardId": 100 } ], "comment": { "comments": [ { "id": "264665", "author": { "name": "soumyakantikar", "key": "soumyakantikar", "displayName": "Soumya Kanti Kar", "active": true, "timeZone": "America/Havana" }, "body": "ProGuard can be used on the JAR that is created after building the Android module. We need to extract the JAR from the modile ZIP. Use ProGuard on the JAR keeping the classes that extend KrollModule and TiViewProxy. Repack the ZIP file. Then use the modified ZIP file in Appcelerator projects.", "updateAuthor": { "name": "soumyakantikar", "key": "soumyakantikar", "displayName": "Soumya Kanti Kar", "active": true, "timeZone": "America/Havana" }, "created": "2013-08-02T12:09:05.000+0000", "updated": "2013-08-02T12:09:05.000+0000" }, { "id": "288492", "author": { "name": "cbarber", "key": "cbarber", "displayName": "Chris Barber", "active": true, "timeZone": "America/Chicago" }, "body": "What's the immediate danger in allowing the .class files to be decompiled. They can just go to https://github.com/appcelerator/titanium_mobile and see the source with comments!", "updateAuthor": { "name": "cbarber", "key": "cbarber", "displayName": "Chris Barber", "active": true, "timeZone": "America/Chicago" }, "created": "2014-01-16T19:00:15.000+0000", "updated": "2014-01-16T19:00:15.000+0000" }, { "id": "300913", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Note that you can use obfuscation now. This is a ticket to automatically generate the ProGuard file.", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-04-14T23:09:05.000+0000", "updated": "2014-04-14T23:09:16.000+0000" }, { "id": "302732", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Note, here is a sample ProGuard file for Titanium. This may need to be updated to fit your usage (especially the file paths)!\r\n\r\n{code}\r\n# keep titanium class / package names\r\n-keepnames class org.appcelerator.** \r\n-keepnames class com.appcelerator.**\r\n-keepnames class ti.**\r\n-keepnames class android.widget.*\r\n-keepnames class kankan.wheel.widget.*-\r\n-keepnames class org.mozilla.javascript.**\r\n \r\n# TODO: generate app ID here -keepnames com.company.id.**\r\n-keepnames class com.arcaner.proguard.test1.**\r\n-keeppackagenames\r\n \r\n# preverification does nothing for dex\r\n-dontpreverify\r\n \r\n# allows further optimization of getter/setter -> directly to field\r\n-allowaccessmodification\r\n \r\n# dalvik specific optimization flags\r\n-optimizations !code/simplification/arithmetic\r\n \r\n# app classes\r\n-injars /Users/username/Code/test/titanium/proguardTest1/build/android/bin/classes\r\n \r\n# module jars\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-accelerometer.jar(!**/accelerometer.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-analytics.jar(!**/analytics.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-android.jar(!**/android.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-api.jar(!**/api.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-app.jar(!**/app.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-bump.jar(!**/bump.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-calendar.jar(!**/calendar.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-contacts.jar(!**/contacts.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-database.jar(!**/database.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-facebook.jar(!**/facebook.json,!META-INF/MANIFEST.MF,!**/LICENSE)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-filesystem.jar(!**/filesystem.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-geolocation.jar(!**/geolocation.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-gesture.jar(!**/gesture.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-json.jar(!**/json.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-locale.jar(!**/locale.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-map.jar(!**/map.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-media.jar(!**/media.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-network.jar(!**/network.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-platform.jar(!**/platform.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-ui.jar(!**/ui.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-utils.jar(!**/utils.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-xml.jar(!**/xml.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium-yahoo.jar(!**/yahoo.json,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/support/android/lib/titanium-verify.jar(!**/.gitignore,!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/dist/android/titanium.jar(!**/titanium.json,!META-INF/MANIFEST.MF,!**/*-NOTICE.txt,!**/.gitignore)\r\n \r\n# bundled libs\r\n-injars /Users/username/Code/titanium_mobile/android/titanium/lib/ti-commons-codec-1.3.jar(!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/android/titanium/lib/commons-logging-1.1.1.jar(!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/android/titanium/lib/smalljs.jar(!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/android/modules/xml/lib/jaxen-1.1.1.jar(!META-INF/MANIFEST.MF)\r\n-injars /Users/username/Code/titanium_mobile/android/modules/bump/lib/bump-api.jar(!META-INF/MANIFEST.MF)\r\n \r\n# library jars\r\n#-libraryjars /Users/username/Code/titanium_mobile/android/kroll-apt/lib/freemarker.jar\r\n-libraryjars /Users/username/Apps/android-sdk-mac_86/platforms/android-4/android.jar\r\n-libraryjars /Users/username/Apps/android-sdk-mac_86/add-ons/google_apis-4_r02/libs/maps.jar\r\n \r\n# misc options\r\n \r\n# commons codec/logging use a lot of reflection don't warn\r\n-dontwarn org.apache.commons.codec.binary.Base64\r\n-dontwarn org.apache.commons.codec.binary.Hex\r\n-dontwarn org.apache.commons.logging.impl.ServletContextCleaner\r\n-dontwarn org.apache.commons.logging.impl.LogKitLogger\r\n-dontwarn org.apache.commons.logging.impl.AvalonLogger\r\n-dontnote org.apache.commons.logging.Log\r\n-dontnote org.apache.commons.logging.LogSource\r\n-dontnote org.apache.commons.logging.impl.Log4JLogger\r\n-dontnote org.apache.james.mime4j.message.storage.TempStorage\r\n\r\n \r\n# bytecode compiled JS uses reflection to bootstrap\r\n-dontnote org.appcelerator.titanium.TiScriptRunner\r\n \r\n# we use reflection for contacts api support post android r4\r\n-dontnote ti.modules.titanium.contacts.CommonContactsApi\r\n-dontnote ti.modules.titanium.contacts.ContactsApiLevel5\r\n \r\n# reflection used to get the internal \"applicationScale\" member in TiPlatformHelper\r\n-dontnote org.appcelerator.titanium.util.TiPlatformHelper\r\n \r\n# thirdparty classes\r\n \r\n-keep class org.mozilla.javascript.jdk13.VMBridge_jdk13\r\n \r\n# app classes\r\n \r\n-keep class com.arcaner.proguard.test1.*\r\n \r\n# module classes / methods\r\n \r\n-keep class ti.modules.titanium.TitaniumModuleBindingGen\r\n-keep class ti.modules.titanium.ui.UIModule\r\n-keep class ti.modules.titanium.ui.UIModuleBindingGen\r\n-keep class ti.modules.titanium.filesystem.FilesystemModule\r\n-keep class ti.modules.titanium.filesystem.FilesystemModuleBindingGen\r\n-keep class ti.modules.titanium.json.JSONModule\r\n-keep class ti.modules.titanium.json.JSONModuleBindingGen\r\n-keep class ti.modules.titanium.locale.LocaleModuleBindingGen\r\n-keep class ti.modules.titanium.android.AndroidModuleBindingGen\r\n-keep class ti.modules.titanium.app.AppModuleBindingGen\r\n-keep class ti.modules.titanium.api.APIModuleBindingGen\r\n-keep class ti.modules.titanium.media.MediaModuleBindingGen\r\n-keep class ti.modules.titanium.analytics.AnalyticsModuleBindingGen\r\n \r\n# proxy binding classes\r\n-keep class org.appcelerator.titanium.**BindingGen\r\n-keep class ti.modules.titanium.ui.WindowProxyBindingGen\r\n-keep class ti.modules.titanium.ui.ButtonProxyBindingGen\r\n-keep class ti.modules.titanium.ui.LabelProxyBindingGen\r\n-keep class ti.modules.titanium.filesystem.FileProxyBindingGen\r\n{code}", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-04-28T16:42:17.000+0000", "updated": "2014-04-28T16:44:05.000+0000" }, { "id": "302735", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "To use the ProGuard file:\r\n\r\n1. Put a file called \"proguard.cfg\" in the project/platform/android directory\r\n2. Create a CLI hook that ties into the pre-compile hook and sets builder.proguard to true.\r\n", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-04-28T16:47:41.000+0000", "updated": "2014-04-28T16:49:02.000+0000" }, { "id": "318694", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Note, to configure for Crittercism: http://docs.crittercism.com/android/android.html#configuring-proguard-symbolication", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-08-14T18:07:04.000+0000", "updated": "2014-08-14T18:07:04.000+0000" }, { "id": "322528", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "It would b worth figuring out what a proper manually-generated ProGuard file looks like these days, and the algorithm for creating one.", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-09-09T15:12:49.000+0000", "updated": "2014-09-09T15:12:49.000+0000" }, { "id": "329253", "author": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "body": "I have attached a sample app that has Proguard enabled with the 3.4 SDK. It has a hacked together proguard.cfg file that probably needs some fixing, but the app and the plugin work. I will attach separately the Proguard plugin that is used in the app.", "updateAuthor": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-10-23T22:44:44.000+0000", "updated": "2014-10-23T22:44:44.000+0000" }, { "id": "329254", "author": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Here is the plugin required to manually enabled proguard. To enable, follow these steps:\r\n\r\n1. Create plugins folder if one does not already exist\r\n2. Add the attached plugin com.proguard.android to the plugins directory\r\n3. Enable the plugin in tiapp.xml by adding\r\n{code}\r\n\r\n com.proguard.android\r\n\r\n{code}\r\n4. Add the ‘proguard.cfg' file in platform/android/ directory", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-10-23T22:45:22.000+0000", "updated": "2014-10-29T20:29:14.000+0000" }, { "id": "329976", "author": { "name": "sfeather", "key": "sfeather", "displayName": "Stephen Feather", "active": true, "timeZone": "America/New_York" }, "body": "Alan, thank you. I'll try to get it put into an app tomorrow for testing.", "updateAuthor": { "name": "sfeather", "key": "sfeather", "displayName": "Stephen Feather", "active": true, "timeZone": "America/New_York" }, "created": "2014-10-29T21:35:56.000+0000", "updated": "2014-10-29T21:35:56.000+0000" }, { "id": "333660", "author": { "name": "tcrist", "key": "tcrist", "displayName": "Travis Crist", "active": true, "timeZone": "America/Los_Angeles" }, "updateAuthor": { "name": "tcrist", "key": "tcrist", "displayName": "Travis Crist", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-11-25T18:24:54.000+0000", "updated": "2014-11-25T18:24:54.000+0000" }, { "id": "333683", "author": { "name": "sfeather", "key": "sfeather", "displayName": "Stephen Feather", "active": true, "timeZone": "America/New_York" }, "body": "I had to modify it all a bit. used -outjar to generated an intermediate jar that was reduced, then modify my proguard config to use it and not the regular jars and my apk was smaller.\r\n\r\nEnded up being faster at times, using google-play-services.jar for example, to use JarJar links to just clean that jar of unused methods before building and just skipping proguard.\r\n\r\nWith libraries such as AWS, the proguard.cfg takes so long to setup and begin to declaring the used methods that its just a lot of wasted time. (no, the AWS recommended proguard.cfg does not work correctly out of the repo)", "updateAuthor": { "name": "sfeather", "key": "sfeather", "displayName": "Stephen Feather", "active": true, "timeZone": "America/New_York" }, "created": "2014-11-25T19:30:36.000+0000", "updated": "2014-11-25T19:30:36.000+0000" }, { "id": "334986", "author": { "name": "mokesmokes", "key": "mokesmokes", "displayName": "Mark Mokryn", "active": true, "timeZone": "Asia/Jerusalem" }, "updateAuthor": { "name": "mokesmokes", "key": "mokesmokes", "displayName": "Mark Mokryn", "active": true, "timeZone": "Asia/Jerusalem" }, "created": "2014-12-05T05:00:48.000+0000", "updated": "2014-12-05T05:00:48.000+0000" }, { "id": "363992", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "[~hpham] [~cbarber] thoughts?", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2015-09-15T18:46:34.000+0000", "updated": "2015-09-15T18:46:34.000+0000" }, { "id": "369168", "author": { "name": "thomascolliers", "key": "thomascolliers", "displayName": "Thomas Colliers", "active": true, "timeZone": "America/Los_Angeles" }, "body": "I've been trying to get this working. As mentioned before, the plugin and sample attached here do run ProGuard but do nothing with the output. Like Stephen I used -outjars to specify an output directory but I'm not sure how to make dexer pick up the processed folder instead of the original classes folder.", "updateAuthor": { "name": "thomascolliers", "key": "thomascolliers", "displayName": "Thomas Colliers", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2015-11-06T07:15:36.000+0000", "updated": "2015-11-06T07:15:36.000+0000" }, { "id": "369182", "author": { "name": "thomascolliers", "key": "thomascolliers", "displayName": "Thomas Colliers", "active": true, "timeZone": "America/Los_Angeles" }, "body": "After many trial and error I finally got it working. I added 2 more event listeners to the plugin that move the classes folder to a temporary folder, proguard will then write to the classes directory so dexer can pick up the right files. I would attach the updated plugin and the proguard configuration I'm using but it seems I am unable to.", "updateAuthor": { "name": "thomascolliers", "key": "thomascolliers", "displayName": "Thomas Colliers", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2015-11-06T12:26:56.000+0000", "updated": "2015-11-06T12:26:56.000+0000" }, { "id": "373336", "author": { "name": "egomez", "key": "egomez", "displayName": "Eduardo Gomez", "active": false, "timeZone": "America/Los_Angeles" }, "body": "[~thomascolliers] can you elaborate what did you have add to the event listeners? Probably post a dropbox link of plugin? ", "updateAuthor": { "name": "egomez", "key": "egomez", "displayName": "Eduardo Gomez", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2015-12-21T16:59:48.000+0000", "updated": "2015-12-21T16:59:48.000+0000" }, { "id": "373619", "author": { "name": "thomascolliers", "key": "thomascolliers", "displayName": "Thomas Colliers", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Here's the plugin code I'm using to switch out the Proguard output with the unobfuscated output so dexer can pick it up: (Linux/OSX only)\r\nhttps://paste.ee/p/8Y7tG", "updateAuthor": { "name": "thomascolliers", "key": "thomascolliers", "displayName": "Thomas Colliers", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2015-12-30T07:12:26.000+0000", "updated": "2015-12-30T07:12:26.000+0000" }, { "id": "428958", "author": { "name": "gmathews", "key": "gmathews", "displayName": "Gary Mathews", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Like [~jquick] and [~cbarber] mentioned, running ProGuard on a Titanium project will offer little to no benefit. The ProGuard config file provided seems to whitelist all of our Titanium namespaces which means they won't be optimised and obfuscated. Nor can they be, due to Titaniums use of reflection.\r\n\r\nThe only benefit to running ProGuard would be in optimising the use of third-party libraries, reducing final APK size. ProGuard is marketed as a \"source optimizer\" and not a security measure (for that they suggest DexGuard). So if optimising is the priority, maybe [ReDex|https://github.com/facebook/redex] would be worth looking into? Since it will work regardless of our reflection requirements.", "updateAuthor": { "name": "gmathews", "key": "gmathews", "displayName": "Gary Mathews", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-10-11T18:51:58.000+0000", "updated": "2017-10-11T18:52:30.000+0000" }, { "id": "428976", "author": { "name": "ben.bahrenburg@gmail.com", "key": "ben.bahrenburg@gmail.com", "displayName": "Ben Bahrenburg", "active": true, "timeZone": "America/Los_Angeles" }, "body": "[~gmathews] I understand that the proxies cannot be obfuscated but shouldn't any internal classes be able to be obfuscated? This allows for any more sensitive operation to be moved into a plain old Java class.\r\n\r\nWithout some form of obfuscation this will be a high / medium finding on any enterprise security review.", "updateAuthor": { "name": "ben.bahrenburg@gmail.com", "key": "ben.bahrenburg@gmail.com", "displayName": "Ben Bahrenburg", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-10-11T22:38:54.000+0000", "updated": "2017-10-11T22:38:54.000+0000" }, { "id": "428981", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "[~ben.bahrenburg@gmail.com], Titanium and its modules are open source. So, obfuscating the code doesn't make a lot of sense (you can freely see the code on github). Just like how Google doesn't bother obfuscating their own open source Android libraries such as their support libraries. Plus, there is no 100% full-proof/future-proof automated way of obfuscating the code without issues since 3rd party code is out of our control and obfuscation would break their usage of reflection too... or features which use reflection indirectly such as via Java Serialization, GSON, HyperLoop, or possibly other means.\r\n\r\nIf you're worried about code being tampered with (ie: your APK decompiled, code changed, re-compiled, and re-signed), then I think a better solution would be \"tamper detection\". This is what code signing is for. So, I think what you're really after here is the ability to check on startup that your APK is signed with the signature you originally signed it with. What do you think?", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-10-11T23:09:58.000+0000", "updated": "2017-10-11T23:09:58.000+0000" }, { "id": "428995", "author": { "name": "ben.bahrenburg@gmail.com", "key": "ben.bahrenburg@gmail.com", "displayName": "Ben Bahrenburg", "active": true, "timeZone": "America/Los_Angeles" }, "body": "[~jquick] I 100% agree with your statement for commercial apps. The trouble happens when you enter the enterprise space. The approach you mention, ie don't obfuscate, doesn't match the OWASP guidelines, which govern most of the industry https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide \r\n\r\nIf this was native, the developer would need to determine the best proguard settings to cover both the app and their dependencies. I would recommend that we allow for the same opportunity for Ti. This does a few things. First allows your enterprise customers the flexibility in a \"safe space\" to be able show they are meeting the OWASP requirement. Secondly it allows the non proxy objects in the Ti framework or modules to be obfuscate. This allows for the ecosystem to more easily create the \"tamper detection\" methods you mentioned.\r\n\r\nPlease note I've implemented the OWASP tamper detection methods within Titanium. I'm happy to discuss how these could be contributed back to the community.\r\n\r\n", "updateAuthor": { "name": "ben.bahrenburg@gmail.com", "key": "ben.bahrenburg@gmail.com", "displayName": "Ben Bahrenburg", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-10-12T00:05:49.000+0000", "updated": "2017-10-12T00:05:49.000+0000" }, { "id": "428997", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "[~ben.bahrenburg@gmail.com], probably the simplest solution would be to set up ProGuard to not obfuscate anything using a Java @Kroll annotation. That would likely cover most of the reflection issues between JavaScript and Java in Titanium. That and any classes referenced in the AndroidManifest.xml would have to be on the list too.\r\n\r\nBut from there, I think it would have to be the app developer's responsibility to disable obfuscation for any other APIs reflected upon via 3rd party code or by the app developer via HyperLoop. That's where I think we can't provide a 100% full-proof solution. But that said, it's not any better for a native developer using Android Studio either.\r\n\r\nHmm...", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-10-12T00:58:00.000+0000", "updated": "2017-10-12T00:58:00.000+0000" }, { "id": "428998", "author": { "name": "ben.bahrenburg@gmail.com", "key": "ben.bahrenburg@gmail.com", "displayName": "Ben Bahrenburg", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Thanks [~jquick] . I think this would give the Ti developers the same footing, if not better (given JS encryption) than native developers. Is there anything that I can help with implementing or testing? Additionally happy to contribute the tamper methods if that would be helpful to core or AppC.", "updateAuthor": { "name": "ben.bahrenburg@gmail.com", "key": "ben.bahrenburg@gmail.com", "displayName": "Ben Bahrenburg", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-10-12T01:03:33.000+0000", "updated": "2017-10-12T01:03:33.000+0000" }, { "id": "429927", "author": { "name": "emerriman", "key": "emerriman", "displayName": "Eric Merriman ", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Hello all, due to the volume of items and the schedule for 7.0.0 and the technological challenge for this feature, this ticket will be moved to 7.1.0. ", "updateAuthor": { "name": "emerriman", "key": "emerriman", "displayName": "Eric Merriman ", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-10-31T21:46:22.000+0000", "updated": "2017-10-31T21:46:22.000+0000" }, { "id": "431868", "author": { "name": "fahad86", "key": "fahad86", "displayName": "Muhammad Ahmed Fahad", "active": true, "timeZone": "Asia/Shanghai" }, "body": "Would really love to see this soon. Without this apps with multiple dex files are getting created which is totally incompatible with Android 4.X.X", "updateAuthor": { "name": "fahad86", "key": "fahad86", "displayName": "Muhammad Ahmed Fahad", "active": true, "timeZone": "Asia/Shanghai" }, "created": "2017-12-08T08:36:07.000+0000", "updated": "2017-12-08T08:36:07.000+0000" }, { "id": "433559", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "[~fahad86], in the upcoming Titanium 7.0.2 release, multidex'ed apps will be able to run on Android 4.x (see [TIMOB-25597]). ProGuard is not required. It'll just work.", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2018-01-24T01:09:00.000+0000", "updated": "2018-01-24T01:09:00.000+0000" }, { "id": "433563", "author": { "name": "fahad86", "key": "fahad86", "displayName": "Muhammad Ahmed Fahad", "active": true, "timeZone": "Asia/Shanghai" }, "body": "@Joshua Quick :D happy for this. Thank you very much.", "updateAuthor": { "name": "fahad86", "key": "fahad86", "displayName": "Muhammad Ahmed Fahad", "active": true, "timeZone": "Asia/Shanghai" }, "created": "2018-01-24T02:00:13.000+0000", "updated": "2018-01-24T02:00:13.000+0000" } ], "maxResults": 50, "total": 50, "startAt": 0 } } }