Skip to content

String obfuscator for Android applications

License

Notifications You must be signed in to change notification settings

Androidacy/LSParanoid

 
 

Repository files navigation

LSParanoid

String obfuscator for Android applications. LSParanoid supports configuration cache.

This library has been modified from the original for Androidacy's internal usage. We do not warrant that this library will work in any other circumstances or scenarios, nor is it part of our supported product portfolio.

This library is not intended as a security tool. Security by obscurity is never a good idea.

Usage

In order to make LSParanoid work with your project you have to apply the LSParanoid Gradle plugin to the project.

The following is an example settings.gradle.kts to apply LSParanoid.

pluginManagement {
  repositories {
    mavenCentral()
  }
  plugins {
    id("com.github.Androidacy:LSParanoid") version "......"
  }
}

Now you can just annotate classes with strings that need to be obfuscated with @Obfuscate. After you project compiles every string in annotated classes will be obfuscated.

Note that you should use at least Java 17 to launch the gradle daemon for this plugin (this is also required by AGP 8+). The project that uses this plugin on the other hand does not necessarily to target Java 17.

Configuration

Paranoid plugin can be configured using lsparanoid extension object.

The following is an example build.gradle.kts that configures lsparanoid extension object with default values.

plugins {
    id("org.lsposed.lsparanoid")
    // other plugins...
}

lsparanoid {
  seed = null
  classFilter = null
  includeDependencies = false
  variantFilter = { true }
}

The extension object contains the following properties:

  • seed - Integer. A seed that can be used to make obfuscation stable across builds. Default value is null. Set it to non-null can make the obfuscation task cacheable.
  • classFilter - (String) -> boolean. If set, it allows to filter out classes that should be obfuscated. Use classFilter = { true } to turn on global obfuscation i.e. obfuscate all classes, not only annotated ones. Or apply a filter like classFilter = { it.startsWith("com.example.") } or classFilter = { it != "module-info" }. Default value is null.
  • includeDependencies - boolean. If true, the obfuscation will be applied to all dependencies. Default value is false.
  • variantFilter - (Variant) -> boolean. Allows to filter out variants that should be obfuscated. Default value always returns true. Note that you can set seed, classFilter and includeDependencies dynamically for each variant in variantFilter. For example
    variantFilter = { variant -> 
        // enable global obfuscate for globalObfuscate flavor release build
        if (variant.flavorName == "globalObfuscate" && variant.buildType == "release") {
            seed = 114514
            classFilter = { true }
            true
        } else if (variant.buildType == "release") {
            seed = 1919810
            classFilter = null
            true
        } else {
            false
        }
    }

How it works

Let's say you have an Activity that contains some string you want to be obfuscated.

@Obfuscate
public class MainActivity extends AppCompatActivity {
  private static final String QUESTION = "Q: %s";
  private static final String ANSWER = "A: %s";

  @Override
  protected void onCreate(final Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main_activity);

    final TextView questionTextView = (TextView) findViewById(R.id.questionTextView);
    questionTextView.setText(String.format(QUESTION, "Does it work?"));

    final TextView answerTextView = (TextView) findViewById(R.id.answerTextView);
    answerTextView.setText(String.format(ANSWER, "Sure it does!"));
  }
}

The class contains both string constants (QUESTION and ANSWER) and string literals. After compilation this class will be transformed to something like this.

@Obfuscate
public class MainActivity extends AppCompatActivity {
  private static final String QUESTION = Deobfuscator.getString(4);
  private static final String ANSWER = Deobfuscator.getString(5);

  protected void onCreate(final Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main_activity);

    final TextView questionTextView = (TextView) findViewById(R.id.questionTextView);
    questionTextView.setText(String.format(Deobfuscator.getString(0), Deobfuscator.getString(1)));

    final TextView answerTextView = (TextView) findViewById(R.id.answerTextView);
    answerTextView.setText(String.format(Deobfuscator.getString(2), Deobfuscator.getString(3)));
  }
}

Credit

LSParanoid was originally forked from https://github.com/MichaelRocks/paranoid. Credits to its original author Michael Rozumyanskiy.

This version was forked from https://github.com/LSPosed/LSParanoid. Credits to LSPosed Developers.

License

Copyright 2021 Michael Rozumyanskiy
Copyright 2023 LSPosed
Copyright 2024 Androidacy

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

About

String obfuscator for Android applications

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Kotlin 91.2%
  • Java 8.8%