LSPosed/LSParanoid

Concatenated strings are not obfuscated if bytecode targets Java 9+

mirfatif opened this issue · 3 comments

It looks like the bytecode compiled for Android apps (APK) and libraries (AAR) always targets Java 8 (or below) even if a bigger version is used, as in a gradle project:

android {
  compileOptions {
    sourceCompatibility = JavaVersion.VERSION_11
    targetCompatibility = JavaVersion.VERSION_11
  }
}

But if the app depends on a Java library (JAR), and the library is built with -source 9 -target 9 (or above), as in a gradle project:

java {
    sourceCompatibility = JavaVersion.VERSION_11
    targetCompatibility = JavaVersion.VERSION_11
}

In this case, strings concatenated with + are not obfuscated because they are not pushed onto the stack using ldc. So visitLdcInsn cannot intercept (and hence manipulate) them. It's because String concatenation behavior was changed in Java 9.

Writing this for future reference. Please close the issue if you do not want to fix this.

We have fixed it

it.options.compilerArgs.add("-XDstringConcat=inline")

We already know about this issue, but we think it's weird to obfuscate external dependencies and therefore not worth the effort. PR welcome.

> We have fixed it
>
> it.options.compilerArgs.add("-XDstringConcat=inline")

Great. But it affects only the app module, not its dependencies. This one should work for all:

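import org.gradle.api.tasks.compile.JavaCompile
import org.jetbrains.kotlin.gradle.tasks.KotlinCompile

// Apply to every subproject so library modules are compiled the same way as the app.
project.rootProject.subprojects { subProject ->
  // javac: emit inline StringBuilder concatenation instead of invokedynamic
  subProject.tasks.withType(JavaCompile::class.java) {
    it.options.compilerArgs.add("-XDstringConcat=inline")
  }
  // kotlinc: same for Kotlin string templates and concatenation
  subProject.tasks.withType(KotlinCompile::class.java) {
    it.kotlinOptions.freeCompilerArgs += "-Xstring-concat=inline"
  }
}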

> We already know about this issue, but we think it's weird to obfuscate external dependencies and therefore not worth the effort. PR welcome.

I've a few Java API libraries shared with backend servers and frontend apps. And a utility library I use in all of my Java apps (Android and non-Android). So obfuscating them makes sense to me.
I just got introduced to bytecode manipulation 2 days back when figuring out why some strings were not obfuscated. So I'm not the right person to send a PR :)
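To check which classes in a dependency JAR still carry concatenated literals outside ldc, the constant pool can be scanned for a reference to java/lang/invoke/StringConcatFactory and for the concat "recipe" strings that javac 9+ passes to it. This is an added example, not LSParanoid code or anything posted in the thread; the function names and the sample JAR are constructed for illustration, and treating any string constant containing \u0001 as a recipe is a heuristic.

```python
import io
import struct
import zipfile

# Constant-pool tag -> payload size in bytes (JVM spec 4.4); Utf8 (tag 1) is variable.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
FACTORY = b"java/lang/invoke/StringConcatFactory"

def concat_recipes(class_bytes):
    """Return indy string-concat recipes: literals that never pass through ldc."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, utf8, strings = 10, 1, {}, []
    while idx < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:                                   # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            utf8[idx] = class_bytes[pos + 2:pos + 2 + length]
            pos += 2 + length
        else:
            if tag == 8:                               # CONSTANT_String -> Utf8 index
                strings.append(struct.unpack_from(">H", class_bytes, pos)[0])
            pos += CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1               # long/double take two slots
    if FACTORY not in utf8.values():
        return []
    return [utf8[i].decode("utf-8", "replace").replace("\x01", "{}")
            for i in strings if b"\x01" in utf8[i]]    # \u0001 marks a dynamic argument

def scan_jar(jar):
    """Map class name -> recipes for each class in a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        found = {n: concat_recipes(zf.read(n)) for n in zf.namelist() if n.endswith(".class")}
    return {n: r for n, r in found.items() if r}

def sample_class(indy):
    """Constructed header + constant pool only; not a loadable class."""
    u = lambda b: b"\x01" + struct.pack(">H", len(b)) + b
    pool = [u(b"token=\x01" if indy else b"token="), b"\x08\x00\x01"]
    if indy:
        pool.append(u(FACTORY))
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 55 if indy else 52, len(pool) + 1) + b"".join(pool)

SAMPLE_JAR = io.BytesIO()  # constructed two-class JAR, built in memory
with zipfile.ZipFile(SAMPLE_JAR, "w") as _zf:
    _zf.writestr("lib/Indy.class", sample_class(True))
    _zf.writestr("lib/Inline.class", sample_class(False))
```

An empty result from `scan_jar` on a library rebuilt with the inline concat flags indicates its literals are back on the ldc path.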