StringCare/AndroidLibrary

Plugin not working when I make aar library (com.android.library)

eidola7 opened this issue · 7 comments

When I build an aar library, the encrypted strings are not included in the aar file.

After the library module build completes,
I open and check the values.xml files under this location: 'module'\build\intermediates\res\merged\'variant'\'buildType'\values
The strings are all encrypted as well.

But it seems that the 'res\values.xml' file in the aar library is not encrypted (the original file itself?).
Is there any point I am missing?

@efraespada
The string resource file in my project:
main\res\values\stings.xml
has
<string name="app_name" hidden="true">TestApp</string>

When I build the AAR, the Gradle log shows me that string encryption is progressing well, and finally
'module'\build\intermediates\res\merged\ "variant" \ "buildType" \values\values.xml
has the encrypted string...
<string name="app_name" hidden="true">B291D296DDC7A0ACF251E01BACDEE2BF</string>
It seems that the plugin is working.

However, if I rename that 'moduleName'.aar file to 'moduleName'.zip,
res\values\values.xml in the .zip file
has
<string name="app_name" hidden="true">TestApp</string>
The unencrypted (original) string is included in the .aar.
That's not what I expected.

Any idea?
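The manual check described in the comment above (open the .aar as a zip and read res\values\values.xml) can be automated as a post-build gate. This is an added example, not part of the original thread or the StringCare project; it assumes encrypted values look like the sample in this thread (a run of hex digits), and the function names and in-memory sample archives are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: an encrypted value is an even-length hex run, like the
# B291D2... sample in this thread. A plaintext secret that happens to be
# pure hex would slip through this heuristic.
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")
# AAR entries use forward slashes; cover values/, values-xx/, etc.
VALUES_RE = re.compile(r"res/values[^/]*/[^/]+\.xml")


def plaintext_hidden_strings(aar):
    """Return (entry, name, value) for every hidden="true" string
    in the archive whose value is not hex-encoded."""
    findings = []
    with zipfile.ZipFile(aar) as zf:
        for entry in zf.namelist():
            if not VALUES_RE.fullmatch(entry):
                continue
            root = ET.fromstring(zf.read(entry))
            for el in root.iter("string"):
                if el.get("hidden") != "true":
                    continue  # only strings marked for encryption matter
                value = (el.text or "").strip()
                if not HEX_RE.fullmatch(value):
                    findings.append((entry, el.get("name"), value))
    return findings


def build_sample_aar(values_xml):
    """Constructed test input: a minimal in-memory archive shaped like an AAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("res/values/values.xml", values_xml)
    buf.seek(0)
    return buf


# Constructed samples mirroring the two values.xml states quoted in the thread.
LEAKY = '<resources><string name="app_name" hidden="true">TestApp</string></resources>'
ENCRYPTED = ('<resources><string name="app_name" hidden="true">'
             'B291D296DDC7A0ACF251E01BACDEE2BF</string></resources>')

if __name__ == "__main__":
    for label, xml in (("leaky", LEAKY), ("encrypted", ENCRYPTED)):
        print(label, plaintext_hidden_strings(build_sample_aar(xml)))
```

`plaintext_hidden_strings` also accepts a filesystem path to a real .aar, so a CI step can fail the build when the returned list is non-empty.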

@eidola7 I think you can't do it.
When you try to use your aar file in another app, the fingerprint will be different. Context is needed for getting the fingerprint:

public class YourApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        Library.init(this);
    }

}
public class Library {

    private Library() {
        // ..
    }

    public static void init(Context context) {
        // Your library will use your app's fingerprint,
        // which won't be the same as the one used at aar compilation
        SC.init(context);
    }

}

StringCare library won't be able to decrypt your strings at run time.

No idea about how these strings aren't being encrypted at compilation time

Update

This problem (not the issue) is resolved in version 0.8.

@eidola7 I just released v0.8 of the library in order to solve the problem I mentioned to you.
Please check out the readme in the develop branch to see how to set your library up to work with the StringCare library.

Now the original problem: strings aren't being encrypted when the aar file is built.
The plugin doesn't look for string files in the build folder; it only rewrites the original string file before the build process merges resources.

Could you show me your Gradle output console with debug flag enabled?

stringcare {
    debug true
}

Hi @eidola7, I just fixed the problem with library resources encryption but I noticed a great vulnerability at runtime.
I also noticed a second problem: the SC library cannot get the library fingerprint.

@efraespada Thank you for your help!
But I still cannot test version 0.8.
I get a Gradle sync error: "Could not find com.stringcare:plugin:0.8"
Versions 0.6 and 0.7 have no Gradle sync error. Only v0.8 shows me the error log.

About the fingerprint, I understand the difference between app and library.
If I use the same signature for app & lib, then the fingerprint is also the same, right?
I will manage that carefully.

Hi @eidola7, I'm working on the next version, which won't use fingerprints. Every module in your project (app, library) will generate its own key at runtime/compilation time, allowing libraries to be exported as aar files with encrypted content.

With the current version (which can't get the lib's fingerprint), if you export your lib as an aar file it's possible that when you implement your lib in the same app, the fingerprint could have changed.

Thanks for your patience.

Hi @eidola7, here is a similar issue where StringCare works in libraries (but it doesn't obfuscate library's strings, only external data).

I couldn't continue working on the sign issue. I'll let you know if there is an improvement on that.