38

I find myself needing more detail in my reported stack traces, but I'm concerned that by including the extra data (by using -keepattributes SourceFile,LineNumberTable) I'm making my app even easier to reverse engineer. Is this the case, and if so, by how much?

Vinoth
wirbly

4 Answers

44

ProGuard manual > Examples > Producing useful obfuscated stack traces

The SourceFile attribute is required, because Oracle/Sun's Java virtual machine otherwise does not include line numbers in stack traces, which is what you really want (and which is quite harmless on its own). I haven't checked if this is true for Android's Dalvik virtual machine.

As for a solution, ProGuard can keep the SourceFile attribute but replace its contents by a meaningless string of your choice, e.g.

-renamesourcefileattribute SourceFile

The value of the string is not important for interpreting the stack traces. Picking a string like "SourceFile" avoids increasing the class file sizes, because this string is already present by definition.

Eric Lafortune
  • @Eric, why garble class names if you're going to keep the source file attribute? Sure, stack traces will be useless, but isn't that the point of obfuscation? – mP. Jul 21 '11 at 00:37
  • 2
    @mP The above configuration keeps the SourceFile attribute, but replaces its contents. The JVM will then print out complete stack traces, but with obfuscated names. These can be useful for debugging the obfuscated application, with the help of the mapping file that ProGuard generates for the developer. – Eric Lafortune Aug 09 '11 at 21:28
  • "and which is quite harmless": how is it harmless if anyone can see the actual file name after decompiling? That makes obfuscating completely useless. – xmen Jan 15 '14 at 13:21
  • 1
    @xmenW.K. See the comments above -- the actual file name is gone; it is replaced by a meaningless string, e.g. "SourceFile". – Eric Lafortune Jan 16 '14 at 19:01
  • Yes, only after using '-renamesourcefileattribute' – xmen Jan 17 '14 at 03:15
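
A build-time check for what the answer above describes, as an added example that is not part of the original answers or of ProGuard: it reads the class-level SourceFile attribute from a compiled class file, so you can confirm that -renamesourcefileattribute replaced the original file name before shipping. The function names and the sample class (including the name PaymentValidator.java) are constructed for illustration.

```python
import struct

# Constant-pool payload sizes by tag (JVM spec 4.4); Utf8 (tag 1) is variable-length.
CP_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
           12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def source_file(data):
    """Return the class-level SourceFile attribute value, or None if it was stripped."""
    magic, _minor, _major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, utf8, i = 10, {}, 1
    while i < cp_count:
        tag = data[pos]
        if tag == 1:
            (n,) = struct.unpack_from(">H", data, pos + 1)
            utf8[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        else:
            pos += 1 + CP_SIZE[tag]
        i += 2 if tag in (5, 6) else 1       # long/double occupy two pool slots
    (n_ifaces,) = struct.unpack_from(">H", data, pos + 6)  # after access/this/super
    pos += 8 + 2 * n_ifaces
    def attributes(pos):
        (count,) = struct.unpack_from(">H", data, pos)
        pos, out = pos + 2, []
        for _attr in range(count):
            name, length = struct.unpack_from(">HI", data, pos)
            out.append((utf8[name], data[pos + 6:pos + 6 + length]))
            pos += 6 + length
        return out, pos
    for _section in range(2):                # skip the fields table, then the methods table
        (count,) = struct.unpack_from(">H", data, pos)
        pos += 2
        for _member in range(count):
            pos = attributes(pos + 6)[1]     # 6 bytes: access, name, descriptor
    for name, body in attributes(pos)[0]:
        if name == "SourceFile":
            return utf8[struct.unpack(">H", body)[0]]
    return None

def sample_class(source_name):
    """Constructed minimal class 'a' (no fields or methods) with one SourceFile attribute."""
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = (u("a") + b"\x07\x00\x01" + u("java/lang/Object") + b"\x07\x00\x03"
          + u("SourceFile") + u(source_name))
    return (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7) + cp
            + struct.pack(">HHHHHH", 0x21, 2, 4, 0, 0, 0)  # flags, this, super, no ifaces/fields/methods
            + struct.pack(">HHIH", 1, 5, 2, 6))            # one attribute: SourceFile -> pool entry 6
```

Run over every class in a release build, any returned value ending in .java (or .kt) means the original file name is still present in that class.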
2

I am not exactly sure of what happens, but given the source file name contains the actual name of the class, someone could use this to map obfuscated class names into real class names. Given obfuscation already jumbles everything up, why keep the source file at all? Everything should and will still run; the debug details are not required by the runtime, so it makes no sense to keep them. The more you remove the better, given your goals.

mP.
0

I think you can just use:

-keepattributes LineNumberTable
double-beep
zht2005
0
-renamesourcefileattribute
-keepattributes SourceFile, LineNumberTable,Signature,Exceptions,InnerClasses,EnclosingMethod

or

-renamesourcefileattribute ''
-keepattributes SourceFile, LineNumberTable,Signature,Exceptions,InnerClasses,EnclosingMethod

Just leaving the file name empty is OK.

Victor Choy