
I am using a library or a dependency that has a security problem in one of its sub-packages. Assume that the name of the package is parent and the name of the sub-package that is causing the problem is child. Unfortunately, I have to -keep the package to make the app work, otherwise I get the famous crash that says no such method exception or whatever. So I need to keep the package. The issue is that when uploading the APK to Google Play Console, I get a security issue inside one of the sub-packages of this third-party package. Is there a way to ask R8/ProGuard to -keep only parent but remove the child?

I tried with ChatGPT and I got this answer, but I don't think it is working:

-keep class com.example.parent.** {
    *;
    !public class com.example.parent.child;
}

I read the whole documentation of R8 in Android, and also read a little in the docs of ProGuard in general, but I don't think I could find anything useful.

Mohammad Elsayed

1 Answer

Based on this answer, you can keep the entire package while excluding one subpackage as follows:

-keep class !com.example.parent.child.**, com.example.parent.** { *; }

See how it behaves in ProGuard Playground: https://playground.proguard.com/p/aecEkJ

Note that the shrinker might still keep the classes from the child package if they are referenced by retained classes. In this case, use the -whyareyoukeeping directive to find out the reason.

Another possible workaround for this issue is to edit the library itself by removing the undesired subpackage.

Alex Lipov
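Why the negated entry has to come first in the rule from the answer above, shown as an added example that is not part of the original posts and is not ProGuard or R8 code: a simplified Python model of how a comma-separated class-name list with `!` negators is evaluated, where the first matching entry decides. The class names are constructed samples, and the helper names (`to_regex`, `selected`, `kept`) and the reversed-order rule are hypothetical, included only for contrast.

```python
import re

# Constructed sample class names; com.example.parent / child are the page's placeholders.
SAMPLE_CLASSES = [
    "com.example.parent.Api",
    "com.example.parent.util.Helper",
    "com.example.parent.child.Risky",
    "com.example.parent.child.inner.Deep",
    "com.other.Thing",
]
ANSWER_ORDER = "!com.example.parent.child.**, com.example.parent.**"
REVERSED_ORDER = "com.example.parent.**, !com.example.parent.child.**"  # for contrast only


def to_regex(pattern):
    """Translate class-name wildcards: ** crosses packages, * and ? do not."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^.]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^.]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def selected(class_name, name_list):
    """Walk the list left to right; the first entry that matches decides."""
    for entry in (e.strip() for e in name_list.split(",")):
        negated = entry.startswith("!")
        if to_regex(entry.lstrip("!")).fullmatch(class_name):
            return not negated
    return False  # simplification: no entry matched, so the rule does not apply


def kept(classes, name_list):
    return [c for c in classes if selected(c, name_list)]


if __name__ == "__main__":
    print("answer order:  ", kept(SAMPLE_CLASSES, ANSWER_ORDER))
    print("reversed order:", kept(SAMPLE_CLASSES, REVERSED_ORDER))
```

The model only covers which names the -keep rule selects; as the answer notes, classes from the child package that are referenced by retained classes can still survive shrinking.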