Broad proguard consumer rules e.g. -dontoptimize, -dontshrink

[mrjameshamilton]

We noticed that your proguard.txt consumer rules inside your library aar looks like the following:

-dontoptimize
-dontobfuscate

# Prints some helpful hints, always add this option
-verbose

-keepattributes SourceFile,LineNumberTable,Exceptions,InnerClasses,Signature,Deprecated,*Annotation*,EnclosingMethod

# add all known-to-be-safely-shrinkable classes to the beginning of line below
-keep class !androidx.legacy.**,!com.google.android.**,** { *; }

The proguard.txt file contains consumer rules that are applied by users of your library. This means that when someone uses your library and applies ProGuard/R8 to their own app, these rules will be applied and their app will not be obfuscated.

The consumer rules should specifically keep the parts of your library that are necessary for it to work for a consumer. It shouldn't contain broad rules like -dontobfusate or -keep rules with ** or -verbose or in most cases -keepattributes.

Could you please update your consumer rules?

Thanks!

See e.g. https://google.github.io/android-gradle-dsl/current/com.android.build.gradle.internal.dsl.DefaultConfig.html#com.android.build.gradle.internal.dsl.DefaultConfig:consumerProguardFiles or e.g. https://android.jlelse.eu/proguard-r8-in-the-world-of-modularity-f599650b4553

[botnerd]

Thank you for the detailed information. We'll take a look and update it as soon as we can.

[botnerd]

We're working on a fix for this now. We are going through testing to make sure it doesn't cause any runtime crashes due to the obsfucation. We're trying to get this in the next release or shortly after. If you would like to test a pre-release to make sure it doesn't introduce errors for your app, let us know.

[mrjameshamilton]

Thanks for the update! It was actually one of our customers who reported a problem caused by this to us (we're the developers of ProGuard & DexGuard) but we can update them once you've made the release.

[botnerd]

That would be great. They are also welcome to reach out to us through their customer success manager so we can work with them directly to verify the fix.

[botnerd]

This has now been resolved in release v1.4.0. Please let us know if you have any issues with the update.

[mrjameshamilton]

Hi @botnerd, thanks for the update! Unfortunately, I see that there are still broad rules in the proguard.txt.

• -verbose shouldn't be there, since then a user of your library cannot turn verbose off
• -keep class !androidx.legacy.**,!com.google.android.**,** { *; } -> this means keep all classes except androidx.legacy.** / !com.google.android.*; which means all classes except those classes would be kept in a user application so the application would not be obfuscated.
• attributes: does your library need for example, SourceFile or LineNumberTable?

If you have questions about ProGuard or keep rules, you could head over to the Guardsquare Community for advice & tips on ProGuard https://community.guardsquare.com/

[botnerd]

Thanks @mrjameshamilton . I thought we removed all of that. We'll take another pass at it. I'll reopen this issue to address it.

[botnerd]

This is now fixed in https://github.com/RadiusNetworks/flybuy-android/releases/tag/sdk-v1.4.1. Please let us know if you have any additional concerns.