datatrans / android-sdk

Accept payments on your Android apps: Our mobile SDKs support your entire payment and registration process and simplify the integration of any payment method in your mobile apps.

Obfuscated package names should be repackaged in a default package name to avoid naming clashes #22

Closed joost-klitsie closed 2 months ago

joost-klitsie commented 10 months ago

As seen in this image, the obfuscated package names inside the datatrans sdk ("a", "a0", "b", etc...) are at the root of the classes.jar. This means that classes like a.a have a high chance of having duplicate class names in other (obfuscated) dependencies. And if another dependency uses the same naming, we can get clashes in class names.

image

For example, the instabug library also had all their obfuscated class names existing on the root (by mistake) and that led to release build errors as such (until they fixed it):

Duplicate class a.a found in modules android-sdk-3.3.0-runtime (ch.datatrans:android-sdk:3.3.0) and instabug-apm-okhttp-interceptor-12.3.1-runtime (com.instabug.library:instabug-apm-okhttp-interceptor:12.3.1)

I suggest that you repackage classes (the ones that you wish to obfuscate) into a unique package, for example ch.datatrans. Then instead of having classes like a.a, it will be ch.datatrans.a.a, which should be unique in the project and should have a very low chance of duplicate class names with other (third-party) dependencies.

Maybe you can look into something like this: https://www.guardsquare.com/manual/configuration/usage#repackageclasses
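The check described in the comment above, as an added example that is not part of the original issue or of the Datatrans SDK: it lists the classes in each .jar/.aar, reports class names defined by more than one artifact, and flags classes whose top-level package looks like an obfuscated root name. The sample archives, their names and the "single letter plus digits" heuristic are assumptions made for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

def class_names(archive_bytes):
    """Return fully qualified class names in a .jar, or in the classes.jar nested in an .aar."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for entry in zf.namelist():
            if entry == "classes.jar":  # AAR layout: bytecode lives in a nested jar
                names |= class_names(zf.read(entry))
            elif entry.endswith(".class") and not entry.startswith("META-INF/"):
                names.add(entry[:-len(".class")].replace("/", "."))
    return names

def find_clashes(artifacts):
    """Map every class name defined by more than one artifact to the sorted artifact names."""
    owners = defaultdict(set)
    for artifact, data in artifacts.items():
        for cls in class_names(data):
            owners[cls].add(artifact)
    return {cls: sorted(found) for cls, found in owners.items() if len(found) > 1}

def root_obfuscated(archive_bytes):
    """Classes whose top-level package is one letter plus optional digits ('a', 'a0'): a heuristic."""
    return sorted(c for c in class_names(archive_bytes)
                  if "." in c and re.fullmatch(r"[a-z]\d*", c.split(".")[0]))

def _jar(entries):
    """Build a constructed in-memory archive; entry payloads are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed sample artifacts (hypothetical contents, not the real SDK or any real library).
OLD_SDK = _jar({"classes.jar": _jar({"a/a.class": b"", "ch/datatrans/Api.class": b""})})
NEW_SDK = _jar({"classes.jar": _jar({"ch/datatrans/a/a.class": b"", "ch/datatrans/Api.class": b""})})
OTHER_LIB = _jar({"a/a.class": b"", "a0/b.class": b"", "com/example/Lib.class": b""})

if __name__ == "__main__":
    print(find_clashes({"sdk-old.aar": OLD_SDK, "other-lib.jar": OTHER_LIB}))
    print(root_obfuscated(OTHER_LIB))
```

Running such a check over the resolved release classpath surfaces the clash before the release build fails on the duplicate class error.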

jschmid commented 2 months ago

Hi there!

In release 3.7.0 you mention that this bug is fixed. That is partly incorrect.

Decompiling android-sdk-3.7.0.aar shows that indeed you now correctly use your own namespace:

Screenshot 2024-08-21 at 13 24 44

However, you have updated a version of the Twint dependency. And this version now contains class names such as a.a, as seen in twint-sdk-android-8.0.0.jar

Screenshot 2024-08-21 at 13 26 13

Therefore you only moved the problem, but not fixed it. Hopefully this can be fixed by #25.

bacherma commented 2 months ago

@jschmid Please let's not mix issues here. The TWINT dependency is not under our control. We have forwarded the request to change obfuscated package names to the developers. However, your issue is that the same dependency is added twice in your project which is not related to obfuscated package names.

I'm closing this issue: Resolved in https://github.com/datatrans/android-sdk/releases/tag/3.7.0.

jschmid commented 2 months ago

As I have no way to know that an SDK published under https://**datatrans**.jfrog.io/ui/native/mobile-sdk/ch/twint/payment/twint-sdk-android/8.0.0/ is not under your control, I felt the need to make sure that this would be fixed. Thank you for forwarding the request to them.

natronite commented 2 months ago

FYI: The TWINT SDK will have this fixed in the future.