scottyab / secure-preferences

Android SharedPreferences wrapper that encrypts the values of Shared Preferences. It's not bullet-proof security but rather a quick win for incrementally making your Android app more secure.

Add custom ProGuard/DexGuard config #26

Closed XandrMaster closed 9 years ago

XandrMaster commented 9 years ago

08-02 05:00:41.356 1533-1533/erparchitector.findwork.app.android E/AndroidRuntime: FATAL EXCEPTION: main
java.lang.SecurityException: new SecureRandom() backed by wrong Provider: class com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes$LinuxPRNGSecureRandomProvider
    at com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.installLinuxPRNGSecureRandom(Unknown Source)
    at com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.apply(Unknown Source)
    at com.tozny.crypto.android.AesCbcWithIntegrity.fixPrng(Unknown Source)
    at com.tozny.crypto.android.AesCbcWithIntegrity.generateKeyFromPassword(Unknown Source)
    at com.tozny.crypto.android.AesCbcWithIntegrity.generateKeyFromPassword(Unknown Source)
    at com.securepreferences.SecurePreferences.generateAesKeyName(Unknown Source)
    at com.securepreferences.SecurePreferences.<init>(Unknown Source)
    at com.securepreferences.SecurePreferences.<init>(Unknown Source)
    at com.securepreferences.SecurePreferences.<init>(Unknown Source)
    at erparchitector.findwork.app.android.utils.Preferences.<init>(Unknown Source)
    at erparchitector.findwork.app.android.network.Session.getInstance(Unknown Source)
    at erparchitector.findwork.app.android.App.getSession(Unknown Source)
    at erparchitector.findwork.app.android.gui.ProfileContainer.onCreate(Unknown Source)
    at android.support.v4.app.Fragment.performCreate(Unknown Source)
    at android.support.v4.app.FragmentManagerImpl.moveToState(Unknown Source)
    at android.support.v4.app.FragmentManagerImpl.moveToState(Unknown Source)
    at android.support.v4.app.BackStackRecord.run(Unknown Source)
    at android.support.v4.app.FragmentManagerImpl.execPendingActions(Unknown Source)
    at android.support.v4.app.FragmentManagerImpl$1.run(Unknown Source)
    at android.os.Handler.handleCallback(Handler.java:725)
    at android.os.Handler.dispatchMessage(Handler.java:92)
    at android.os.Looper.loop(Looper.java:137)
    at android.app.ActivityThread.main(ActivityThread.java:5041)
    at java.lang.reflect.Method.invokeNative(Native Method)
    at java.lang.reflect.Method.invoke(Method.java:511)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:793)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:560)
    at dalvik.system.NativeStart.main(Native Method)

After proguard obfuscation :(

scottyab commented 9 years ago

Can you supply your proguard.cfg?

XandrMaster commented 9 years ago

Yes, of course:

-dontwarn *
-dontshrink
-dontoptimize
-keep class com.google.* { *; }
-keep class android.* { *; }
-keep class org.apache.* { *; }
-keep class com.activeandroid.* { *; }
-keep class com.squareup.* { *; }
-keep class retrofit.* { *; }
-keep class rx.* { *; }
-keep class com.facebook.* { *; }
-keep class pl.charmas.* { *; }
-keep class com.orhanobut.* { *; }
-keep class com.tozny.* { *; }
-keep class com.securepreferences.* { *; }
-keep class com.scottyab.* { *; }
-keep class java.security.* { *; }
-keep class javax.crypto.* { *; }
-keep class org.acra.* { *; }
-keep class okio.* { *; }
-keep class bolts.* { *; }
-keep class pl.charmas.* { *; }

-keep class erparchitector.findwork.** { *; }

-keepattributes Signature

# Gson specific classes
-keep class sun.misc.Unsafe { *; }
-keep class sun.misc.** { *; }
-keep class com.google.gson.stream.** { *; }

# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { *; }

-printmapping classes-processed-proguard.map

danybony commented 9 years ago

I had the same problem in a project using Secure-preferences. Adding the following to the Proguard config file worked in my case:

-keep class com.tozny.crypto.android.** { *; }
-keep class com.securepreferences.** { *; }

@scottyab do you see any issue with that?

scottyab commented 9 years ago

@danybony that'll work. Of course you're excluding all the library code so it's not obfuscated. It would be better security (even if security by obscurity) to have that obfuscated too. I'll add to the issues, I'm sure it's only a small part that needs excluding.
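As an added illustration (not from this thread, not the project's own config), the rules below contrast the `*` and `**` wildcards, which is where the posted config and danybony's fix differ, and sketch the narrower keep that the remark about "only a small part" points at. The provider class name is the one printed in the SecurityException above; the `LinuxPRNGSecureRandom` Spi class name and the need to keep its no-arg constructor are assumptions about the tozny code, not something this page states.

```proguard
# Added example; not the secure-preferences project's own config.
#
# ProGuard wildcard semantics in class specifications:
#   *   matches any part of a class name that does NOT contain a package separator
#   **  matches any part of a class name, including package separators
#
# So this rule, as in the config posted above, only covers classes directly
# in com.tozny and does nothing for com.tozny.crypto.android.AesCbcWithIntegrity:
-keep class com.tozny.* { *; }

# This rule (danybony's fix) covers the whole library subtree. It works, but it
# leaves every class and member of both libraries with their real names:
-keep class com.tozny.crypto.android.** { *; }
-keep class com.securepreferences.** { *; }

# Narrower alternative (assumption, not verified against the library sources):
# keep only what the JCA provider machinery reaches by name. The provider class
# is the one named in the SecurityException above. The SecureRandomSpi
# implementation is assumed to be a sibling inner class that java.security.Provider
# instantiates reflectively, so its public no-arg constructor must survive.
-keep class com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes$LinuxPRNGSecureRandomProvider { *; }
-keep class com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes$LinuxPRNGSecureRandom {
    public <init>();
}

# Keep the mapping file so obfuscated crash reports can be de-obfuscated
# (the posted config already does this):
-printmapping classes-processed-proguard.map
```

The narrower rules only matter for library versions that still need ProGuard config at all; the thread notes that 0.1.4+ does not. Before shipping them, run the obfuscated build and confirm that constructing a SecurePreferences instance no longer throws the SecurityException, and fall back to the `**` rules if it does, since anything else the library reaches reflectively would also need keeping.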

scottyab commented 9 years ago

See issue #29

scottyab commented 9 years ago

This issue has been fixed as part of v0.1.4 - also please note that, unlike previous versions, from 0.1.4+ no specific ProGuard config is needed to get it working. Just waiting for Maven Central to propagate the dependency.

Also please note there is a specific DexGuard config supplied with DexGuard 7+, located at <dexguard root>/samples/advanced/SecurePreferences