0x5b - ProGuard enabled by default?

[romualdszkudlarek]

When reading "Debug build" / "Code obfuscation from ProGuard is not applied" in "Basic Security Testing" (Android), I get the impression that ProGuard is enabled by default in Android Studio, or performed by default in any other IDE. While reading https://developer.android.com/studio/build/shrink-code.html, this does not seem to be true.

More detailed explanation on code obfuscation VS reverse engineering could be added, or a link to chapter 0x5b (same as the current one???) could be added in case it provides enough information on this topic.

[muellerberndt]

Yes, AFAIK debug vs. release build does not affect the Proguard configuration by default, even though many will configure it that way. The exact recommendations will be in the test case.

[sushi2k]

When I was reading about it last year, the documentation was saying that Proguard settings are only applied in release builds and not in debug builds. therefore you couldn't obfuscate code in a debug build even with an existing Proguard config. Seems that this changed already last year with a new version of gradle. Just deleted this sentence, as it is not correct. Thanks for pointing out.