New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reflection Free Configuration and Proguard #146
Comments
Here's what I've got working on my project...
|
Hi @philipbjorge , Thanks for the rules! Do you need We use them just at compile time, they don't need to be present at runtime. At groupon, we even use a gradle trick to use a version of thoses classes with a non-runtime retention policy, so they are definitely not part of our classes. (we do this to save space in the first dex.. Those annotations are available in TP for those who would like to use them too) |
As soon as @philipbjorge answers our question, we should add this to the wiki page about configurations: |
@dlemures When I remove the
I've tried removing it and including both of the following and receive the same failures:
Any ideas why or how to debug? |
Looking at my stacktraces + mappings.txt makes me think something real funny is going on. |
OK, so I had the following rule to keep the names of all the classes annotated with my custom scope annotations Turns out that doesn't work and you need to list them all out manually
Now I'm running into a new issue though. Will update shortly. |
So the latest rules are...
The problem I'm running into now is the following...
We need both to be non-obfuscated and I'm not sure if there's a way to select for that with proguard. It seems like the easiest way forward might be to have Toothpick generate a proguard rules file that keeps class names for classes that will be looked up in the registry? Alternatively, just recommend all class names within your project be non-obfuscated. |
Yes, probably the best here would be to recommend not to obfuscate any project class... |
we recently migrated to toothpick from roboguice and these proguard rules worked on our project -keepattributes Annotation -keepnames class * { -keepnames @javax.inject.Singleton class * -keep class **$$Factory{ *; } |
wait, so the solution to this is not to obfuscate the code?! Most production applications require some form of obfuscation for a semblance of security. This seems like a major dealbreaker and i'm only saying that because I'm having trouble with the above proguard rules. It would have been nice to have a solution that included a recommended (Tested and true) way of using proguard with the library. |
All names of classes using injection won't be obfuscated.
We use this at Groupon, not only because of toothpick but because of quite
a few other librairies that rely on some naming convention to.load classes
to avoid reflection. For instance ButterKnife, Dart, Icepick, etc. Dagger 1
or 2 would be no exception here.
As you say, obfuscation provides kind of a feeling of secrecy, not much
more. So, what else could a library offer ?
Also, besides name obfuscation, you can also use other proguard
transformations like optimization, method rewriting, etc that will probably
provide even further hard to decompile byte code.
We are really not sure about what TP itself removes to apps on this matter.
And we would be happy to hear from a better solution.
Le mar. 4 avr. 2017 00:02, Brian Shuman <notifications@github.com> a écrit :
… wait, so the solution to this is not to obfuscate the code?! Most
production applications require some form of obfuscation for a semblance of
security. This seems like a major dealbreaker and i'm only saying that
because I'm having trouble with the above proguard rules. It would have
been nice to have a solution that included a recommended (Tested and true)
way of using proguard with the library.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#146 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABv33RXm0ncXILbFTPIFimZG2ICFRKiTks5rsWx1gaJpZM4JvwRt>
.
|
@stephanenicolas |
Thx for hint @terrakok. If anyone feels like adding a proguard configuration page to TP wiki, feel welcome to do so. |
@stephanenicolas Whatever the reason, the solution is simple: just generate if-else chain instead of switch. I checked that it works. |
@pshmakov the problem is that it would be slower, that's the main reason why we have the switch. Can you give an example of the code after it is obfuscated so we can fine tune this ? |
@stephanenicolas |
@stephanenicolas I'd like to point out that this issue seems to be a "blocker" for using ToothPick in a large portion of commercial projects, because using obfuscation there is absolutely non-negotiable. I work on one of such projects, and would really like to give Toothpick a shot, because it's awesome. But this issue needs to be fixed first. Otherwise we'll have to go with Dagger 2, unfortunately (which doesn't have problems with obfuscation as far as I know). |
@stephanenicolas |
This is adressed in TP 1.1.3, released today. |
Is there any guidance on how to use the reflection free configuration with proguard and obfuscation?
Based on looking at the factories, it looks like I'll need to keep my class names at a minimum (possibly method names too).
-keepnames class com.myapp.**
Do you have any advice on how I can make this more specific?
The text was updated successfully, but these errors were encountered: