Mobile application code obfuscation (ProGuard/R8 for Android)

TRUETECH is engaged in the development, support and maintenance of iOS, Android, PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets like Google Play, App Store, Amazon, AppGallery and others.
8+Years of work900+Completed projects100+In house employees19+Partners
Development and support of all types of mobile applications:
Information and entertainment mobile applications
News apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications
Online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems.
Business process management mobile applications
CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications
Classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

Offered services
Showing 1 of 1 servicesAll 1735 services
Mobile application code obfuscation (ProGuard/R8 for Android)
Medium
from 1 business day to 3 business days
FAQ
Our competencies:
Development stages
Latest works
  • image_mobile-applications_feedme_467_0.webp
    Development of a mobile application for FEEDME
    756
  • image_mobile-applications_xoomer_471_0.webp
    Development of a mobile application for XOOMER
    624
  • image_mobile-applications_rhl_428_0.webp
    Development of a mobile application for RHL
    1052
  • image_mobile-applications_zippy_411_0.webp
    Development of a mobile application for ZIPPY
    947
  • image_mobile-applications_affhome_429_0.webp
    Development of a mobile application for Affhome
    862
  • image_mobile-applications_flavors_409_0.webp
    Development of a mobile application for the FLAVORS company
    445
Show more works

Code obfuscation for mobile applications (ProGuard/R8 for Android)

R8 is a compiler and minifier that since AGP 3.4 replaced ProGuard in Android builds. It does three things: removes unused code (tree shaking), renames classes and methods to single-letter identifiers (obfuscation), optimizes bytecode. ProGuard rules remain — R8 reads them, syntax is compatible.

Enabled in build.gradle:

buildTypes {
    release {
        isMinifyEnabled = true
        isShrinkResources = true
        proguardFiles(
            getDefaultProguardFile("proguard-android-optimize.txt"),
            "proguard-rules.pro"
        )
    }
}

proguard-android-optimize.txt — base Google file with aggressive optimizations. proguard-rules.pro — custom project rules.

What breaks after enabling obfuscation

Enable isMinifyEnabled = true — app crashes in release. This is standard, and figuring it out without mechanism understanding is difficult.

Classes used via reflection. JSON libraries (Gson, Moshi without codegen) creating objects via Class.forName() or reading fields via reflection — don't know about obfuscation at compile-time. R8 renames UserResponse.userId to a.a — Gson looks for field userId, doesn't find it, silently returns null. No crash, data just didn't deserialize. Solution: @Keep annotations or rule -keepclassmembers class com.example.data.** { *; }. With Gson better to switch to kotlinx.serialization with KSP — codegen doesn't depend on reflection there.

Retrofit interfaces. Retrofit via reflection reads method annotations (@GET, @POST). API interfaces must be saved: -keep interface com.example.api.** { *; }.

Serialized Parcelable and Serializable classes. If object is passed via Intent.putExtra() or saved in Bundle — field names must match. R8 renames them. Rule: -keepclassmembers class * implements android.os.Parcelable { *; }.

Firebase Crashlytics and stack traces. Obfuscation makes crash reports unreadable: a.b.c instead of real names. Solution — mapping file. Crashlytics automatically picks up app/build/outputs/mapping/release/mapping.txt when using com.google.firebase.crashlytics Gradle plugin. Mapping must be stored — without it old crashes won't deobfuscate.

Native libraries and JNI. Methods called from C++ via JNI must keep exact names: -keepclasseswithmembernames class * { native <methods>; }.

How to check rules

-printusage build/outputs/usage.txt — list of removed code. –printseeds build/outputs/seeds.txt — what's saved. Analyzing these files after build shows if R8 deleted something important.

apkanalyzer (in Android SDK): apkanalyzer dex packages app-release.apk — list of classes in final APK. If needed class is missing — it's been cut.

Test release build via Firebase App Distribution or internal Google Play track before publishing. Debug build with isMinifyEnabled = false won't show obfuscation problems.

Libraries with built-in rules. Most Jetpack libraries and popular SDKs include consumer-rules.pro in AAR — R8 applies them automatically. But third-party and legacy libraries often lack built-in rules.

Configuring obfuscation with existing rules audit and release build testing: 1–3 days. Pricing calculated individually.