Android app obfuscation is not one switch. A safe release usually combines R8 code obfuscation, ProGuard-compatible keep rules, mapping file preservation, optional resource obfuscation, and smoke testing of the final APK or AAB.
Quick Answer
For most Android apps, start with minifyEnabled for release builds, add the default optimized ProGuard file, keep runtime-sensitive classes, archive mapping.txt, and test the signed release artifact. Add resource obfuscation only after code obfuscation and SDK behavior are stable.
android {
buildTypes {
release {
isMinifyEnabled = true
isShrinkResources = true
proguardFiles(
getDefaultProguardFile("proguard-android-optimize.txt"),
"proguard-rules.pro"
)
}
}
}
Code Obfuscation vs Resource Obfuscation
| Area | Tool | What Changes |
|---|---|---|
| Classes and methods | R8 | Renames and optimizes bytecode |
| Keep rules | ProGuard rule syntax | Protects reflection, serialization, SDK callbacks, and native entry points |
| Resource names | AabResGuard-style tools | Renames Android resources and may filter unused files |
| Crash readability | Mapping files | Allows release stack traces to be deobfuscated |
What Usually Breaks
- Reflection and string-based class loading. R8 cannot always infer these paths.
- JSON serialization. Gson, Moshi, kotlinx.serialization, and custom adapters may need rules.
- Dependency injection. Generated code and annotations can be sensitive to broad shrinking.
- SDK resources. Firebase, ad SDKs, push SDKs, and payment SDKs can reference resources by name.
- Crash reports. Without archived mapping files, release crashes become hard to read.
How ADB Pro Helps
R8 Assistant helps review rules, reflection risks, mapping output, and dictionary options. Res Guard manages resource obfuscation and whitelist configuration. Release Readiness checks whether the final release artifact is configured, signed, and ready to test before distribution.
FAQ
Can an AAB be obfuscated?
Yes. Code obfuscation happens during the release build, and resource obfuscation can be applied to AAB workflows when whitelists are correct.
Does obfuscation prevent reverse engineering?
No. It increases analysis cost, but secrets and sensitive business logic should still be protected by server-side design.
Should I keep everything to avoid crashes?
No. Very broad keep rules reduce obfuscation value. Use targeted rules and test the signed release artifact.