How to secure data model classes from reverse engineering when using R8 and Proguard in Android?


Right now, on reverse engineering the Android application APK file, I can see the data model classes in plain text, as I have used the @Keep annotation. Without the annotation, the app crashes, as these files are removed by R8.

How do I secure the data model files by making sure that they are not seen on reverse engineering?


1
On

Add the lines below to the gradle.properties file.

# Disables R8 for Android Library modules only.
android.enableR8.libraries = false
# Disables R8 for all modules.
android.enableR8 = false
0
On

Recently I ran into this same issue, and my particular problem was that I had an obsolete set of ProGuard rules. Note that on 4 Oct 2019 Gson updated their ProGuard rules to take R8 into account. Hopefully you just have to update them.

You can find it at https://github.com/google/gson/blob/master/examples/android-proguard-example/proguard.cfg

# Gson uses generic type information stored in a class file when working with fields. Proguard
# removes such information by default, so configure it to keep all of it.
-keepattributes Signature

# For using GSON @Expose annotation
-keepattributes *Annotation*

# Gson specific classes
-dontwarn sun.misc.**
#-keep class com.google.gson.stream.** { *; }

# Application classes that will be serialized/deserialized over Gson
-keep class com.google.gson.examples.android.model.** { <fields>; }

# Prevent proguard from stripping interface information from TypeAdapter, TypeAdapterFactory,
# JsonSerializer, JsonDeserializer instances (so they can be used in @JsonAdapter)
-keep class * implements com.google.gson.TypeAdapter
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer

# Prevent R8 from leaving Data object members always null
-keepclassmembers,allowobfuscation class * {
  @com.google.gson.annotations.SerializedName <fields>;
}

Also remember to add your own model classes: look at the rule in the middle, as it is just an example and has to be changed to match your own models.
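To check which model class and field names a given rule set actually leaves readable, the `mapping.txt` written by the release build can be audited. The following is an added example, not part of either answer: it parses a constructed mapping sample and reports, per class in a model package, whether the class name was renamed and which field names survived unchanged. The package `com.example.app.model.`, the function name `audit_mapping`, and the presence of identity entries (`X -> X`) for kept names in the mapping file are assumptions.

```python
import re

# Constructed sample in the R8/ProGuard mapping.txt layout (not from a real build).
SAMPLE_MAPPING = """\
# compiler: R8
com.example.app.model.User -> com.example.app.model.User:
    java.lang.String name -> name
    int age -> age
com.example.app.model.Order -> a.b:
    java.lang.String id -> a
    java.lang.String note -> note
    void <init>() -> <init>
com.example.app.ui.MainActivity -> com.example.app.ui.MainActivity:
    void onCreate(android.os.Bundle) -> onCreate
"""

# "original.Class -> obfuscated.Class:" starts in column 0.
CLASS_LINE = re.compile(r"^(\S+) -> (\S+):$")
# Indented "type fieldName -> newName"; method lines contain "(" and do not match.
FIELD_LINE = re.compile(r"^\s+\S+ ([^\s(]+) -> (\S+)$")


def audit_mapping(text, package_prefix):
    """Return {original_class: {"class_renamed": bool, "readable_fields": [names]}}
    for every class whose original name starts with package_prefix."""
    report, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and mapping-file comments
        m = CLASS_LINE.match(line)
        if m:
            original, obfuscated = m.groups()
            current = None
            if original.startswith(package_prefix):
                current = report.setdefault(original, {
                    "class_renamed": original != obfuscated,
                    "readable_fields": [],
                })
            continue
        m = FIELD_LINE.match(line)
        if m and current is not None and m.group(1) == m.group(2):
            current["readable_fields"].append(m.group(1))  # name kept as-is
    return report


if __name__ == "__main__":
    for cls, info in audit_mapping(SAMPLE_MAPPING, "com.example.app.model.").items():
        print(cls, "renamed" if info["class_renamed"] else "NOT renamed",
              "readable fields:", info["readable_fields"])
```

Renamed identifiers do not hide the JSON keys: the string values inside `@SerializedName` stay in the APK because Gson reads them at runtime.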