Adding ProGuard to Your Android Cordova Project

“The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is a smaller sized .apk file that is more difficult to reverse engineer” (from http://developer.android.com/tools/help/proguard.html). You’ll want to use this tool if your app has sensitive security features you want to protect. To my knowledge, it does not obfuscate your HTML.

These steps assume you’ve already built your Android Cordova project and just about finished it, and are ready to build a release version of the app.

1. To implement this, open /platforms/android/project.properties and uncomment one line by removing the “#” at left:

#proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt

2. Add these two lines below the final line of the file and save, even though it says, “Do not modify this file — YOUR CHANGES WILL BE ERASED!” Of course, change “myapp” to your own app name.

key.store=myapp.keystore 
key.alias=myapp

Now when you create the release version, the apk will be obfuscated. There are several more steps to take. (If you are submitting this app to the Amazon Appstore, read these extra steps: https://developer.amazon.com/post/TxHZ4VD3PRBCAV/Code-Obfuscation-for-the-Amazon-In-App-Purchasing-API.html )

3. Follow the steps on this page to sign the apk: https://iphonedevlog.wordpress.com/2014/10/29/signing-an-android-apk-apart-from-eclipse-in-mac-os-x/ , from “Signing a First Version Apk Apart from Eclipse” up to the line “Now it’s time to sign the app with the key and create the release version.” Then do the following.

4. In your /myapp folder in Terminal, run:

cordova build android --release

5. When finished, it will return an error, “platforms/android/myapp.keystore (No such file or directory)”. To fix the error, duplicate /android/ant-build/proguard.txt and rename it proguard-project.txt.

6. Move proguard-project.txt to the /android folder.

7. Move your myapp.keystore file to /android.

8. Run the cordova build android –release command again (watch for where it requests your passphrase twice), and all should be well. Your CordovaApp-release.apk file is put in /myapp/platforms/android/ant-build. This is the file you would rename and upload to Google Play.

9. A /proguard folder will also have been created in the /ant-build folder. Important! Save the /ant-build/proguard/mapping.txt file along with your .keystore file and its passwords/passphrases to a safe place. Rename mapping.txt to mapping-myapp-v1.0.0.txt and retain it for future debugging efforts. Save a copy of every final version’s mapping.txt file by including the version number in the filename as I did here. Go ahead and open it. It shows you how your classes have been renamed.

10. Read the bottom of http://developer.android.com/tools/help/proguard.html to see how to read a stack trace using the mapping.txt file.