Currently CogniCrypt has some trouble analyzing obfuscated Android apps (.apk files).
TODO: Check obfuscated .class and .jar files.
The noticeable impacts are:
- The analysis takes longer than on non-obfuscated code.
- The mapping from analysis results back to source code may be incorrect (obfuscation renames classes, methods and fields, so findings are reported against names that do not exist in the source).
- The analysis may miss actual errors (false negatives).
- The analysis may report errors that are not actually there (false positives).
Obfuscation is a popular way to protect certain assets by making decompiled bytecode harder to understand. In IntelliJ-based IDEs such as Android Studio, ProGuard can be wired into the build pipeline, for example as a step of a Gradle build, so an app may already be obfuscated by the time CogniCrypt sees it.
For now we recommend the following build and analysis steps:
- Disable or remove ProGuard (or any other obfuscation tool) from your build task.
- Rebuild the code you wish to analyze.
- Analyze the unobfuscated build with CogniCrypt.
- Process the findings of the analysis.
- Re-enable the obfuscation tool and build the code again, OR
  obfuscate your application manually (for example using the obfuscator's command line interface).
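One way to follow these steps without editing the release configuration back and forth is to add a dedicated Gradle build type that inherits from `release` but turns minification off. The snippet below is an added example (not part of CogniCrypt or of any specific project); the build type name `analysis` and the ProGuard rule file name are assumptions, while `minifyEnabled`, `initWith`, `proguardFiles` and `getDefaultProguardFile` are standard Android Gradle plugin properties.

```groovy
// app/build.gradle (example added here; not CogniCrypt's own configuration)
android {
    buildTypes {
        release {
            // The shipped APK stays obfuscated. On newer Android Gradle plugin
            // versions this flag runs R8 instead of ProGuard; either way the
            // resulting bytecode is renamed and unsuitable for CogniCrypt.
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                          'proguard-rules.pro'   // assumed rule file name
        }
        // Hypothetical build type used only to produce the APK handed to CogniCrypt.
        // It copies every release setting (signing config, build config fields, ...)
        // and then disables shrinking/obfuscation, so class, method and field
        // names match the source code and findings can be mapped back correctly.
        analysis {
            initWith release
            minifyEnabled false
        }
    }
}
```

Build the unobfuscated variant with `./gradlew assembleAnalysis`, run CogniCrypt on the resulting `app-analysis.apk`, and ship the normal `assembleRelease` output afterwards; no setting has to be toggled between the two. Before analyzing, you can sanity-check that the APK really is unobfuscated with the SDK's `apkanalyzer dex packages app-analysis.apk`: if most classes and methods have one- or two-letter names (`a.a.b`, `c()`), obfuscation is still active and the analysis results should not be trusted.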