I just wanted to plug this cool tool based on ProguardCORE. You can print the kotlin metadata of apk’s using this website.
The source is also available on GitHub
Just execute ./gradlew run --args "input.{apk,jar,zip,class}" and you can try it.
3 Likes
I’ve found that Kotlin leaves so much metadata that it counters a lot of obfuscation. The best I’ve been able to do about it so far is to have the following in my gradle build files for my Android applications:
kotlinOptions {
// Configure Kotlin compiler to remove not-null-assertions for a slight performance improvement,
// but more importantly because the compiler leaves string-representations of method and parameter names
// that ProGuard doesn't obfuscate.
freeCompilerArgs += '-Xno-param-assertions'
freeCompilerArgs += '-Xno-call-assertions'
freeCompilerArgs += '-Xno-receiver-assertions'
}
I use this only for the release-flavor of my apps, so that I can still get the benefit of not-null-assertions during development.
Admittedly it has been a while since I decompiled an app where I used these rules, so they might need improvement, or might have been disabled in newer versions of Kotlin.
1 Like
ProGuard supports Kotlin metadata obfuscation/removal with the recently added -keepkotlinmetadata configuration option. You can read more about it in the manual https://www.guardsquare.com/en/products/proguard/manual/kotlin
ProGuard will also remove the method and parameter name strings that are due to the intrinsics checks added by the compiler.
So now you don’t need to worry about configuring the Kotlin compiler, you can configure ProGuard to remove or obfuscate the metadata!
3 Likes