Configuring DexProtector

Verbose Logging

Element: verbose

Description: Enables/disables verbose logging for the DexProtector process.

Valid values: true; false. Default value: false

Code Optimization

Element: optimize

Description: Removes redundant metadata from the package that might otherwise affect performance and/or be exploited by bad actors

Valid values: true; false. Default value: false

Security Assessment

Element: securityAssessment

Description: With Security Assessment enabled, the DexProtector process will fail if the signing certificate is known to be compromised, or recognized as weaker than recommended.

Valid values: true; false. Default value: false

Nested elements (<signingCertificateCompromised>, <signingCertificateWeakKey>, <dependencyCheck>)

Element (nested): signingCertificateCompromised

Description: If the signing certificate has been compromised, the DexProtector process will throw an error and the build will fail.

Valid values: warning; error; off. Default value: error

Element (nested): signingCertificateWeakKey

Description: If the signing key is weak (i.e. an RSA key that is <2048 bits), the DexProtector process will throw an error and the build will fail.

Valid values: warning; error; off. Default value: error

Element (nested): dependencyCheck

Description: Checks application dependencies for known vulnerabilities.

Valid values: warning; error; off. Default value: warning

ProGuard mapping file

Element: proguardMapFile

Description: Specifies the absolute path to ProGuard's mapping file. If you use ProGuard for name obfuscation, it is necessary to provide the path to ProGuard's mapping file so that DexProtector can locate classes for encryption.

Default value: no default value. Note: When using the DexProtector Gradle Plugin, the value for the proguardMapFile (if necessary) is set automatically.

Signing Mode

Element: signMode

Description: Specifies options for app signing.

Valid values:

Keystore information (for signMode == release; signMode == google; signMode == amazon)

Element: keystore

Description: Specifies the path to the keystore containing the relevant signing key

Default value: no default value. Note: With the DexProtector Gradle Plugin, the path is specified automatically.

Element: storepass

Description: Specifies the password to the keystore containing the relevant signing key

Default value: no default value. Note: With the DexProtector Gradle Plugin, the path is specified automatically.

Element: alias

Description: Specifies the alias string for the relevant signing key in your keystore

Default value: no default value. Note: With the DexProtector Gradle Plugin, the path is specified automatically.

Element: keypass

Description: Specifies the password for the signing key

Default value: no default value. Note: With the DexProtector Gradle Plugin, the path is specified automatically.

Keystore information (for signMode == google)

Element: sha256CertificateFingerprint

Description: Specifies the SHA-256 Certificate Fingerprint corresponding to the Google Play App Signing Key used in Play app signing.

Default value: no default value. Note: with the DexProtector Gradle plugin, the value is derived automatically.

Element: legacySha256CertificateFingerprint

Description: If you publish your app to Google Play, you can upgrade the signing key for your published app through the Play Console—your new key is used to sign new installs and app updates, while your older app signing key is used to sign updates for users who installed your app before the key upgrade. If you have upgraded the signing key for your published app and are DexProtecting an update, you must specify both the SHA-256 Certificate Fingerprint corresponding to the new key, and the Legacy SHA-256 Certificate Fingerprint corresponding to the original key.

Default value: no default value.

Logging Call Stripping

Element: stripLogging

Description: Prevents unwanted log outputs by blocking the calling of methods with android.util.Log. The scale of verbosity (from least to most) is WTF, ERROR, WARNING, INFO, DEBUG, VERBOSE.

Valid values: wtf [strip android.util.Log.wtf(...)]; error [strip android.util.Log.e(...)]; warning [strip android.util.Log.w(...)]; info [strip android.util.Log.i(...)]; debug [strip android.util.Log.d(...)]; verbose [strip android.util.Log.v(...)]; all [strip all of the above]

Method Call Stripping

Element: stripMethodCalls

Description: Blocks the calling of specified methods (for example, the method calls of third-party logging libraries)

Element (nested): filters (Only when mode != off):

Format: string

Default value: no default value

String Encryption

Element: stringEncryption

Description: Enables DexProtector's String Encryption mechanism. Note: We recommend encrypting as many strings as possible, but especially those containing sensitive data (logins, passwords, API credentials, keys, etc.). There is no need, on the other hand, to encrypt any strings contained in publicly available third party libraries, and DexProtector’s default configuration file contains certain example filters to exclude such libraries from the string encryption process.

Element (nested): filters

Format: string

Default value: no default value

Annotation Encryption

Element: annotationEncryption

Description: Encrypt Kotlin annotations to protect sensitive metadata. Important: Filters for Annotation Encryption work differently than for other mechanisms. Filters must target the classes in which annotations are defined, and not the classes in which annotations are referenced. DexProtector will then locate all instances of the annotations and encrypt them.

Element (nested): filters

Format: string

Default value: no default value

JNI Obfuscation

Element: jniObfuscation

Description: Enables the obfuscation of JNI (Java Native Interface) method names in native libraries and classes, in accordance with the specified filters. Note: When setting filters for JNI Obfuscation, you only need to specify the classes that contain JNI methods. DexProtector will then automatically process native libraries containing the JNI methods from those classes.

Element (nested): filters

Format: string

Default value: no default value

Hide Access

Element: hideAccess

Description: The Hide Access mechanism conceals method calls and field accesses in the packages and classes specified in the filters, breaking the link between the call site and the function being called.

Element (nested): filters

Format: string

Default value: no default value

Class Encryption

Element: classEncryption

Description: DexProtector encrypts entire classes.dex including Application, Activities, ContentProviders, and Receivers, in accordance with the specified filters. Note: DexProtector will encrypt all classes by default, without affecting the application’s performance. However, it is important to exclude any classes that must remain accessible to third parties, such as those that form part of a public API.

Element (nested): filters

Format: string

Default value: no default value

Native Library Encryption

Element: nativeLibraryEncryption

Description: DexProtector encrypts native libraries (.so files) within the target package, in accordance with the chosen filters.

Element (nested): filters

Format: string

Default value: no default value

Resource Encryption

Element: resourceEncryption

Description: Resource encryption protects against malicious copying, modification, and piracy by encrypting an application's internal resources; resource names; and, for cross-platform apps, HTML, JS, and CSS code. Filters can target the assets and res folders, as well as resources in the root folder, and individual string resources.

Nested elements (<assets>, <res>, <strings>, <nameObfuscation>,<root>, <androidManifestMangling>, <xamarinAssemblies>):

Element (nested): assets

Description: Encrypts files in assets/. Files can be targeted by file pattern (i.e. .png denotes all files of PNG file format), name pattern (i.e. File1 denotes all files whose names begin with the string "File1"), by specific file name (e.g. File2.json), or by path (e.g. TestDir/File3.txt). Note 1: If there are no assets/res elements in the configuration file under the resourceEncryption section, the encryption of the assets folder will be performed in accordance with DexProtector’s default settings. Note 2: Assets directly accessed by the OS must not be encrypted.

Format: contains nested elements

     Element (nested): filters

     Format: string

     Default value: no default value

Element (nested): res

Description: Encrypts files in res/. Files can be targeted by file pattern (i.e. **png denotes all files of PNG file format), name pattern (i.e. File1** denotes all files whose names begin with the string "File1"), by specific file name (e.g. File2.json), or by path (e.g. TestDir/File3.txt). Note 1: If there are no assets/res elements in the configuration file under the resourceEncryption section, the encryption of the res folder will be performed in accordance with the default filter. Note 2: Resources directly accessed by Android must not be encrypted.

Format: contains nested elements

     Element (nested): filters

     Format: string

     Default value: no default value

Element (nested): strings

Description: Encrypts strings and string arrays in resources.arsc. Note:  If there is no ‘strings’ element in the configuration file under the resourceEncryption section, the encryption of strings and string-arrays in resources.arsc will be performed in accordance with DexProtector’s default settings.

Format: contains nested elements

     Element (nested): filters

     Format: string

     Default value: no default value

Element (nested): nameObfuscation

Description: With Resource Name Obfuscation enabled, DexProtector will obfuscate names of names of files in res/. It is possible to set filters for Resource Name Obfuscation independently of the filters specified for res folder encryption. For more information, see the guide to filters for resource encryption.

Format: contains nested elements

     Element (nested): filters

     Format: string

     Default value: no default value

Element (nested): root

Description: Encrypts files in root/. Files can be targeted by file pattern (i.e. **png denotes all files of PNG file format), name pattern (i.e. File1** denotes all files whose names begin with the string "File1"), by specific file name (e.g. File2.json), or by path (e.g. TestDir/File3.txt).

Format: contains nested elements

     Element (nested): filters

     Format: string

     Default value: no default value

Element (nested): androidManifestMangling

Description: Mangling settings for AndroidManifest.xml. If the element androidManifestMangling is included in the configuration file, DexProtector will mangle entities in the AndroidManifest.xml file.

Element (nested): xamarinAssemblies

Description: Encrypts Xamarin assemblies

Attribute: dir

Description: If the assemblies are not in the default folder (assets/assemblies), you can set a path to them using the attribute dir. The path should start from the APK’s root, for example: assets/xxx/assemblies

Format: string

Default value: no default value

Anti-Debug

Element: antiDebug

Description: With this setting enabled, the DexProtector Runtime Engine will close the app instantly if it detects that a debugger is attached.

Anti-Emulator

Element: antiEmulator

Description: With this setting enabled, the DexProtector Runtime Engine will prevent the app from running on an emulator. Note: Client-side API and callback options are available as an alternative to closing the app. Please request more details on configuration and implementation.

Anti-Manual Install

Element: antiManualInstall

Description: With this setting enabled, the DexProtector Runtime Engine will prevent the app from running if it was sideloaded. Note: Client-side API and callback options are available as an alternative to closing the app. Please request more details on configuration and implementation.

Anti-Malware

Element: antiMalware

Description: With this setting enabled, the DexProtector Runtime Engine will report malware and Potentially Harmful Apps detected on the device to the organization's Alice Threat Intelligence database. Note: <reportMonitoring> must be enabled. Client-side API and callback options are also available. Please request more details on configuration and implementation.

Runtime Checks

Element: runtimeChecks

Description: With this setting enabled, the DexProtector Runtime Engine will prevent the app from running on custom firmware and rooted devices.

Public Key Pinning

Element: publicKeyPinning

Description: Settings for SSL/HTTP Public Key Pinning. These can be specified either via a security configuration file in res/xml (in accordance with specification for Android N), or via the network-security-config nested element. If you have a separate security configuration file, you must set the path to it within the attribute ‘src’.

Attribute: src

Valid values: Path to a security configuration file (see details here).

Default value: no default value

Note: if the file exists, all public key pinning settings are taken from the file. On the other hand, if the src attribute is not set and there is a network-security-config tag, all the settings are taken from the configuration defined inside the tag and the res/xml/networksecurityconfig.xml will be created, it will contain settings from the network-security-config tag, and also the following information will be added into the AndroidManifest.xml:

Format: contains nested elements (<actions>, <reportUri>, <reportMethod>, <network-security-config>)

Element (nested): actions

Description: Specifies the actions to be performed if there are errors or anomalies detected during the Public Key Pinning checks

Format: list with the ',' separator

Valid values: block - block the connection; report - send a report regarding the connection

Default value: block, report

Element (nested): reportUri

Description: Specifies the address that will be used to send JSON reports regarding any errors or anomalies detected during the Public Key Pinning checks

Format: string

Element (nested): reportMethod

Description: Specfies a method (in the format ClassName.methodName) to which JSON reports are passed in the event of any errors or anomalies detected during the Public Key Pinning checks. These methods should have public static modifier and (String jsonStr) signature.

Format: string

Element (nested): cacheTTL

Description: Time to live for a server SSL certificate chain check result for each domain

Format: int

Default value: 180

Element (nested): network-security-config

Description: Embedded Security Configuration File

Examples of embedded security configuration settings:

Example #1:

Example #2 (Security Configuration File in res/xml):

Certificate Transparency

Element: certificateTransparency

Description: Settings for monitoring public key certificates according to the Certificate Transparency standard. DexProtector uses a list of log servers that is located in the distribution package. This list is based on: https://source.chromium.org/chromium/chromium/src/+/master:components/certificate_transparency/data/log_list.json Alternatively, a list of authorized log servers can be specified manually by entering a path to a file containing that list.

Format: contains nested elements (<trace>, <logFile>)

Element (nested): trace

Format: string

Description: For debugging purposes, set trace to 1000.

Default value: no default value

Element (nested): logFile

Format: string

Description: Path to file containing your own list of authorized log servers.

Default value: no default value

UI Protection

Element: uiProtection

Description: DexProtector’s UI Protection blocks screen capture and prevents activity hijacking. Screen capture blocking hardens your app against screenshots, screen recording, and screen casting. Hijacking prevention protects the app from malware that takes control of the application and replaces legitimate windows with impostors.

Threat Reporting

Element: reportMonitoring

Description: Configures Licel’s Real-Time Attack Telemetry and Threat Intelligence service, Alice. For more information, see our guide to Alice.

Format: contains nested elements (<apiKey>, <customFieldsUpdate>, <trace>)

Element (nested): apiKey

Format: string

Default value: no default value

Element (nested): customFieldsUpdate

Format: string

Description: Specifies a method, if one is implemented in the package’s code, for customizing the types of data reported to Alice by the monitoring system (e.g. user’s IP address; device serial number, etc.) . The method specified must have the following format:

Default value: no default value, but the field must have the following structure:

Element (nested): trace

Format: string

Description: The logging level of DexProtector messages on the end device. For debugging purposes, set to 1000. Otherwise, set to 0 or exclude the <trace> node.

Default value: no default value

AAR

Element: aar

Description: Enables the DexProtection of Android libraries & SDKs (AAR). Since DexProtector's runtime engine must start before the AAR is first accessed, it is necessary to configure the initialization process, and/or to leave DexProtector's auto-initialization mechanism enabled.

Attribute: autoInit

Valid values: on - enable DexProtector's automatic initialization mechanism; off - disable DexProtector's automatic initialization mechanism. If autoInit="off" you must specify either initMethod(s) and/or initClass(es).

Default value: on

Attribute: autoInitAuthorities

Description: To ensure that DexProtector's runtime engine is initialized when necessary, the autoInit mechanism uses a Content Provider approach, and defines a content provider component in the AndroidManifest.xml. Therefore, if autoInit="on" we strongly recommend to specify autoInitAuthorities="${applicationId}", additionally specifying a unique ID for each AAR where necessary, to avoid the risk of conflict whereby multiple content providers with the same name are specified in android:authorities.

Default value: ${applicationId}

Attribute: kotlinSupport

Valid values: on - enable support for libraries containing Kotlin code; off - disable support for libraries containing Kotlin code

Default value: off

Attribute: nativeClassEncryption

Valid values: on - enable the encryption of native classes within the library; off - disable the encryption of native classes within the library

Default value: on

Attribute: nativeHideAccess

Valid values: on - enable the Hide Access mechanism for native classes within the library; off - disable the Hide Access mechanism for native classes within the library

Default value: off

We strongly recommend leaving autoInit="on", but if you prefer to set autoInit="off" you must specify either initMethod(s) and/or initClass(es). For example:

on

Obfuscate all names

As per filter

Obfuscate all names

off

No name obfuscation

No name obfuscation

No name obfuscation

No attribute specified

Obfuscate all names

As per filter

No name obfuscation