Protecting and obfuscating Android App Bundles (AAB) using DexProtector

The Android App Bundle (AAB) is a new app publishing format that makes building and releasing your apps more efficient. It makes it easier to deliver smaller, optimized apps to your application's users. Its goal is to improve the user experience on Android: the applications that reach users' devices are smaller and contain only the required resources. According to independent research, the size can potentially be optimized by up to 50%.

DexProtector allows you to comprehensively protect Android Application Bundles by applying all the protection mechanisms available in DexProtector Standard and DexProtector Enterprise.

Prerequisites

  • DexProtector Enterprise or DexProtector Standard activated with a full or trial license
  • Android Studio 3.2 or higher and Android Gradle Plugin 3.2.0 or higher

Protection Process

The protection process for an Android Application Bundle is similar to that for an APK. You can even use the same settings (configuration file) for your Android Application Bundles (AABs) as you had for your APKs.

  1. Prepare and build an Android Application Bundle (AAB, .aab) if you use the DexProtector CLI.
  2. Prepare the DexProtector configuration in accordance with the documentation, or use the existing configuration that you created for your APK.
  3. Launch the protection process via the CLI, for example:

    java -jar dexprotector.jar -configFile dexprotector.xml -keystore upload.keystore -alias android -storepass android -keypass android build/outputs/bundle/release/app.aab protected-app.aab
    

    Or via Gradle:

    gradlew clean assembleRelease bundleRelease
    

    So that both APK and AAB are generated and protected, or:

    gradlew clean bundleRelease
    

    In order to generate just an AAB and protect it.

  4. To test the protected AAB without publishing it to Google Play, you can use the latest version of bundletool, which is available at https://github.com/google/bundletool/releases. To publish an AAB protected by DexProtector, simply upload it to Google Play Console.

  5. To generate APKs from the bundle, the following command can be used (the APK will be built for a connected device):

    java -jar bundletool-all-x.x.x.jar build-apks --bundle=protected-app.aab --output protected-apk.apks --ks sample.keystore --ks-key-alias android --connected-device
    

The bundletool can install the produced APKs as well:

    java -jar bundletool-all-x.x.x.jar install-apks --apks protected-apk.apks

Important: When you publish your AAB to Google Play, you need to set the fingerprint of your app signing certificate in your configuration file, because Google Play App Signing is required in this case. Please refer to Google Play App Signing. You are also required to sign your AABs with your upload certificate. In other words, you need to set the following tags in your DexProtector configuration file:

    <signMode>google</signMode> 
    <sha256CertificateFingerprint><SHA-256-FINGERPRINT-OF-APP-SIGNING-CERT></sha256CertificateFingerprint>

Do not forget to use your upload keystore:

    java -jar dexprotector.jar -configFile dexprotector.xml -keystore upload.keystore -alias alias -storepass storepass -keypass keypass build/outputs/bundle/release/app.aab protected-app.aab
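
A pre-publish check for the signMode and sha256CertificateFingerprint tags, as an added example that is not part of the DexProtector documentation or tooling: it recomputes the SHA-256 fingerprint of an app signing certificate (PEM or DER) and compares it with the configuration file. The `<dexprotector>` root element, the function names and the colon-tolerant comparison are assumptions, and the sample certificate is a constructed stand-in.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET


def cert_fingerprint(cert: bytes) -> str:
    """SHA-256 of the certificate's DER encoding; accepts PEM or DER bytes."""
    if b"-----BEGIN CERTIFICATE-----" in cert:
        cert = base64.b64decode(re.sub(rb"-----[A-Z ]+-----|\s", b"", cert))
    return hashlib.sha256(cert).hexdigest().upper()


def check_config(config_xml: str, cert: bytes) -> list:
    """Return the problems found; an empty list means the config matches."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # An unreplaced <PLACEHOLDER> inside the tag makes the XML ill-formed.
        return [f"config is not well-formed XML: {exc}"]
    problems = []
    mode = (root.findtext(".//signMode") or "").strip()
    if mode != "google":
        problems.append(f"signMode is {mode!r}, expected 'google'")
    raw = root.findtext(".//sha256CertificateFingerprint") or ""
    configured = re.sub(r"[\s:]", "", raw).upper()  # tolerate AA:BB and aabb
    if not re.fullmatch(r"[0-9A-F]{64}", configured):
        problems.append("sha256CertificateFingerprint is not a SHA-256 hex value")
    elif configured != cert_fingerprint(cert):
        problems.append("fingerprint does not match the app signing certificate")
    return problems


# Constructed stand-in: the PEM body is the three bytes b"abc", not a real
# certificate, so the expected digest is the well-known SHA-256("abc").
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Root element name is assumed; only the two inner tags come from the page.
SAMPLE_CONFIG = """<dexprotector>
  <signMode>google</signMode>
  <sha256CertificateFingerprint>
    BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD
  </sha256CertificateFingerprint>
</dexprotector>"""

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG, SAMPLE_CERT) or ["OK"]:
        print(problem)
```

Run it with the real configuration file and the app signing certificate (not the upload certificate) before protecting the bundle.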