Use Removal with String Encryption
DashO String Encryption Obfuscation replaces strings in code with encrypted values that are then decrypted in the running application. This protects most strings, but inlined string constants are not always fully protected. The Java compiler inlines string constants, effectively copying them into the places where they are used. DashO does not encrypt the original field values, because this could produce incorrect behavior, e.g. breaking the value of a library API constant that is used by an external application.
This means that some string constants will remain in place, unencrypted, after String Encryption. If these string constants will not be used by external applications then they can be safely removed. Therefore, to protect those string constants, configure DashO to remove unused members. Inlined string constant references will not mark the defining field as "used".
For libraries, specify
Remove if not public; otherwise specify
Remove if not public, public strings will not be removed, so any strings that require protection should not be public.
The effect of these settings can be adjusted by excluding classes, methods, or fields from Removal.
There are also size and performance costs to using String Encryption, and it may be necessary to exclude methods or classes from it. Because of inlining, both the class that defines a string constant and all of the classes that reference it must be protected with String Encryption for all copies of that string to be encrypted.
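The inlining described in this section can be observed directly. The following is an added example, not part of the DashO documentation, and its class names, field names and string values are constructed. It shows that reading a string constant never touches the defining class at run time, because the literal was copied into the referencing class at compile time.

```java
// Added example (not DashO code): demonstrates javac inlining a String constant.
// All names and string values below are constructed for illustration.
public class InlineDemo {
    // Set by the static initializer of Keys, so it records whether the
    // defining class was ever initialized at run time.
    static boolean keysInitialized = false;

    static class Keys {
        static { InlineDemo.keysInitialized = true; }

        // Compile-time constant: javac copies the literal into every class
        // that references it and also keeps it here as the field's
        // ConstantValue attribute. This original copy is the one that
        // String Encryption leaves in place and Removal can delete.
        static final String ENDPOINT = "https://api.example.invalid/v1";

        // Not a constant expression (method call), so it is not inlined:
        // referencing classes must read the field from Keys itself.
        static final String REGION = String.valueOf("eu-west");
    }

    // Compiles to a load of the literal from InlineDemo's own constant pool.
    static String useInlined() { return Keys.ENDPOINT; }

    // Compiles to a real field read, which initializes Keys.
    static String useField() { return Keys.REGION; }

    public static void main(String[] args) {
        String a = useInlined();
        System.out.println(a + " read; Keys initialized: " + keysInitialized);

        String b = useField();
        System.out.println(b + " read; Keys initialized: " + keysInitialized);
    }
}
```

The first line reports `false` and the second `true`: the `ENDPOINT` reference is a private copy in `InlineDemo`, so nothing uses the field in `Keys`. Running `javap -v -p` on both compiled classes shows the same literal in each constant pool, which is why both classes need String Encryption.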
String Encryption — Options
The String Encryption — Options panel controls whether strings are encrypted, which encryption techniques are used, and where the decryption methods are placed.
Enables or disables string encryption obfuscation globally. You can control the portions of the application to which string encryption is applied by using include and exclude rules. If you do not specify any rules then all methods will have their strings encrypted.
This control selects the level of string encryption to use. Level 1 uses a simple and fast decryption technique while level 10 uses a more complex but slower technique. Increasing this value configures DashO to use various expressions to increase the complexity of decompilation as well as adding randomness factors to the implementation of decryption methods. The default level is
This controls the number of decryption methods that will be generated and added to classes included in each output. The names and signatures of the methods are randomly selected (except when using an input file). The default number of methods is
If you want decrypters to be placed globally (not kept internal to the jars where they are used), add a User Property named INJECT_DECRYPTERS_GLOBALLY and set it to
This setting lets you specify criteria that control which classes may serve as outer classes for generated anonymous static inner classes that will house the decrypters. If you do not specify any value, DashO will choose a class from the public classes in the inputs. To change the selection criteria click the Edit button to bring up a properties dialog.
If you specify criteria, the decrypters will be injected based on those criteria and will be used without regard to jar boundaries.
The map input file specified is a file created by a previous DashO run. Using this file, DashO creates the same decrypters used in the previous run. This is necessary for an incremental obfuscation. It is used in addition to the renaming map file. When an input file is provided, settings for the level and number of decrypters and the decrypter class criteria will be ignored.
The information created in this file can be used for the map input file in a future DashO run. It stores information about the types of decrypters, the method names used, and the classes where they were placed.
String Encryption — Include and Exclude
The String Encryption Include and Exclude panels let you compose rules that determine which parts of the application will have strings encrypted. Methods, classes, or entire packages can be selected. Since string encryption adds a size and runtime performance cost, you can selectively include parts of your application where sensitive string information is located or exclude sections where performance may be impacted by the runtime decryption.
See Graphical Rules Editor for details.
The Custom Encryption panel lets you configure your own encryption and decryption methods. This allows you to provide your own level of encryption. See Using Custom Encryption for the requirements of the encryption and decryption methods.
Use Custom Encryption
Enables or disables the use of custom encryption obfuscation globally. You can control the portions of the application to which custom string encryption is applied by using include rules. You must specify at least one rule for custom encryption to work.
The jar containing the encryption class and method. This jar is external to your project. It will be used to encrypt strings while obfuscating.
Encryption Class and Method
The class and method used to encrypt the text. This method will not be part of the output. Clicking Choose… will bring up a dialog listing all the methods inside the encryption jar that match the requirements.
Decryption Class and Method
The class and method used to decrypt the text. These classes must be part of the project inputs. The class and method you specify will remain in your output (but may be renamed/obfuscated based on other project settings). Clicking Choose… will bring up a dialog listing all the methods from the inputs that match the requirements.
Custom Encryption — Include
The Custom Encryption Include panels let you compose rules that determine which parts of the application will have strings encrypted using the custom encryption. Methods, classes, or entire packages can be selected. This should be considered a subset of overall string encryption. Any class/method specified here must not be excluded from string encryption.
See Graphical Rules Editor for details.