Obfuscating Spring Boot Projects Using Maven Proguard Plugin

Introduction

Obfuscation is the act of transforming bytecode so that it becomes hard to decompile into readable source. Many developers rely on obfuscation to keep sensitive code away from undesired eyes. Publishing jars without obfuscation may hurt competitiveness, because rivals can take advantage of the easily decompilable nature of Java binaries.

Objective

Spring Boot applications make use of public interfaces and annotations, which makes them harder to obfuscate. Additionally, the Spring Boot Maven plugin creates a fat jar that contains all dependent jars, and it is not viable to obfuscate the whole fat jar. Thus obfuscating a Spring Boot application is different from obfuscating a regular Java application and requires a suitable strategy.

Audience

Those who use Spring Boot and Maven and wish to obfuscate their application with ProGuard are the target audience for this article.

Sample Application

As the sample application, I will use the Elasticsearch sync application from my GitHub repository.

https://github.com/habanoz/essync/

Only the rest module uses obfuscation. The rest module simply creates an Elasticsearch instance and provides a REST interface that lets clients access the Elasticsearch repository. Spring Boot uses embedded Tomcat to launch the application.

Obfuscation Details

Regarding obfuscation of a Spring Boot application, the first caveat is to leave the information the Spring framework needs intact. Spring requires annotations, interfaces and attribute names. That information is necessary not only for the Spring runtime but also for other enterprise frameworks such as Hibernate.

<build>
    <finalName>${artifactId}</finalName>
    <plugins>
        <plugin>
            <groupId>com.github.wvengen</groupId>
            <artifactId>proguard-maven-plugin</artifactId>
            <executions>
                <execution>
                    <phase>package</phase>
                    <goals><goal>proguard</goal></goals>
                </execution>
            </executions>
            <configuration>
                <proguardVersion>5.3.3</proguardVersion>
                <injar>${project.build.finalName}.jar</injar>
                <outjar>${project.build.finalName}.jar</outjar>
                <obfuscate>true</obfuscate>
                <options>
                    <option>-dontshrink</option>
                    <option>-dontoptimize</option>
                    <!-- This option replaces class-name strings used in reflective calls,
                         for example Class.forName("className"), with the new obfuscated names. -->
                    <option>-adaptclassstrings</option>
                    <!-- This option keeps the listed attributes, including annotations;
                         otherwise they are removed from the class files. -->
                    <option>-keepattributes Exceptions,InnerClasses,Signature,Deprecated,*Annotation*,EnclosingMethod</option>
                    <!-- This option keeps the original names of all interfaces (they are not obfuscated). -->
                    <option>-keepnames interface **</option>
                    <!-- This option keeps the original method parameter names in classes covered by
                         -keep rules; otherwise all parameter names are obfuscated. -->
                    <!-- <option>-keepparameternames</option> -->
                    <!-- This option keeps all classes unobfuscated except those in the domain package. -->
                    <!-- <option>-keep class !com.slm.proguard.example.spring.boot.domain.** { *; }</option> -->
                    <!-- This option keeps the classes in the service package unobfuscated. -->
                    <!-- <option>-keep class com.slm.proguard.example.spring.boot.service { *; }</option> -->
                    <!-- This option keeps all interfaces, in every package, unobfuscated. -->
                    <option>-keep interface * extends * { *; }</option>
                    <option>-keep class cookle.rest.RestMain { *; }</option>
                </options>
                <libs>
                    <!-- Include the main Java runtime library (required). -->
                    <lib>${java.home}/lib/rt.jar</lib>
                    <!-- Include the Java crypto library if necessary. -->
                    <lib>${java.home}/lib/jce.jar</lib>
                </libs>
            </configuration>
            <dependencies>
                <dependency>
                    <groupId>net.sf.proguard</groupId>
                    <artifactId>proguard-base</artifactId>
                    <version>5.3.3</version>
                </dependency>
            </dependencies>
        </plugin>
        <!-- The Spring Boot repackaging must run after ProGuard so that it picks up the
             already obfuscated classes. -->
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
            <executions>
                <execution>
                    <goals>
                        <goal>repackage</goal>
                    </goals>
                    <configuration>
                        <mainClass>cookle.rest.RestMain</mainClass>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

ProGuard can be configured to leave the required information untouched. A proguard.cfg file can be used to configure ProGuard. Luckily, ProGuard has a Maven plugin which makes using ProGuard in Maven projects a breeze. The Maven plugin configures ProGuard through option tags.

Look at the configuration excerpt from the module pom above and check the options. Note that the main class is excluded from obfuscation. The -dontshrink and -dontoptimize options are not strictly necessary; if you drop them, use shrinking and optimization with care.

The second caveat is to run the obfuscation before the fat jar is created. To achieve this, the Spring Boot Maven plugin is declared after the ProGuard plugin. Its execution goal should be set to repackage, because the plugin must repackage the project jar to create the fat jar. Also note that the injar and outjar values of the ProGuard plugin must be the same so that the Spring Boot plugin repackages the obfuscated jar.
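The following Python check is an added example (not part of the original post or the essync project): it audits a pom.xml against the two caveats above, plugin order plus matching injar/outjar, and the keep rules for annotations, interfaces and the main class. It assumes the plugin coordinates used in the excerpt and a pom without the default xmlns declaration; the embedded pom is a constructed, trimmed version of the excerpt.

```python
# Added example (not from the original post): audit a Spring Boot pom.xml against the
# two ProGuard caveats described above. Assumes the plugin coordinates used in the
# article's excerpt and no xmlns on <project>; the pom below is a constructed, trimmed copy.
import xml.etree.ElementTree as ET

SAMPLE_POM = """<project><build><plugins>
<plugin><groupId>com.github.wvengen</groupId><artifactId>proguard-maven-plugin</artifactId>
<configuration><injar>${project.build.finalName}.jar</injar><outjar>${project.build.finalName}.jar</outjar>
<options><option>-keepattributes Exceptions,InnerClasses,Signature,Deprecated,*Annotation*,EnclosingMethod</option>
<option>-keep interface * extends * { *; }</option>
<option>-keep class cookle.rest.RestMain { *; }</option></options></configuration></plugin>
<plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId>
<executions><execution><goals><goal>repackage</goal></goals>
<configuration><mainClass>cookle.rest.RestMain</mainClass></configuration></execution></executions>
</plugin></plugins></build></project>"""


def audit_pom(pom_xml: str) -> list[str]:
    """Return the problems found; an empty list means the pom follows both caveats."""
    root = ET.fromstring(pom_xml)
    plugins = root.findall("./build/plugins/plugin")
    ids = [p.findtext("artifactId") for p in plugins]
    for needed in ("proguard-maven-plugin", "spring-boot-maven-plugin"):
        if needed not in ids:
            return [f"{needed} is not declared"]
    pg, sb = plugins[ids.index("proguard-maven-plugin")], plugins[ids.index("spring-boot-maven-plugin")]
    problems = []
    # Caveat 2: plugins bound to the same phase run in declaration order, so ProGuard
    # must be declared before spring-boot-maven-plugin to obfuscate before repackage.
    if ids.index("proguard-maven-plugin") > ids.index("spring-boot-maven-plugin"):
        problems.append("proguard-maven-plugin is declared after spring-boot-maven-plugin")
    if "repackage" not in [g.text for g in sb.iter("goal")]:
        problems.append("spring-boot-maven-plugin does not run the repackage goal")
    cfg = pg.find("configuration")
    if cfg is None or cfg.findtext("injar") != cfg.findtext("outjar"):
        problems.append("injar and outjar differ, so repackage would wrap the unobfuscated jar")
    # Caveat 1: Spring needs annotations, interface names and the entry point left intact.
    options = [o.text.strip() for o in pg.iter("option") if o.text]
    if not any(o.startswith("-keepattributes") and "*Annotation*" in o for o in options):
        problems.append("-keepattributes does not retain *Annotation*")
    if not any(o.startswith("-keep interface") for o in options):
        problems.append("no -keep rule preserves interfaces")
    main = sb.findtext(".//mainClass")
    if main and not any(o.startswith(f"-keep class {main}") for o in options):
        problems.append(f"main class {main} is not kept, so the launcher cannot find it")
    return problems
```

Run `audit_pom(open("pom.xml").read())` after stripping the xmlns, or extend the XPath queries with the Maven namespace, to check a real module pom.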

Discussion

In my opinion, Spring applications should be designed with obfuscation in mind. Obfuscating a Spring application requires a correct configuration, which may not be easy to set up. A proper configuration may require that part of the code stay unobfuscated, which reduces the gains from the obfuscation process.

It is good practice to decouple obfuscation-critical code from Spring and other enterprise frameworks. This way sensitive code sections can easily be obfuscated.

Conclusion

Obfuscation should be applied with great care, and applications should be designed with the obfuscation process in mind.

Comments

  1. I've got a great guide on spring boot interview questions which can be found here

  2. This blog contains more useful information, keep sharing your thoughts like this...
    Excel Training in Chennai
    Advanced Excel Training Online

  3. Great post!!! Thanks for sharing this wonderful blog with us...
    Step By Step SEO Guide
    Learn SEO Step By Step

  4. This blog contains more valuable information, thanks for this blog...
    Linux Course in Chennai
    Learn Linux Online
