Description
Integration
sentry-android-ndk
Build System
Gradle
AGP Version
8.9.2
Proguard
Enabled
Version
7.22.5
Steps to Reproduce
Some third-party libraries include the following ProGuard rule:
-keepclasseswithmembernames,includedescriptorclasses class * {
native <methods>;
}
This rule is too broad and prevents class name obfuscation for all classes with native methods — not just those from the library itself.
This impacts security and maintainability in downstream projects, especially in cases where native methods contain security-sensitive logic and developers want to obscure their names.
-
Include a library that contains the following rule in its ProGuard file:
-keepclasseswithmembernames,includedescriptorclasses class * { native <methods>; } -
Add your own class with a native method:
public class SecureNative { public native void signTransaction(byte[] input); }
-
Build with R8 enabled.
-
Inspect the mapping file or APK — the class and method names will not be obfuscated.
Log output
No error, but the obfuscation is blocked unexpectedly.
Expected Result
Third-party libraries should scope ProGuard rules only to their own package, for example:
-keepclasseswithmembernames,includedescriptorclasses class io.sentry.** {
native <methods>;
}
🔐 Security concern
In our project, we use native methods for security-critical operations (e.g., cryptographic signing, hardware access). These method names should be obfuscated to prevent easy reverse engineering.
However, the use of overly broad ProGuard rules from dependencies prevents that, and we are forced to manually clean the merged configuration.txt before release — which is fragile and error-prone.
Actual Result
Update the ProGuard rule to scope it only to your own package:
-keepclasseswithmembernames,includedescriptorclasses class io.sentry.** {
native <methods>;
}
Metadata
Metadata
Assignees
Labels
Type
Projects
Status