Balancing Performance and Security with Android Baseline Profiles and DexGuard
Ensuring security without sacrificing performance optimizations
When developers set out to build an Android mobile application, discussions typically ensue around functionality, performance, and security. Each topic could be evaluated in its own right, but without adequate consideration of the relationships between them, design and implementation mistakes can arise. This complex game of give and take can be further clouded when your software toolchain consists of multiple utilities, each with various functions that seemingly relate to only one discrete category. In this blog, we’ll look at a complementary example between performance and security with DexGuard’s support for Android Baseline Profiles.
What is an Android Baseline Profile, and why is it important?
When functionality is delivered with a well-performing application, positive outcomes are quantifiable with business metrics such as user retention and favorable reviews. Because performance issues so often stand in the way of these goals, the Android team developed an extremely useful feature in baseline profiles. Their use can significantly improve startup and runtime execution times through a process of profiling and code path optimization. For instance, the Google Maps team managed to improve their app startup time by up to 40% after introducing Baseline Profiles.
These performance improvements are achieved through the production of a file with a set of rules containing code paths (hot methods) important for initialization as well as those commonly experienced by users beyond startup. The Android Runtime (ART) uses this information to compile select code ahead-of-time (AOT), avoiding the slowdowns inherent in interpretation and just-in-time (JIT) compilation. Since the baseline profile gets shipped with a release, users can see the improvements faster than by depending solely on Cloud Profiles.
Fig 1. This diagram displays the baseline profile workflow from upload through end-user delivery, and how that workflow relates to cloud profiles (Source: Android)
There is plenty more information, including customer success stories, in the Android documentation. You can also check out this DroidCon talk and an Android Developers Backstage podcast. Still, the immediate takeaway is that baseline profiles work to improve a critical aspect of an application's success.
DexGuard 9.4 is now compatible with Android Baseline Profiles
The simplest and most basic feature for application security is obfuscating method names. If you recall, the basis of Android Baseline Profiles is a rule set containing method names marked to be optimized for performance gains. Consequently, if the rule set is established with unobfuscated names and your security product then obfuscates those names, there will be an interpretation problem: the rules refer to names that no longer exist in the app. Google’s R8 provides method obfuscation and seamlessly handles baseline profiles, but lacks additional features essential for security. Some security tools will transform the app in such a way that optimizations like baseline profiles are lost in the process. With DexGuard 9.4, the methods in your baseline profile are seamlessly adapted to their obfuscated names, retaining the performance benefits, and developers can quickly focus on the available, more effective layers of security.
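To make the name mismatch concrete, the following added example (not DexGuard's or R8's implementation, and not code from the original post) rewrites human-readable baseline profile rules using a ProGuard/R8-style `mapping.txt` and reports rules it cannot resolve. The function names and the sample mapping and profile are constructed for illustration; wildcard rules are not handled and are reported as unresolved.

```python
import re

PRIMITIVES = {"void": "V", "boolean": "Z", "byte": "B", "char": "C", "short": "S",
              "int": "I", "long": "J", "float": "F", "double": "D"}
CLASS = re.compile(r"(\S+) -> (\S+):$")                      # "orig.Class -> new.Class:"
MEMBER = re.compile(r"\s+(?:\d+:\d+:)?(\S+) ([\w$<>]+)\((.*?)\)\S* -> (\S+)")
RULE = re.compile(r"^([HSP]*)L([^;*?]+);(?:->(.+))?$")       # flags, class, optional method

def descriptor(java_type, classes):  # Java source type -> JVM descriptor, classes renamed
    base = java_type.replace("[]", "")
    desc = PRIMITIVES.get(base) or "L" + classes.get(base, base).replace(".", "/") + ";"
    return "[" * java_type.count("[]") + desc

def signature(name, args, ret, classes):
    params = "".join(descriptor(a, classes) for a in args.split(",") if a)
    return f"{name}({params}){descriptor(ret, classes)}"

def parse_mapping(text):  # -> ({orig class: new class}, {(orig class, orig sig): new sig})
    classes, raw, current = {}, [], None
    for line in text.splitlines():   # comments, blanks and field lines match neither regex
        if (c := CLASS.match(line)):
            current, classes[c[1]] = c[1], c[2]
        elif (m := MEMBER.match(line)):
            raw.append((current, *m.groups()))
    methods = {(c, signature(n, a, r, {})): signature(o, a, r, classes)
               for c, r, n, a, o in raw}   # second pass: every class rename is known now
    return classes, methods

def rewrite_profile(profile, mapping):  # -> (rewritten rules, rules needing review)
    (classes, methods), rewritten, unresolved = parse_mapping(mapping), [], []
    for rule in profile.split():
        m = RULE.match(rule)
        cls = m and m[2].replace("/", ".")
        if m and m[3] is None:                       # class rule
            rewritten.append(m[1] + descriptor(cls, classes))
        elif m and (cls, m[3]) in methods:           # method rule with a known mapping
            rewritten.append(f"{m[1]}{descriptor(cls, classes)}->{methods[cls, m[3]]}")
        else:                                        # wildcard, or method absent from mapping
            unresolved.append(rule)
    return rewritten, unresolved

# Constructed sample inputs (not taken from any real app)
SAMPLE_MAPPING = ("com.example.app.MainActivity -> a.a:\n"
                  "    1:5:void render(com.example.app.Model,int[]) -> b\n"
                  "com.example.app.Model -> a.b:\n"
                  "    java.lang.String title() -> a\n")
SAMPLE_PROFILE = ("HSPLcom/example/app/MainActivity;->render(Lcom/example/app/Model;[I)V "
                  "PLcom/example/app/Model;->title()Ljava/lang/String; "
                  "Lcom/example/app/Model; HSPLcom/example/app/Removed;->gone()V")
```

A non-empty unresolved list in a release build is a useful signal that part of the profile will not apply to the obfuscated app.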
Given first-hand reports from our customers and studies on baseline profiles, combined with DexGuard’s compatibility and more advanced features, Android developers can take a step towards releasing a performant and secure application.