January 13, 2022

    ProGuard vs. DexGuard: An Overview

    Customers are increasingly choosing mobile platforms as their preferred means to engage with organizations. For this reason, developers need to ensure mobile apps perform as they should to meet customer expectations. 

    If you’re weighing your options between ProGuard and DexGuard, take heed: they provide very different benefits. 

    In this blog, we’ll highlight the primary differences between ProGuard and DexGuard.

    What is ProGuard?

    ProGuard is an open-source, versatile optimizer for Kotlin, Java, and other JVM languages. ProGuard is primarily used to shrink apps. In fact, ProGuard makes apps up to 90% smaller and 20% faster, while providing some code obfuscation techniques for basic protection against reverse engineering.

    What is DexGuard?

    DexGuard provides all the functionality of ProGuard with the addition of numerous code hardening techniques to guard mobile applications against reverse engineering and tampering. DexGuard is primarily intended for Android mobile applications that need robust code protection and code optimization.

    DexGuard applies multiple obfuscation and encryption techniques to the app’s code and SDKs, providing a layered protection profile. Beyond the code enhancements, it integrates RASP (runtime application self-protection) mechanisms, making it virtually impossible to gain access to the app’s internal logic. A key advantage of DexGuard is that it leverages polymorphism; each app build has a different obfuscation configuration. This means that any knowledge or success a threat actor may gain is reset to zero with each app build and release.  

    It is worth noting that DexGuard is based on ProGuard. This is why it is so easy to upgrade to DexGuard; it integrates seamlessly with your existing ProGuard (or R8) configuration. 

    Let’s take a closer look at the differences between ProGuard and DexGuard.

    ProGuard vs. DexGuard: A comparison guide

    [Figure: ProGuard vs. DexGuard comparison diagram]

    Generic optimizer vs. Android app protection

    ProGuard is a versatile optimizer for Java bytecode. It enables you to shrink, optimize and provide basic obfuscation for desktop and server applications, as well as embedded and Android applications. But ProGuard is restricted to the bytecode of Java applications.

    DexGuard, on the other hand, is specifically designed to protect and optimize Android applications. With multi-layered protection that adapts to the distributed and quickly evolving environment in which mobile applications are used, it optimizes, obfuscates, and encrypts manifest files, native libraries, resources, resource files, and asset files.

    DexGuard also seamlessly integrates with ThreatCast to provide you with greater visibility into vulnerabilities and suspicious activity so you can more efficiently and effectively adapt your security configuration.

    Static analysis + Dynamic analysis

    ProGuard offers basic protection against static analysis only, while DexGuard shields applications from both static and dynamic analysis. This is an important differentiator as it relates to mobile app security because attackers generally combine two approaches when attempting to reverse engineer an application. These include:

    • Trying to gain access to the source code of the application by using decompilers (static analysis), and 
    • Monitoring the behavior of the application at runtime (dynamic analysis) 

    Using RASP and obfuscation and encryption techniques, DexGuard enables the app to react whenever suspicious activity is detected by checking the integrity of the app and the environment it’s running in.

    Encryption and obfuscation

    Though both ProGuard and DexGuard harden the app’s code to shield it from reverse engineering, ProGuard is not a security solution. ProGuard offers basic protection in the form of name obfuscation, whereas DexGuard provides multiple layers of encryption and obfuscation. In fact, DexGuard obfuscates the names of classes, fields and methods, as well as the arithmetic and logical expressions in the code, and the control flow of the code inside methods. In addition, DexGuard encrypts strings and classes, and adds reflection to access sensitive APIs.

    Open source vs. commercial 

    ProGuard can be downloaded and used free of charge to process your commercial and non-commercial applications. All the information needed to set up ProGuard is detailed in the online manual. DexGuard is a commercial product, which requires a license to gain access to a team of experienced engineers who can help you set up and configure the software.

    Make your choice

    Deciding where to start — or when to upgrade — depends largely on your specific mobile app development needs. ProGuard should primarily be used when the main need is the optimization of JVM languages. 

    DexGuard is recommended for any mobile Android applications that need to be protected against threat actors who seek to compromise an application by reverse engineering, using either static or dynamic analysis of the code and application functionality. 

    To learn more about ProGuard and DexGuard, and to determine which solution best fits your needs, contact us to speak with an expert.

     

    Guardsquare
