@@ -14,24 +14,33 @@ compiled Dart code, replacing each symbol with
1414another symbol, making it difficult for an attacker
1515to reverse engineer your proprietary app.
1616
17- ** Flutter's code obfuscation works
18- only on a [ release build] [ ] .**
19-
2017[ Code obfuscation ] : https://en.wikipedia.org/wiki/Obfuscation_(software)
21- [ release build ] : /testing/build-modes#release
2218
23- ## Limitations
19+ ## Limitations and warnings {: #limitations}
2420
25- Note that obfuscating your code does _ not_
26- encrypt resources nor does it protect against
27- reverse engineering.
28- It only renames symbols with more obscure names.
21+ ** Flutter's code obfuscation works
22+ only on a [ release build] [ ] .**
2923
3024::: warning
3125It is a ** poor security practice** to
3226store secrets in an app.
3327:::
3428
29+ Obfuscating your code does _ not_
30+ encrypt resources nor does it protect against
31+ reverse engineering.
32+ It only renames symbols with more obscure names.
33+
34+ Web apps don't support obfuscation.
35+ A web app can be [ minified] [ ] , which provides a similar result.
36+ When you build a release version of a Flutter web app,
37+ the web compiler minifies the app. To learn more,
38+ see [ Build and release a web app] [ ] .
39+
40+ [ release build ] : /testing/build-modes#release
41+ [ Build and release a web app ] : /deployment/web
42+ [ minified ] : https://en.wikipedia.org/wiki/Minification_(programming)
43+
3544## Supported targets
3645
3746The following build targets
@@ -49,91 +58,97 @@ described on this page:
4958* ` macos-framework `
5059* ` windows `
5160
52- ::: note
53- Web apps don't support obfuscation.
54- A web app can be [ minified] [ ] , which provides a similar result.
55- When you build a release version of a Flutter web app,
56- the web compiler minifies the app. To learn more,
57- see [ Build and release a web app] [ ] .
58- :::
59-
60- [ Build and release a web app ] : /deployment/web
61- [ minified ] : https://en.wikipedia.org/wiki/Minification_(programming)
62-
63- ## Obfuscate your app
64-
65- To obfuscate your app, use the ` flutter build ` command
66- in release mode
67- with the ` --obfuscate ` and ` --split-debug-info ` options.
68- The ` --split-debug-info ` option specifies the directory
69- where Flutter outputs debug files.
70- In the case of obfuscation, it outputs a symbol map.
71- For example:
61+ For detailed information about the command line options
62+ available for a build target, run the following
63+ command. The ` --obfuscate ` and ` --split-debug-info ` options should
64+ be listed in the output. If they aren't, you'll need to
65+ install a newer version of Flutter to obfuscate your code.
7266
7367``` console
74- $ flutter build apk --obfuscate --split-debug-info=/ < project-name > / < directory >
68+ $ flutter build < build-target > -h
7569```
70+ * ` <build-target> ` : The build target. For example,
71+ ` apk ` .
7672
77- Once you've obfuscated your binary, ** save
78- the symbols file** . You need this if you later
79- want to de-obfuscate a stack trace.
73+ ## Obfuscate your app
8074
81- ::: tip
82- The ` --split-debug-info ` option can also be used without ` --obfuscate `
83- to extract Dart program symbols, reducing code size .
84- To learn more about app size, see [ Measuring your app's size ] [ ] .
85- :::
75+ To obfuscate your app and create a symbol map, use the
76+ ` flutter build ` command in release mode
77+ with the ` --obfuscate ` and ` --split-debug-info ` options .
78+ If you want to debug your obfuscated
79+ app in the future, you will need the symbol map.
8680
87- [ Measuring your app's size ] : /perf/app-size
81+ 1 . Run the following command to obfuscate your app and
82+ generate a SYMBOLS file:
8883
89- For detailed information on these flags, run
90- the help command for your specific target, for example:
84+ ``` console
85+ $ flutter build <build-target> \
86+ --obfuscate \
87+ --split-debug-info=/<symbols-directory>
88+ ```
9189
92- ``` console
93- $ flutter build apk -h
94- ```
90+ * ` <build-target> ` : The build target. For example,
91+ ` apk ` .
92+ * ` <symbols-directory> ` : The directory where the SYMBOLS
93+ file should be placed. For example,
94+ ` out/android ` .
9595
96- If these flags are not listed in the output,
97- run ` flutter --version ` to check your version of Flutter.
96+ 1 . Once you've obfuscated your binary, ** backup
97+ the SYMBOLS file** . You might need this if you lose
98+ your original SYMBOLs file and you
99+ want to de-obfuscate a stack trace.
98100
99101## Read an obfuscated stack trace
100102
101103To debug a stack trace created by an obfuscated app,
102104use the following steps to make it human readable:
103105
104- 1 . Find the matching symbols file.
106+ 1 . Find the matching SYMBOLS file.
105107 For example, a crash from an Android arm64
106108 device would need ` app.android-arm64.symbols ` .
107109
1081101 . Provide both the stack trace (stored in a file)
109- and the symbols file to the ` flutter symbolize ` command.
110- For example:
111+ and the SYMBOLS file to the ` flutter symbolize ` command.
111112
112113 ``` console
113- $ flutter symbolize -i <stack trace file> -d out/android/app.android-arm64.symbols
114+ $ flutter symbolize \
115+ -i <stack-trace-file> \
116+ -d <obfuscated-symbols-file>
114117 ```
115118
116- For more information on the ` symbolize ` command,
119+ * ` <stack-trace-file> ` : The file path for the
120+ stacktrace. For example, ` ??? ` .
121+ * ` <obfuscated-symbols-file> ` : The file path for the
122+ symbols file that contains the obfuscated symbols.
123+ For example, ` out/android/app.android-arm64.symbols ` .
124+
125+ For more information about the ` symbolize ` command,
117126 run ` flutter symbolize -h ` .
118127
119128## Read an obfuscated name
120129
121- To make the name that an app obfuscated human readable,
122- use the following steps:
130+ You can generate a JSON file that contains
131+ an obfuscation map. An obfuscation map is a JSON array with
132+ pairs of original names and obfuscated names. For example,
133+ ` ["MaterialApp", "ex", "Scaffold", "ey"] ` , where
134+ ` ex ` is the obfuscated name of ` MaterialApp ` .
123135
124- 1 . To save the name obfuscation map at app build time,
125- use ` --extra-gen-snapshot-options=--save-obfuscation-map=/<your-path> ` .
126- For example:
136+ To generate an obfuscation map, use the following command:
127137
128- ``` console
129- $ flutter build apk --obfuscate --split-debug-info=/<project-name>/<directory> --extra-gen-snapshot-options=--save-obfuscation-map=/<your-path>
130- ```
138+ ``` console
139+ $ flutter build < build-target> \
140+ --obfuscate \
141+ --split-debug-info=/<symbols-directory> \
142+ --extra-gen-snapshot-options=--save-obfuscation-map=/<obfuscation-map-file>
143+ ```
131144
132- 1 . To recover the name, use the generated obfuscation map.
133- The obfuscation map is a flat JSON array with pairs of
134- original names and obfuscated names. For example,
135- ` ["MaterialApp", "ex", "Scaffold", "ey"] ` , where ` ex `
136- is the obfuscated name of ` MaterialApp ` .
145+ * ` <build-target> ` : The build target. For example,
146+ ` apk ` .
147+ * ` <symbols-directory> ` : The directory where the symbols
148+ should be placed. For example, ` out/android `
149+ * ` <obfuscation-map-file> ` : The file path where the
150+ JSON obfuscation map should be placed. For example,
151+ ` out/android/map.json `
137152
138153## Caveat
139154
@@ -145,9 +160,9 @@ eventually be an obfuscated binary.
145160 For example, the following call to ` expect() ` won't
146161 work in an obfuscated binary:
147162
148- <? code-excerpt "lib/main.dart (Expect)"?>
149- ``` dart
150- expect(foo.runtimeType.toString(), equals('Foo'));
151- ```
163+ <? code-excerpt "lib/main.dart (Expect)"?>
164+ ``` dart
165+ expect(foo.runtimeType.toString(), equals('Foo'));
166+ ```
152167
153168* Enum names are not obfuscated currently.
0 commit comments