How to Automatically De-obfuscate Crashlytics Stack Traces

Last updated May 6, 2024 by Appdome

What is Firebase Crashlytics?

Firebase Crashlytics is a lightweight, real-time crash reporter that helps you track, prioritize, and fix stability issues that erode your app quality. Crashlytics saves you troubleshooting time by intelligently grouping crashes and highlighting the circumstances that lead up to them.

Understanding Stack Trace Obfuscation with Appdome’s Obfuscate App Logic

Before diving into the de-obfuscation process, it’s important to understand the impact of integrating Appdome’s Obfuscate App Logic with Android Crashlytics. This integration results in obfuscated stack traces that are difficult to interpret without the appropriate de-obfuscation keys, which safeguards your app’s internal logic. The following sections of this article will guide you through the steps to automatically de-obfuscate these stack traces, starting with a glimpse at how an obfuscated stack trace looks prior to de-obfuscation.

Obfuscated Stack Traces

How to Automatically De-obfuscate Android Crashlytics Stack Traces

Step 1: Build the feature: Obfuscate App Logic.

1. Upload an app to Appdome’s Mobile App Security Build System
1.1. Upload Method: Appdome Console or DEV-API
1.2. Android Formats: .apk or .aab
1.3. Obfuscate App Logic is compatible with Java, JS, C++, C#, Kotlin, Flutter, React Native, Unity, Xamarin, Cordova, and other Android apps.
2. Build the Obfuscate App Logic feature using Appdome’s DEV-API:
2.1. Create and name the Fusion Set (security template) that will contain the Obfuscate App Logic feature as shown below:

Figure 1: Fusion Set that will contain the Obfuscate App Logic feature
Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).

2.1.2. To add the Obfuscate App Logic feature to this Fusion Set, using the Appdome Console, follow the steps in Sections 2.2.1-2.2.2 of this article, Building the Obfuscate App Logic feature.
2.1.3. Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set.
2.1.4. Copy the Fusion Set ID from the Fusion Set Detail Summary (as shown below):
Figure 2: Fusion Set Detail Summary
Note: Annotating the Fusion Set to identify the protection(s) selected is optional (not mandatory).
2.1.5. Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, App Center, Jenkins, Travis, TeamCity, CircleCI or another system:
2.1.5.1. Build an API for the app – for instructions, see the tasks under Appdome API Reference Guide
2.1.5.2. Look for sample APIs in Appdome’s GitHub Repository
2.2. To build the Obfuscate App Logic protection using Appdome Console, follow the instructions below.
2.2.1. Where: Inside the Appdome Console, go to Build Security Tab > TOTALCode™ Obfuscation section.
2.2.2. How: Toggle (turn ON) Obfuscate App Logic, as shown below.

Figure 3: Obfuscate App Logic option

2.2.3. When you select Obfuscate App Logic, you’ll notice that the Fusion Set you created in step 2.1.1 now bears the icon of the protection category that contains Obfuscate App Logic.

Figure 4: Fusion Set that displays the newly added Obfuscate App Logic protection

2.2.4. Click Build My App at the bottom of the Build Workflow (shown in Figure 3).

Step 2: Click on Workflow Summary:

Step 3: Click Download Obfuscation Mapping Files

Step 4: Locate the required files

a. com_google_firebase_crashlytics_mappingfileid.xml
b. mapping.txt

Step 5: Install Firebase CLI

Follow the instructions in this Installation Guide

Step 6: Log in to your Firebase account

Follow the instructions in the Firebase Login Guide. 

Step 7: Save your app-id from Firebase Console

Learn more about: Where can I find the App ID for my Firebase app?

Step 8: Run the following CLI command

firebase crashlytics:mappingfile:upload --app=<app-id from step 7> --resource-file=<"com_google_firebase_crashlytics_mappingfileid.xml" file location from step 4a> <"mapping.txt" file location from step 4b>

Step 9: Install the protected App
Use this command to install the APK app file to your device:

adb install <full path to APK>

Step 10: Produce a new crash to verify that the de-obfuscation is working.

From this point forward, every stack trace in Crashlytics related to this Appdome build will be automatically deobfuscated.
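
A preflight for Steps 4 to 8, added here as an example (not Appdome's or Firebase's own code): it checks the two downloaded files before the upload, prints the Step 8 command, and can look up an obfuscated class in mapping.txt to cross-check a frame from the Step 10 crash. It assumes the XML keeps the ID in a string resource named com.google.firebase.crashlytics.mapping_file_id and that mapping.txt uses the ProGuard/R8 layout; the sample files, app ID and class names are constructed.

```shell
#!/bin/sh
# Preflight for the Step 8 upload. Assumptions (not from the article): the XML
# stores the ID in a string resource named
# com.google.firebase.crashlytics.mapping_file_id, and mapping.txt uses the
# ProGuard/R8 layout "original.Class -> obfuscated:".

# Print the mapping file ID from the resource XML (file 4a).
mapping_file_id() {
    sed -n 's/.*name="com\.google\.firebase\.crashlytics\.mapping_file_id"[^>]*>\([^<]*\)<.*/\1/p' "$1" | head -n 1
}

# Print the original class name for an obfuscated one, using mapping.txt (file 4b).
original_class() {
    awk -v obf="$2:" 'index(" \t#", substr($0, 1, 1)) == 0 && $2 == "->" && $3 == obf { print $1; exit }' "$1"
}

# Validate both files, then print the Step 8 command; non-zero status on failure.
upload_command() {
    app_id=$1 xml=$2 map=$3
    [ -n "$app_id" ] || { echo "error: empty Firebase app ID" >&2; return 2; }
    [ -s "$xml" ] || { echo "error: $xml missing or empty" >&2; return 3; }
    [ -s "$map" ] || { echo "error: $map missing or empty" >&2; return 3; }
    [ -n "$(mapping_file_id "$xml")" ] || { echo "error: no mapping file ID in $xml" >&2; return 4; }
    grep -q -E '^[^[:space:]#].* -> .*:$' "$map" || { echo "error: no class entries in $map" >&2; return 5; }
    printf 'firebase crashlytics:mappingfile:upload --app=%s --resource-file="%s" "%s"\n' "$app_id" "$xml" "$map"
}

# Constructed sample files (placeholder ID, app ID and class names) so this runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/com_google_firebase_crashlytics_mappingfileid.xml" <<'EOF'
<resources>
<string name="com.google.firebase.crashlytics.mapping_file_id" translatable="false">0123456789abcdef0123456789abcdef</string>
</resources>
EOF
cat > "$demo_dir/mapping.txt" <<'EOF'
com.example.app.LoginActivity -> a.b.c:
    void onCreate(android.os.Bundle) -> a
com.example.app.net.ApiClient -> a.b.d:
    1:4:void send(java.lang.String):20:23 -> b
EOF
upload_command "1:000000000000:android:0000000000000000" "$demo_dir/com_google_firebase_crashlytics_mappingfileid.xml" "$demo_dir/mapping.txt"
original_class "$demo_dir/mapping.txt" "a.b.d"
rm -rf "$demo_dir"
```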
