Search code examples
androidobfuscationleakcanaryyandex-metrika

How to analyze leak trace of obfuscated 3rd party library code


I found a memory leak (using LeakCanary), but code in leak trace is obfuscated. I don't have much experience with code obfuscation and I want to know if there is a way to to deobfuscate it, or maybe disable code obfuscation for that third library code?

The third library code I am using is yandex-ads-sdk. Leak trace:

2020-10-20 12:03:00.931 D/LeakCanary: ​
┬───
│ GC Root: System class
│
├─ com.yandex.metrica.impl.ob.dr class
│    Leaking: NO (a class is never leaking)
│    ↓ static dr.a
│                ~
├─ com.yandex.metrica.impl.ob.dr instance
│    Leaking: UNKNOWN
│    Retaining 125 bytes in 5 objects
│    f instance of com.example.Application
│    ↓ dr.h
│         ~
├─ com.yandex.metrica.impl.ob.bj instance
│    Leaking: UNKNOWN
│    Retaining 1538 bytes in 60 objects
│    q instance of com.example.MainActivity with mDestroyed = false
│    a instance of com.example.Application
│    ↓ bj.n
│         ~
├─ com.yandex.metrica.impl.ob.aao instance
│    Leaking: UNKNOWN
│    Retaining 249 bytes in 13 objects
│    ↓ aao.i
│          ~
├─ com.yandex.metrica.uiaccessor.a instance
│    Leaking: UNKNOWN
│    Retaining 12 bytes in 1 objects
│    ↓ a.b
│        ~
├─ com.yandex.metrica.uiaccessor.a$1 instance
│    Leaking: UNKNOWN
│    Retaining 368482 bytes in 3462 objects
│    Anonymous subclass of androidx.fragment.app.FragmentManager$FragmentLifecycleCallbacks
│    a instance of com.example.MainActivity with mDestroyed = true
│    ↓ a$1.a
│          ~
╰→ com.example.MainActivity instance
​     Leaking: YES (ObjectWatcher was watching this because com.example.MainActivity received
​     Activity#onDestroy() callback and Activity#mDestroyed is true)
​     Retaining 368470 bytes in 3461 objects
​     key = 5b3ef21a-0cf4-4dae-b329-9dd2e9d2657e
​     watchDurationMillis = 5398
​     retainedDurationMillis = 397
​     mApplication instance of com.example.Application
​     mBase instance of android.app.ContextImpl, not wrapping known Android context

METADATA

Build.VERSION.SDK_INT: 26
Build.MANUFACTURER: samsung
LeakCanary version: 2.5
App process name: com.example.app
Stats: LruCache[maxSize=3000,hits=2461,misses=58027,hitRate=4%]
RandomAccess[bytes=2861846,reads=58027,travel=20176117749,range=13550252,size=16944114]
Analysis duration: 32101 ms

Solution

  • Unfortunately, the Yandex library is obfuscated and you'd need to mapping file to be able to deobfuscate the leak trace (see https://square.github.io/leakcanary/changelog/#deobfuscating-hprof-files)

    If you want to dig further, you can download the mobmetricalib AAR on Maven central (direct link and then use JD-GUI to decompile the bytecode. It'll still be obfuscated but you can navigate it. For example, here's the content of the a class at the bottom of the leak trace:

    package com.yandex.metrica.uiaccessor;
    
    import android.app.Activity;
    import android.support.annotation.NonNull;
    import android.support.annotation.Nullable;
    import android.support.v4.app.FragmentActivity;
    import android.support.v4.app.FragmentManager;
    
    public class a implements b {
      @NonNull
      private final a a;
      
      @Nullable
      private FragmentManager.FragmentLifecycleCallbacks b;
      
      public a(@NonNull a parama) throws Throwable {
        this
          .a = parama;
      }
      
      public void b(@NonNull Activity paramActivity) throws Throwable {
        if (paramActivity instanceof FragmentActivity) {
          if (this.b == null)
            this
              .b = new FragmentLifecycleCallback(this.a, paramActivity); 
          ((FragmentActivity)paramActivity)
            .getSupportFragmentManager()
            .unregisterFragmentLifecycleCallbacks(this.b);
          ((FragmentActivity)paramActivity).getSupportFragmentManager().registerFragmentLifecycleCallbacks(this.b, true);
        } 
      }
      
      public void a(@NonNull Activity paramActivity) throws Throwable {
        if (paramActivity instanceof FragmentActivity && this.b != null)
          ((FragmentActivity)paramActivity).getSupportFragmentManager().unregisterFragmentLifecycleCallbacks(this.b); 
      }
      
      public static interface a {
        void a(@NonNull Activity param1Activity);
      }
    }
    

    I would recommend reaching out to the owners of the library with the leaktrace and ask them to fix it.