> The smoking gun is a pattern match performed on any URL string that begins with the word 'telegram.' In the most recent version of the app, these strings are classified as a "bad host," so that no hyperlink is generated and it becomes impossible to copy or forward any message with that URL. No other strings trigger the match, so this block is purposefully targeted at Telegram.
Maybe times have changed and these things are now included in the dex file, but that doesn't seem to be a verbatim decompiler output to me.
Local variable names aren't normally stored in an APK, they're just refereed to by register numbers. For instance, I wouldn't expect to see "for(Pattern badHost : BAD_HOSTS)" (specifically the badHost) - last time I checked, this information would be lost during compilation.
I'm not suggesting that the code is falsified - the person that decompiled it probably just guessed at some variable names and re-factored to make it more readable. It just stood out to me, so I thought it was worth mentioning.
That's only true if you choose to obfuscate your code on android. I recently decompiled an apk and all variables/function names were perfectly readable
Even variable names? I know that class/method/field names are visible, but I didn't think that local variable names were. I can't see a reason for them to be, aside from debugging... and presumably they're not shipping a debug build.
It used to be incredibly common for production APKs to contain Java debug info (line numbers and variable names). IIRC, Android Studio now sets up the Release builds to strip this out and do basic ProGuard optimizations, but if WhatsApp was migrated from an old build system or something, it could easily be missing this step.
I was under the impression that it's now no longer possible to upload an APK that has been built in Debug Mode to Google Play. I don't know if other app stores (i.e. Amazon App store) are enforcing this.
Debug mode and obfuscation are completely seperate concepts. You can have a debug build with obfuscation or a release build without. Google Play doesn't care if an apk is obfuscated or not.
I don't work with Android, but java code is usually visible after decompilation. Unless there is specific obfuscation tech being used, you should assume all your java code can be seen by others.
That's weird. By "method variable names" I mean local variables, i.e. those declared inside a method.
I'm not getting the same results as you with a little sample program I wrote - see: https://gist.github.com/JosephRedfern/662131ceb2119abf3e83. Field names and method names are preserved (which make sense), but local variable names are lost (which also makes sense to me!)
Are you sure that your example code doesn't include debug information?
I decompiled the dex file, but not the Java Class file.
I suppose this is diverging a little from the original comment (which was in the context of an Android application), but surely if running `strings` on the class file found the method, class and field names then it would also find the local variable name too, if it was there.
If I specifically compile the java file with `javac -g:vars DecompilationTest.java` then the local variable name IS included in the file. It is not by default.
Proguard is set up to obfuscate by default on release builds with the default build script, but many devs often turn it off or use a different build system without it as a build step. You often need to add exceptions for 3rd party libs that rely on class names or variable names not changing for whatever reason (usually reflection).
Local variables no, but a method name like isBadHost, and the field BAD_HOSTS, would be preserved in the absence of an obfuscator (and then, its job would not be trivial as isBadHost is scoped public).
Thanks, that looks like really solid evidence for intentionally blocking them. I see no way to explain this than anything but an attempt to block their competitor.
I still think this will result in more publicity for Telegram than all the messages that are blocked.
Intentionally blocking your competitor in this situation doesn't seem like a good idea, it mostly generates publicity for them.