ProGuard obfuscation variable naming, how to avoid local and param prefixes?

I am trying to obfuscate a spring web application using ProGuard. I want to keep class and method names, especially the ones used as spring beans.

But ProGuard renames local variables to local[class name], for example if I have a User object it renames the local variable to localUser. It also renames method parameters to param[Class name], for example if I have a User parameter the variable name in obfuscated method becomes paramUser. So the obfuscated code becomes pretty readable.

I want to prevent ProGuard using local and param prefixes and class names. For example I want it t开发者_如何学JAVAo use x1 instead of localUser. I checked configuration options but I could not find how to do that.

ProGuard manual > Troubleshooting > Unexpected observations after processing > Variable names not being obfuscated

If the names of the local variables and parameters in your obfuscated code don't look obfuscated, because they suspiciously resemble the names of their types, it's probably because the decompiler that you are using is coming up with those names. ProGuard's obfuscation step does remove the original names entirely, unless you explicitly keep the LocalVariableTable or LocalVariableTypeTable attributes.

The variable x1 isn't giving away any more information than paramUser, given that the viewed code would be:

public void foo(User x1)
{
    ...
}

Unless your methods are really long, it wouldn't be hard for anyone reading the method to remember that it's a parameter of type User, which is all that paramUser is saying. Yes, there's a bit of a difference in readability but I wouldn't say it's worth worrying about, personally - if someone's investing enough time to decompile your code to start with, a very small difference like that would be unlikely to deter them. If the class names were obfuscated as well, that makes a bigger difference IMO.

The naming scheme, you are describing, looks like the names regenerated by JD when the LocalVariableTable has been skipped by a Java compiler (see javac -g:var). For me, this is not a bug of ProGuard.

To make more efficient the obfuscation of your applications,

• try to replace "protected" by "private" each time that is possible : ProGuard will replace the class, method and field names by short names,
• try to use anonymous classes in your code,
• and try to split your algoritms in a large number of classes to complexify the understanding of the execution flows.