Block Android dex2oat on demand

🌐 - 简体中文

TLDR:

oat_dir=$(dumpsys package com.package.name | grep codePath= | cut -d= -f2-)/oat ; rm -rf $oat_dir ; touch $oat_dir

Root required. Above code will find the app's codePath, delete the oat dir, then create an empty file to block dex2oat for this app forever.

Why

IMO, obfuscation should be exclusively for core logic. Alipay use OLLVM to obfuscate only a small subset of its security-sensitive native lib (.so). Applying aggressive obfuscation to general business logic is unnecessary; it seriously degrades performance with no other benefits.

A prime counter-example is the HSBC HK app, which indiscriminately applied heavy hardening to all DEX files. Consequently, despite its minimal feature set (significantly fewer than mainland Chinese banking apps), it manages to achieve a larger size and poorer performance (ironically).

Even worse, because the hardening affects every DEX file, the app size reaches a staggering 2.9GB after a full dex2oat. As a result, we are looking to restrict Android from running dex2oat on this specific app.

After exec the aforementioned command, the size was reduced from 2.9GB to 644MB — a significant improvement. In terms of runtime performance, profiling showed no noticeable regressions.

Developers looking for a shortcut can manually set android:vmSafeMode in the manifest to disable AOT compilation (dex2oat).

20260307: Since v3.67.6, the HSBC HK app's size has decreased slightly; the size after removing the oat directory dropped from 635MB to 476MB. However, still expands drastically after dex2oat.

🌐

oat_dir=$(dumpsys package com.package.name | grep codePath= | cut -d= -f2-)/oat ; rm -rf $oat_dir ; touch $oat_dir