That's only true if you choose to obfuscate your code on android. I recently decompiled an apk and all variables/function names were perfectly readable
Even variable names? I know that class/method/field names are visible, but I didn't think that local variable names were. I can't see a reason for them to be, aside from debugging... and presumably they're not shipping a debug build.
It used to be incredibly common for production APKs to contain Java debug info (line numbers and variable names). IIRC, Android Studio now sets up the Release builds to strip this out and do basic ProGuard optimizations, but if WhatsApp was migrated from an old build system or something, it could easily be missing this step.
I was under the impression that it's now no longer possible to upload an APK that has been built in Debug Mode to Google Play. I don't know if other app stores (i.e. Amazon App store) are enforcing this.
Debug mode and obfuscation are completely seperate concepts. You can have a debug build with obfuscation or a release build without. Google Play doesn't care if an apk is obfuscated or not.
I don't work with Android, but java code is usually visible after decompilation. Unless there is specific obfuscation tech being used, you should assume all your java code can be seen by others.
That's weird. By "method variable names" I mean local variables, i.e. those declared inside a method.
I'm not getting the same results as you with a little sample program I wrote - see: https://gist.github.com/JosephRedfern/662131ceb2119abf3e83. Field names and method names are preserved (which make sense), but local variable names are lost (which also makes sense to me!)
Are you sure that your example code doesn't include debug information?
I decompiled the dex file, but not the Java Class file.
I suppose this is diverging a little from the original comment (which was in the context of an Android application), but surely if running `strings` on the class file found the method, class and field names then it would also find the local variable name too, if it was there.
If I specifically compile the java file with `javac -g:vars DecompilationTest.java` then the local variable name IS included in the file. It is not by default.
Proguard is set up to obfuscate by default on release builds with the default build script, but many devs often turn it off or use a different build system without it as a build step. You often need to add exceptions for 3rd party libs that rely on class names or variable names not changing for whatever reason (usually reflection).
