dpt-shell
dpt-shell is an open-source Android DEX protection tool that obfuscates method implementations by hollowing out DEX bytecode and reconstructing it at runtime. It supports both APK and AAB formats with configurable protection rules and optional signature verification.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | luoyesiqiu/dpt-shell |
| Owner | luoyesiqiu |
| Primary language | Java |
| License | MIT — OSI-approved |
| Stars | 998 |
| Forks | 331 |
| Open issues | 33 |
| Latest release | v2.12.0 (2026-06-07) |
| Last updated | 2026-06-16 |
| Source | https://github.com/luoyesiqiu/dpt-shell |
What dpt-shell is
Java-based tool that processes Android packages to encrypt DEX method bodies, replacing them with runtime stubs that decompress and execute protected code. Integrates with native hooks (Dobby, bhook) and supports multiple ABIs (ARM, ARM64, x86, x86_64) with optional size optimization and keep-classes mode for faster startup.
Get the dpt-shell source
Clone the repository and explore it locally.
git clone https://github.com/luoyesiqiu/dpt-shell.gitcd dpt-shell# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Build process integration: requires invoking dpt.jar as a post-build step; CI/CD pipeline modification needed.
- Testing overhead: DEX protection can mask genuine crashes; enable debug mode and verbose logging during QA.
- APK size growth: runtime stubs and metadata inflate package size; use --smaller flag to trade performance for size.
- Rule file maintenance: keep exception rules (keep-classes, protected config) in version control and update for app updates.
- Native ABIs: explicitly exclude unused ABIs to reduce APK bloat and reduce attack surface.
When to avoid it — and what to weigh
- Limited testing tolerance — Project README explicitly warns of limited test coverage and recommends caution in production. Not suitable for risk-averse organizations.
- Requires zero performance impact — Runtime DEX reconstruction and native hooking add measurable overhead; incompatible with ultra-latency-sensitive apps.
- Managed app store compliance unknown — Google Play Store and other stores may flag or reject apps protected with native hooking (Dobby, bhook). Requires pre-deployment verification.
- Multi-platform/cross-platform needs — Android-only tool; no iOS, Flutter, React Native, or cross-platform support.
License & commercial use
MIT License. Permissive OSI license allowing commercial use, modification, and redistribution with attribution.
MIT license permits commercial use without royalties. However, verify with legal counsel that: (1) redistributing protected apps complies with your app store terms, (2) native hooking does not violate platform policies, (3) runtime verification does not trigger anti-cheat or security detection on target platforms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Runtime DEX reconstruction and native hooking increase attack surface compared to static obfuscation. Tool does not provide integrity checking of runtime code; vulnerable to in-memory tampering. No formal security audit data provided. Native dependencies (Dobby, bhook) must be vetted independently. Signature verification flag (--verify-sign) adds optional runtime check but is not enabled by default.
Alternatives to consider
Guardsquare ProGuard / R8
Industry-standard DEX bytecode shrinking and obfuscation built into Android Gradle; mainstream app store support; extensive docs; commercial support available.
Yiguan APK Shell
Chinese APK protection tool with similar DEX hollowing approach; proprietary; less transparent community; different compliance/support model.
Aliyun Mobile Security / Alibaba Mobile Guard
Cloud-based mobile app protection service with DEX encryption, runtime verification, and managed compliance; enterprise SLA; higher cost; no open-source alternative.
Build on dpt-shell with DEV.co software developers
dpt-shell offers low-cost runtime DEX obfuscation with MIT licensing, but requires careful testing and app store compliance review before production deployment. Contact our mobile security experts to assess fit for your threat model and distribution strategy.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
dpt-shell FAQ
Does dpt-shell work with app store distribution (Google Play, Samsung Galaxy Store)?
What is the runtime performance impact?
Can I exclude certain classes or methods from protection?
Is there professional support or SLA?
Custom software development services
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If dpt-shell is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate dpt-shell for Your Android Security Needs
dpt-shell offers low-cost runtime DEX obfuscation with MIT licensing, but requires careful testing and app store compliance review before production deployment. Contact our mobile security experts to assess fit for your threat model and distribution strategy.