DEV.co
Open-Source Security · luoyesiqiu

dpt-shell

dpt-shell is an open-source Android DEX protection tool that obfuscates method implementations by hollowing out DEX bytecode and reconstructing it at runtime. It supports both APK and AAB formats with configurable protection rules and optional signature verification.

Source: GitHub — github.com/luoyesiqiu/dpt-shell
998
GitHub stars
331
Forks
Java
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryluoyesiqiu/dpt-shell
Ownerluoyesiqiu
Primary languageJava
LicenseMIT — OSI-approved
Stars998
Forks331
Open issues33
Latest releasev2.12.0 (2026-06-07)
Last updated2026-06-16
Sourcehttps://github.com/luoyesiqiu/dpt-shell

What dpt-shell is

Java-based tool that processes Android packages to encrypt DEX method bodies, replacing them with runtime stubs that decompress and execute protected code. Integrates with native hooks (Dobby, bhook) and supports multiple ABIs (ARM, ARM64, x86, x86_64) with optional size optimization and keep-classes mode for faster startup.

Quickstart

Get the dpt-shell source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/luoyesiqiu/dpt-shell.gitcd dpt-shell# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Enterprise mobile app protection

Protect proprietary business logic in high-value Android applications from reverse engineering and tampering.

Gaming and premium app obfuscation

Add a runtime protection layer to games and subscription-based apps to increase attack complexity for crackers.

Compliance-driven security hardening

Meet security requirements for regulated industries by demonstrating DEX-level obfuscation and runtime verification capabilities.

Implementation considerations

  • Build process integration: requires invoking dpt.jar as a post-build step; CI/CD pipeline modification needed.
  • Testing overhead: DEX protection can mask genuine crashes; enable debug mode and verbose logging during QA.
  • APK size growth: runtime stubs and metadata inflate package size; use --smaller flag to trade performance for size.
  • Rule file maintenance: keep exception rules (keep-classes, protected config) in version control and update for app updates.
  • Native ABIs: explicitly exclude unused ABIs to reduce APK bloat and reduce attack surface.

When to avoid it — and what to weigh

  • Limited testing tolerance — Project README explicitly warns of limited test coverage and recommends caution in production. Not suitable for risk-averse organizations.
  • Requires zero performance impact — Runtime DEX reconstruction and native hooking add measurable overhead; incompatible with ultra-latency-sensitive apps.
  • Managed app store compliance unknown — Google Play Store and other stores may flag or reject apps protected with native hooking (Dobby, bhook). Requires pre-deployment verification.
  • Multi-platform/cross-platform needs — Android-only tool; no iOS, Flutter, React Native, or cross-platform support.

License & commercial use

MIT License. Permissive OSI license allowing commercial use, modification, and redistribution with attribution.

MIT license permits commercial use without royalties. However, verify with legal counsel that: (1) redistributing protected apps complies with your app store terms, (2) native hooking does not violate platform policies, (3) runtime verification does not trigger anti-cheat or security detection on target platforms.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Runtime DEX reconstruction and native hooking increase attack surface compared to static obfuscation. Tool does not provide integrity checking of runtime code; vulnerable to in-memory tampering. No formal security audit data provided. Native dependencies (Dobby, bhook) must be vetted independently. Signature verification flag (--verify-sign) adds optional runtime check but is not enabled by default.

Alternatives to consider

Guardsquare ProGuard / R8

Industry-standard DEX bytecode shrinking and obfuscation built into Android Gradle; mainstream app store support; extensive docs; commercial support available.

Yiguan APK Shell

Chinese APK protection tool with similar DEX hollowing approach; proprietary; less transparent community; different compliance/support model.

Aliyun Mobile Security / Alibaba Mobile Guard

Cloud-based mobile app protection service with DEX encryption, runtime verification, and managed compliance; enterprise SLA; higher cost; no open-source alternative.

Software development agency

Build on dpt-shell with DEV.co software developers

dpt-shell offers low-cost runtime DEX obfuscation with MIT licensing, but requires careful testing and app store compliance review before production deployment. Contact our mobile security experts to assess fit for your threat model and distribution strategy.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

dpt-shell FAQ

Does dpt-shell work with app store distribution (Google Play, Samsung Galaxy Store)?
Unknown. README does not address app store compatibility. Native hooking (Dobby, bhook) may trigger store security scanning. Requires pre-submission testing with each target store.
What is the runtime performance impact?
Not quantified in documentation. DEX reconstruction on app startup adds latency; --smaller flag trades performance for size. --keep-classes option reported to improve startup speed but may break some packages.
Can I exclude certain classes or methods from protection?
Yes: use -r (rules-file) to exclude class names, and -K (keep-classes) to retain some classes unobfuscated. Configuration requires manual rule authoring; no auto-generation documented.
Is there professional support or SLA?
No commercial support model documented. Community support via GitHub issues only. README explicitly disclaims responsibility for production failures.

Custom software development services

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If dpt-shell is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate dpt-shell for Your Android Security Needs

dpt-shell offers low-cost runtime DEX obfuscation with MIT licensing, but requires careful testing and app store compliance review before production deployment. Contact our mobile security experts to assess fit for your threat model and distribution strategy.