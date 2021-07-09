



Android apps have traditionally been distributed as APKs (Android packages). An APK contains the compiled app code, its resources such as icons and sounds, and a manifest that describes the app to the Android system. It also carries the publisher's signing certificate and a signature over the package contents, which is how a device verifies who published it. The private signing key itself never ships in the APK.

In May 2018, Google introduced a new publishing format aimed at addressing some of the shortcomings of APKs. The Android App Bundle (AAB) replaces the APK as the artifact developers upload, but it is built and handled quite differently.

At Google I/O 2021, Google announced that AAB would become the default Android app format. From August 2021, the Play Store will require new apps to be submitted as AABs. End users who only use the Play Store do not need to do anything. For developers, the story is a little more complicated.

Benefits of app bundles

AAB was originally introduced as a way to solve some of the common packaging challenges in the Android ecosystem. Android runs on thousands of devices covering a wide range of screen sizes, performance baselines and CPU architectures. A single APK copes with this diversity poorly: it has to carry every variant of the app's resources and native libraries, whichever device ends up installing it.

If you install an app on a phone, you do not need the high-resolution tablet variants of its graphics, yet a single APK usually ships every variant, which inflates both download size and storage use. If a developer wants to provide leaner builds, they have to build, sign and upload several different APKs themselves, one per configuration.

App Bundles take a different approach. By design, a bundle packages all the variants of an app into a single logical upload. The Play Store then serves only the pieces the requesting device needs. A US user on a 10-inch x86 tablet receives a different download from a German user on a 5-inch ARM phone, because Play assembles a set of split APKs tailored to each device. The important point is that the device still receives APKs; users never interact with the bundle itself. The difference is that those APKs are generated by Google from the bundle rather than built and signed by the developer.

App Bundles also make on-demand feature modules easier to deliver and provide better support for large assets such as game content. According to Google, all of this typically reduces download size by around 15% compared with the same app distributed as a single APK.

What is changing for APKs?

From August 2021, the Play Store will no longer accept new apps submitted as APKs; they must be published as App Bundles. Existing APK-based apps will continue to be supported and developers can continue to publish updates for them. These apps are described as "currently exempt", which suggests that updates may need to be released as AABs in the future.

Google frames the change as a way to let more users benefit from App Bundles. From a typical end user's perspective there is little to argue with: smaller downloads and lower storage use are welcome for everyone, and especially on low-end devices and slow connections.

Users of older Android versions (before Android 5.0, API level 21, which introduced split APKs) will not see the size benefit, because their devices cannot install an app assembled from several split APKs. They can still install App Bundle apps from the Play Store: Play recognises the older device and serves a conventional all-in-one standalone APK instead.
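To make the assembly step concrete, here is an added example (my own illustration, not Google's or bundletool's code) of the selection Play performs: given the splits bundletool derived from one .aab and the requesting device's configuration, pick the set of split APKs to serve, or fall back to a single standalone APK for devices below API level 21. The struct and function names, the file names in the constructed sample bundle, and the density and locale matching rules are simplifications assumed here for illustration; bundletool's own rules cover more dimensions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Device is the configuration Play learns from the requesting device.
type Device struct {
	SDK     int      // API level; split APKs need 21+ (Android 5.0)
	ABIs    []string // supported ABIs, most preferred first
	DPI     int      // screen density in dpi
	Locales []string // user locales, most preferred first, e.g. "de-DE"
}

// Bundle describes the APKs bundletool derived from one .aab. The file names
// mirror bundletool's output layout; treat them as an assumption of this example.
type Bundle struct {
	ABISplits     map[string]string // "arm64-v8a" -> "splits/base-arm64_v8a.apk"
	DensitySplits map[int]string    // 480 -> "splits/base-xxhdpi.apk"
	LangSplits    map[string]string // "de" -> "splits/base-de.apk"
	Standalones   map[string]string // abi -> all-in-one APK for pre-21 devices
}

// Select returns the APK files Play would serve to one device: a set of splits
// on API 21+, or a single standalone APK on older releases.
func Select(b Bundle, d Device) ([]string, error) {
	if d.SDK < 21 {
		for _, abi := range d.ABIs {
			if f, ok := b.Standalones[abi]; ok {
				return []string{f}, nil
			}
		}
		return nil, fmt.Errorf("no standalone APK for ABIs %v", d.ABIs)
	}
	out := []string{"splits/base-master.apk"} // code, manifest, default resources

	// Native code: first split matching the device's ABI preference order.
	if len(b.ABISplits) > 0 {
		matched := false
		for _, abi := range d.ABIs {
			if f, ok := b.ABISplits[abi]; ok {
				out = append(out, f)
				matched = true
				break
			}
		}
		if !matched {
			return nil, fmt.Errorf("app has native code but none for %v", d.ABIs)
		}
	}

	// Density: smallest bucket at or above the device density, else the largest.
	if len(b.DensitySplits) > 0 {
		buckets := make([]int, 0, len(b.DensitySplits))
		for dpi := range b.DensitySplits {
			buckets = append(buckets, dpi)
		}
		sort.Ints(buckets)
		chosen := buckets[len(buckets)-1]
		for _, dpi := range buckets {
			if dpi >= d.DPI {
				chosen = dpi
				break
			}
		}
		out = append(out, b.DensitySplits[chosen])
	}

	// Language: first of the user's locales that has a split; otherwise the
	// base APK's default strings are used.
	for _, loc := range d.Locales {
		lang := strings.SplitN(loc, "-", 2)[0]
		if f, ok := b.LangSplits[lang]; ok {
			out = append(out, f)
			break
		}
	}
	return out, nil
}

// sampleBundle is a constructed bundle: arm64 and armv7 native code, three
// density buckets, German and English strings, plus one pre-21 standalone.
func sampleBundle() Bundle {
	return Bundle{
		ABISplits:     map[string]string{"arm64-v8a": "splits/base-arm64_v8a.apk", "armeabi-v7a": "splits/base-armeabi_v7a.apk"},
		DensitySplits: map[int]string{320: "splits/base-xhdpi.apk", 480: "splits/base-xxhdpi.apk", 640: "splits/base-xxxhdpi.apk"},
		LangSplits:    map[string]string{"de": "splits/base-de.apk", "en": "splits/base-en.apk"},
		Standalones:   map[string]string{"armeabi-v7a": "standalones/standalone-armeabi_v7a_xxhdpi.apk"},
	}
}

func main() {
	b := sampleBundle()
	phone := Device{SDK: 30, ABIs: []string{"arm64-v8a", "armeabi-v7a"}, DPI: 440, Locales: []string{"de-DE", "en-US"}}
	old := Device{SDK: 19, ABIs: []string{"armeabi-v7a"}, DPI: 480, Locales: []string{"en-US"}}
	fmt.Println(Select(b, phone))
	fmt.Println(Select(b, old))
}
```

The point to notice is the ABI branch: an x86 device asking for an app that only ships ARM native code gets nothing, where a universal APK would have installed (and crashed or fallen back to translation). That is the kind of per-device decision that now happens on Google's side rather than in the developer's build.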

What about the drawbacks?

While the headline advantages are undeniable, the App Bundle has one serious drawback for both developers and power users. Because the system revolves around Google generating signed APKs from the bundle, the app's signing key has to be held by Google (Play App Signing). Instead of developers signing app updates on their own build infrastructure, Google takes the bundle and produces the signed APKs itself.

The signature is what lets an Android device verify that an update comes from the same publisher as the currently installed app: an update whose signing certificate does not match is rejected. This is an important part of the ecosystem, because it prevents an attacker from shipping a malicious package that silently replaces a legitimately installed app. Google does let developers either upload their own app signing key or have Google generate one, but either way the key ends up stored in Google's infrastructure.

With Google holding the signing keys, the company gains considerably more control over Android app distribution. All app signing keys are centralised inside Google's infrastructure, so anyone who compromises the relevant parts of the Play Store could sign and publish updates for any app whose key it holds, without ever touching the developer's own systems.

Google itself could also publish an update to an app, for instance under a government order. Google already has the ability to silently install apps on Android devices; now it also holds the keys to each developer's app, and could comply with a request to push an unauthorised update to an app that is already installed.

Could a government agency compel Google to install a modified encrypted-messaging app on a target's device? Such an update could let the agency intercept messages without the target noticing anything. App Bundles and Google-held signing keys make this scenario at least theoretically possible.

Google's proposed mitigation is an optional "code transparency" mechanism. It gives developers and end users a way to check that the code in a downloaded APK matches what the developer uploaded in the bundle, which would expose this kind of tampering. The transparency file is signed with a separate key that stays with the developer, and it covers only executable code (DEX files and native libraries), not resources or the manifest.

However, Android itself does not check code transparency signatures; checking is left to bundletool and whatever tools the community builds around it. Code transparency is also entirely optional and only works if the APK actually contains the transparency file. Since Google already holds the key needed to sign a new APK, it could simply omit the transparency file from a tampered build, and a device would install it without complaint.
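As an illustration of what such a community check would look like, here is an added example (my own code, not Google's, bundletool's, or the Android platform's). It models the developer's side, which signs a list of the APK's code files and their SHA-256 digests as an RS256 JWT with a key that never goes to Google, and the verifying side, which fails closed when the file is missing, checks the signature, and then compares the signed list against the APK's actual DEX and native-library entries. Assumptions: the APK is modelled as a map of zip entry names to contents (a real tool would fill it with archive/zip); the entry name and JSON shape (`codeRelatedFile`, `path`, `sha256`) follow bundletool's documented format as I understand it, with APK-relative paths as a simplification; all file contents are constructed placeholders; function names are mine.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// APK models an APK's zip entries (name -> bytes); a real tool fills it from archive/zip.
type APK map[string][]byte

// Entry name bundletool uses for the code transparency file inside an APK.
const transparencyEntry = "META-INF/code_transparency_signed.jwt"

// Payload shape follows the JSON bundletool documents (code-related files with
// SHA-256 digests); APK-relative paths are this example's simplification.
type codeFile struct {
	Path   string `json:"path"`
	SHA256 string `json:"sha256"`
}
type payload struct {
	CodeRelatedFile []codeFile `json:"codeRelatedFile"`
}

var b64 = base64.RawURLEncoding

// Transparency covers executable code only: DEX bytecode and native libraries.
func isCode(name string) bool {
	return strings.HasSuffix(name, ".dex") || (strings.HasPrefix(name, "lib/") && strings.HasSuffix(name, ".so"))
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// signTransparency is the developer-side step: list every code file with its
// digest and sign the list as an RS256 JWT with a key Google never receives.
func signTransparency(apk APK, key *rsa.PrivateKey) (string, error) {
	var p payload
	for name, data := range apk {
		if isCode(name) {
			p.CodeRelatedFile = append(p.CodeRelatedFile, codeFile{name, digest(data)})
		}
	}
	body, _ := json.Marshal(p)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyTransparency is the check a community tool would run on a downloaded APK:
// fail closed if the file is absent, verify its signature with the developer's
// public key, then require the signed list and the APK's code to match exactly.
// The APK signature block (the key Play holds) plays no part in this check.
func verifyTransparency(apk APK, pub *rsa.PublicKey) error {
	parts := strings.Split(string(apk[transparencyEntry]), ".")
	if len(parts) != 3 {
		return fmt.Errorf("code transparency file missing or malformed")
	}
	// The algorithm is fixed here rather than read from the JWT header, so a
	// crafted token cannot downgrade the check by changing "alg".
	sig, _ := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return fmt.Errorf("transparency signature invalid: %w", err)
	}
	body, _ := b64.DecodeString(parts[1])
	var p payload
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	listed := map[string]string{}
	for _, f := range p.CodeRelatedFile {
		listed[f.Path] = f.SHA256
	}
	for name, data := range apk {
		if !isCode(name) {
			continue
		}
		if listed[name] != digest(data) {
			return fmt.Errorf("%s is not covered by, or differs from, the signed list", name)
		}
		delete(listed, name)
	}
	if len(listed) > 0 {
		return fmt.Errorf("%d signed code file(s) absent from the APK", len(listed))
	}
	return nil
}

// Scenarios runs the cases the text raises: an untouched APK, code modified
// after the developer signed, and the transparency file stripped out entirely.
func Scenarios() (clean, tampered, stripped error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	apk := APK{ // constructed placeholders, not real DEX or ELF content
		"classes.dex":                []byte("dex\n035\x00constructed"),
		"lib/arm64-v8a/libnative.so": []byte("\x7fELF constructed"),
		"res/values.xml":             []byte("<resources/>"),
	}
	jwt, _ := signTransparency(apk, key)
	apk[transparencyEntry] = []byte(jwt)
	clean = verifyTransparency(apk, &key.PublicKey)
	apk["classes.dex"] = []byte("dex\n035\x00modified") // changed after signing
	tampered = verifyTransparency(apk, &key.PublicKey)
	delete(apk, transparencyEntry) // a regenerated APK that simply omits the file
	stripped = verifyTransparency(apk, &key.PublicKey)
	return
}

func main() {
	c, t, s := Scenarios()
	fmt.Println("clean:", c, "\ntampered:", t, "\nstripped:", s)
}
```

The stripped case is the weakness the paragraph above describes: a device never runs this check, so only an external verifier that treats a missing file as a failure catches it, and only if users know which developer key to expect and care enough to run the check before installing.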

App bundles and third-party app stores

App Bundles are also a threat to the open nature of the Android ecosystem. In recent years, Google has claimed a stronger stewardship role over the platform, and App Bundles are another blow to third-party app stores, which distribute APKs directly.

Once developers are required to produce App Bundles, building an APK becomes a secondary step. It may only be a matter of time before Google removes APK builds from the official Android Studio release or further restricts direct APK installation.

For the time being, developers can download the signed APKs from the Play Console after uploading an App Bundle, or generate APKs locally from the bundle with bundletool. These APKs can be uploaded to a third-party app store, so there is no immediate threat to that distribution model, but it is an extra manual step. One caveat: a locally built APK only interoperates with the Play-distributed one if both are signed with the same key. If the developer kept a copy of the key they uploaded, that works; if Google generated the app signing key, a locally signed APK carries a different certificate and cannot update a copy installed from Play, or vice versa.

Google announced the compulsory switch to App Bundles just days after Microsoft announced Windows 11, which will support Android apps via the Amazon Appstore. The move to App Bundles has been under way for a few years, but the timing of making it mandatory now may be intended to limit the impact of the Microsoft and Amazon partnership, which only supports regular APKs.

Conclusion

The Android App Bundle is a new publishing format that delivers apps more efficiently than a single universal APK. Devices still receive APKs, but the set each device gets is tailored to its OS version, form factor, CPU architecture and locale.

App Bundles should be welcomed by most Android users, but they are not a perfect solution for developers or the broader Android ecosystem. The App Bundle model gives Google more control over how apps are distributed and requires handing over the app signing key, which opens the door to updates the developer never authorised, while also weakening third-party storefronts.

