Android apps were previously distributed as APKs (Android Packages). The APK contains the compiled version of the app, along with important resources like icons and sounds. They also include a manifest file, which provides application information to the Android system, and a set of certificates and keys that verify the identity of the app publisher.
In May 2018, Google rolled out a new app packaging format to address some of the shortcomings of APKs. Android App Bundles (AAB) are similar to APKs but with significant implementation differences.
At Google I/O 2021, Google announced that AAB will become the default Android app format. From the end of August, CHPlay will require submission of new applications as AAB. End users using only CHPlay will not need to do anything. For developers, the story is a bit more complicated.
Benefits of AAB
AAB was originally introduced as a way to solve some of the common packaging challenges in the Android ecosystem. Android runs on thousands of devices with a variety of screen sizes and CPU architectures. The APK format cannot accommodate this variety because each package contains all of the application’s resources.
If you install an app on your phone, you don’t need to download different resolution variants of that app. With APKs, however, you’ll typically have to download every variant, which uses up more memory and network bandwidth. If developers want to deliver more streamlined builds, they need to compile and set up various APK files manually.
The App Bundle (AAB) takes a different approach. By design, an AAB “bundles” several different versions of the app into one streamlined package. CHPlay then sends only the relevant bits to each device that installs the app. It produces the right package on demand for each user, so a user with a 10-inch Intel device will get a different download than someone with a 5-inch ARM phone. Importantly, the devices still receive APK files – the user will never interact directly with the AAB. These APK files are generated dynamically in the cloud.
The App Bundle also benefits from simpler loading of additional modules and enhanced support for massive content like games. According to Google, AAB will reduce the download size by 15% compared to the same app distributed as an APK.
What happens to the APK?
Google will gradually remove support for APK formats from August 2021. New applications submitted to CHPlay must be in AAB format. Existing APK-based apps will still be supported and developers can continue to release updates. These apps are described as “currently exempt,” indicating that updates may need to be released as AAB in the future.
According to Google, this change is being made so that more users benefit from the advantages of the App Bundle. From an end-user perspective, App Bundles take up less storage space, which is good for users who have low-end devices and slow internet connections.
Users on older Android versions won’t get this benefit because their device won’t be able to assemble “split” packages into a working app. Even so, outdated OS versions can still install AAB apps from CHPlay – the AAB system will notice that it’s dealing with an old device and will serve the APK file as usual.
Limitations of AAB?
Although the benefits of AAB are many, the App Bundle has a significant drawback for developers as well as advanced users. Because the App Bundle system focuses on creating dynamic APK files in the cloud, developers need to transfer their app keys to Google. Instead of developers signing app updates in their own infrastructure, Google will take the AAB and convert it into a signed APK.
Signing allows Android devices to verify that updates come from the same developer as the installed app. This is an important part of the ecosystem that helps prevent bad guys from creating malicious apps that overwrite genuine downloads. Google promises that developers will be able to provide their own signing keys, but they still need to be kept in the Play Store.
Trusting Google to store the signing key gives the company better control over the distribution of Android apps. But anyone who successfully hacks CHPlay can issue app updates because all the signing keys are centralized in Google’s infrastructure.
So can a government agency ask Google to install a modified app on a criminal’s device? Such a request could allow the agency to view messages between criminals. Google could theoretically do so because Google holds the developer’s app signing key.
The “code transparency” system will prevent that from happening. It is intended to give developers and end users a way to verify that downloaded APK files match the APK submitted to CHPlay and to rule out the possibility of Google being compromised.
However, code transparency is completely optional and is only enabled when the APK includes a transparency file. Since Google already holds the keys needed to create a new APK file, Google can delete the transparency file whenever it wants.
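The caveat above, that a missing transparency file is not the same as a passed check, can be shown with a simplified model (an added example, not Google's or any project's code). The file path, the JSON layout and the digest the developer publishes out of band are assumptions of this model, and the APKs are in-memory ZIP files constructed for the example.

```python
import hashlib
import io
import json
import zipfile
from typing import Optional

# Assumed path and layout: a JSON map {code file path: sha256 hex}.
TRANSPARENCY_PATH = "META-INF/code_transparency.json"
CODE_SUFFIXES = (".dex", ".so")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_apk(apk_bytes: bytes, pinned_digest: Optional[str]) -> str:
    """Return 'verified', 'mismatch', 'stripped' or 'unverifiable'."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        if TRANSPARENCY_PATH not in names:
            # Optional scheme: absence only counts as a failure when the
            # developer announced out of band that the app ships the file.
            return "stripped" if pinned_digest else "unverifiable"
        if pinned_digest is None:
            return "unverifiable"  # nothing independent to anchor the file to
        raw = apk.read(TRANSPARENCY_PATH)
        if sha256(raw) != pinned_digest:
            return "mismatch"  # the manifest itself was replaced
        expected = json.loads(raw)
        # A split APK carries a subset of the bundle's code, so each code
        # file present must be listed with the same hash; extras fail.
        for name in names:
            if name.endswith(CODE_SUFFIXES) and expected.get(name) != sha256(apk.read(name)):
                return "mismatch"
        return "verified"

def build_apk(files: dict) -> bytes:
    """Build an in-memory ZIP standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not taken from any real app.
CODE = {"classes.dex": b"dex-v1", "lib/arm64-v8a/libapp.so": b"so-v1"}
MANIFEST = json.dumps({n: sha256(d) for n, d in CODE.items()}).encode()
PIN = sha256(MANIFEST)  # digest the developer publishes out of band
GENUINE = build_apk({**CODE, TRANSPARENCY_PATH: MANIFEST})
TAMPERED = build_apk({**CODE, "classes.dex": b"dex-v2", TRANSPARENCY_PATH: MANIFEST})
STRIPPED = build_apk({"classes.dex": b"dex-v2"})

if __name__ == "__main__":
    for label, apk in [("genuine", GENUINE), ("tampered", TAMPERED), ("stripped", STRIPPED)]:
        print(label, check_apk(apk, PIN))
```

Without an out-of-band reference the checker can only answer "unverifiable", which is the practical consequence of the scheme being optional.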
App Bundle and third-party app stores
The App Bundle is also a threat to the open nature of the Android ecosystem. In recent years, Google has been managing the ecosystem more aggressively. The App Bundle is another blow to third-party app stores that provide APK files.
Since developers will now need to compile App Bundles, APK builds are being phased out. It may just be a matter of time before Google ditches APK files entirely or removes the ability to generate APKs from Android Studio.
Google announced the mandatory switch to App Bundles just days after Microsoft announced Windows 11 support for Android apps from the Amazon App Store. Although the move to App Bundles has been under way for several years, the timing of Google’s decision may be intended to limit the impact of Microsoft/Amazon.
Android App Bundles are a new app aggregator format with much higher performance than regular APKs. While users will still receive APKs, each APK will be specifically tailored to the device it’s installed on.
While App Bundles should be welcomed by most Android users, they are not the perfect solution for Android developers and the Android ecosystem. The App Bundle model gives Google more control over app distribution, requires developers to hand over their signing keys, and could threaten third-party app stores.