Android apps have historically been distributed as APKs (Android Packages). An APK contains a compiled version of an app, along with critical media resources such as icons and sounds. They also include a manifest file, providing app information to the Android system, and a set of certificates and signing keys that verify the publisher’s identity.
In May 2018, Google launched a new app packaging format intended to address some of the shortcomings with APKs. Android App Bundles (AABs) fulfill the same role as APKs but with significant implementation differences.
At Google I/O 2021, Google announced that AAB will become the default Android app format. From the end of August, the Play Store will require new app publications to be submitted as an AAB. End users who only use the Play Store won’t need to do anything. For developers, the story’s a little more complicated.
App Bundle Benefits
AAB was originally introduced as a way to resolve some of the common packaging challenges in the Android ecosystem. Android runs on thousands of devices covering a huge range of screen sizes, performance baselines, and CPU architectures. The APK format doesn’t scale to meet this diversity as each package contains all the app’s resources.
If you install an app on your phone, you don’t really need to download the high-res tablet variants of its graphics. Yet with APK, you’ll normally get every variation, causing larger downloads and increased storage use. If a developer wants to offer more streamlined builds, they need to manually compile and sign multiple different APKs.
App Bundles take a different approach. By design, they “bundle” several different versions of an app into one logical package. The Play Store then sends only the relevant bits to each device which requests an install. It’ll produce the right bundle on-demand for each user, so an American user with a 10-inch Intel device will get a different download to a German individual with a 5-inch ARM phone. Crucially, devices still receive APKs – users won’t ever directly interact with an App Bundle. The difference is the APKs are generated dynamically, in the cloud.
App Bundles also benefit from simpler add-on module loading and enhanced support for large assets such as game content. According to Google, all of this typically results in a 15% reduction in download size, compared to the same app distributed as an APK.
What’s Changing For APKs?
Google will gradually phase out support for APKs from August 2021. New apps submitted to the Play Store will need to be issued as an app bundle. Existing APK-based apps will still be supported and developers will be able to keep issuing updates. These apps are described as “currently exempt,” suggesting updates might need to be released as AABs in the future.
According to Google, the change is being made so that more users will benefit from the App Bundle advantages. From a typical end user’s perspective, it is difficult to argue with the promise of App Bundles: smaller downloads and reduced storage space will be welcomed by many, particularly those on low-end devices and slow internet connections.
Users on older Android versions won’t see the benefits as their device will be unable to assemble “split” bundles into a functioning app. Outdated OS versions will still be able to install App Bundle apps from the Play Store though – the bundling system will realize it’s handling an older device and serve a regular all-in-one APK instead.
What About The Drawbacks?
While the headline benefits are undoubted, App Bundles have one significant drawback for developers and power users alike. As the App Bundle system centers on dynamic in-cloud generation of signed APKs, developers need to hand their app signing keys over to Google. Instead of developers signing app updates in their own build infrastructure, Google will take an App Bundle and convert it to signed APKs itself.
The signing process lets Android devices verify that updates come from the same publisher as the currently installed app. It’s a critical part of the ecosystem that prevents bad actors from producing malicious apps that silently overwrite genuine downloads. Google’s promising that developers will be able to supply their own keys but they’ll still need to be kept in the Play Store.
Trusting Google to store signing keys gives the company even more control of Android app distribution. Anyone who successfully compromised the Play Store could start to publish app updates to developer accounts, as all signing keys will be centralized within Google’s infrastructure.
Moreover, Google could now publish app updates itself, perhaps if a government compelled it to. It already has the ability to silently install apps on Android devices. Now it holds the keys to developer kingdoms, it could comply with requests to covertly install unapproved updates of existing apps.
Could a government agency get Google to install a modified encrypted messaging app on a target user’s device? Such a request could let the agency intercept messages, without the target being any the wiser. App Bundles and hosted signing make the scenario theoretically possible.
The risk is supposedly mitigated by a “code transparency” system. This is meant to give developers and end users a way to verify that downloaded APKs match the bundle that was submitted to the Play Store, eliminating the possibility of intrusion.
Android doesn’t actually check code transparency signatures though, so it’s up to the community to build out tooling around it. Furthermore, code transparency is entirely optional and only enabled when the APK includes a transparency file. As Google already holds the keys needed to generate new APKs, it could remove the code transparency file whenever it wanted to.
App Bundles and Third-Party App Stores
App Bundles are also a threat to the open nature of the Android ecosystem. In recent years, Google’s been asserting a stronger stewardship role. App Bundles are another knock against third-party app stores which offer direct APK downloads.
As developers will now need to compile App Bundles, APK builds are being sidelined. It could be only a matter of time before Google disables direct APK installation altogether, or removes APK build capabilities from official Android Studio releases.
For the time being, developers will be able to download signed standalone APKs from the Play Store, after they’ve submitted App Bundles. These APKs will be ready to upload to third-party app stores, so there’s no immediate risk to this deployment model. It’s still a developer inconvenience though – you’ve either got to manually download your signed APKs, or build them separately on your local machine.
Google announced the mandatory switch to App Bundles mere days after Microsoft unveiled Windows 11 with support for Android apps from the Amazon App Store. Although the shift to App Bundles has been a couple of years in the making, Google’s decision to make the move now could be intended to limit the impact of the Microsoft/Amazon partnership, which will only support regular APKs.
Android App Bundles are a new app compilation format with much greater efficiency than a regular APK. Although devices will still ultimately receive an APK, each one will be tailored specifically to the OS version, device form factor, and active locale.
While App Bundles should be welcomed by most Android users, they are not a perfect solution for developers and the wider Android ecosystem. The App Bundle model hands Google more control over app distribution, requiring the disclosure of signing keys which could make forced app updates a reality while threatening third-party storefronts.