This article is more than 1 year old

Android devs prepare to hand over app-signing keys to Google from August

Android App Bundle required, APK submission no longer allowed

Google will require mobile developers to use an Android App Bundle for submitting applications to its Play Store from August 2021, optimising distribution and also requiring Google to hold the developer's private signing key.

Dom Elliott, Google Play product manager said that from next month: "This will replace the APK as the standard publishing format."

The APK (Android Package) format will still be used on the device, but the idea of the App Bundle is that when a device requests the installer from Google Play, it will receive an APK optimised for the device rather than a universal APK prepared by the developer.

App Bundles also enable additional features, described here. On-demand delivery lets developers offer feature modules which are downloaded as required, reducing the size of the application for those who do not use those features.

Conditional delivery is a variation on the same theme, where certain modules may be installed only in certain countries, or if a device has certain hardware features.

Instant delivery lets developers configure a small base module and feature module (below 10MB) that can be tried by users without a full install.

Applications requiring large assets (generally games) formerly used OBB (Opaque Binary Blob) expansion files, but can now use Play Asset Delivery, with assets hosted by Google, offering several delivery modes. Play Asset Delivery is more secure, since OBBs are not signed.

Elliott called this "Modern Android Distribution" and said the "majority of the top 1,000 apps and games on Google Play" already use App Bundles.

There is one aspect giving developers pause for thought, though, which is that using App Bundles requires enrolling in a scheme called Play App Signing.

"With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your APKs for distribution," the docs explained. This is a departure from the old APK submission, where developers can sign with their own key.

Google's documentation for signing with a developer-managed key is full of warnings. "If you lose or misplace your key, you will not be able to publish updates to your existing app. You cannot regenerate a previously generated key. Your reputation as a developer entity depends on you securing your app signing key properly, at all times, until the key is expired," it says.

On the other hand, using Play App Signing means agreeing to give existing app-signing keys to Google and that Google can generate APKs, modify them, and sign them on the developer's behalf.

Google has said: "Your keys are stored on the same infrastructure that Google uses to store its own keys. Keys are protected by Google's Key Management Service."

Keep a copy

There is an option to keep a copy of the signing key locally, provided that it is also given to Google.

The Android App Bundle is a unique feature of Google's Play Store. Developers who wish to distribute through other channels, such as other app stores or direct downloads for users who allow installation from "unknown sources," can still do so.

It is possible to download distribution APKs from the Play Store, or to build APKs for distribution elsewhere, and to sign them with either the same key used by Google (if a copy is retained) or with a different key.

Google also has an optional feature intended to reassure developers, called Code transparency for app bundles. This uses a second signing key, held only by the developer, and can be used to verify that the APK delivered by the Play Store matches what the developer built, subject to some limitations.

This verification is "used solely for the purpose of inspection by developers and end users" – it is not enforced by Android or by Google in any other way.

Another aspect of "Modern Android Distribution" is that it underlines the advantages Google has in controlling app delivery on what is, after all, its own platform.

Efforts such as those by Microsoft/Amazon to enable Android apps to run on Windows 11 cannot use Android App Bundles or any Google Play Services, so they have to first persuade developers to support their Store as well as the Play Store, and second, to provide alternatives to any Play Services APIs that the app requires. ®

More about

TIP US OFF

Send us news


Other stories you might like