Google announced the Android App Bundle AAB  in 2018 and it looked like a good idea - better than the APK we have all been used to. Now it has been announced that in August 2021 the APK will be phased out in favour of the AAB. Is this equally as good? Or is Google simply making the Play store walls higher and stronger.

Android is open source, sort of. It should be the free alternative to iOS, but slowly Google has been moving it in the same, walled-garden direction, with the Play store being the control mechanism. If you want to see how tough it is to work with Android without Google just consider the problems that Huawei had making an Android phone when they were denied access to the Play store. 

The announcement is clear enough:

Google Play will start requiring new apps to be published with the Android App Bundle starting August 2021. This will replace the APK as the standard publishing format.

At the moment existing apps don't have to move from APKs to AABs.

The AAB is 15% smaller than the APK and much more flexible but it ties you into the Play store much more than ever before. The existence of APKs has made it easier for third-party Android stores to exist and side loading apps is currently easy, if not completely risk-free. The AAB is much more locked down than the APK and all this change is very much about security - but some suspect that Google are using security to make the Play store even more of a walled garden.

There are some surprising aspects of the AAB. The first is that you have to upload your private code signing key to Play App Signing - Google's secure infrastructure. It is Google who will sign your code for you and it promises:

"Soon, Play App Signing will start rolling out APK Signature Scheme v4 to select apps making it possible for them to optionally access upcoming performance features available on newer devices."

What does this mean exactly? Is Google promising to change your signed code to optimize it? It sounds like it. Would you give Google your private key so that they could change anything they felt like? It seems to negate the whole point of having a private key.

On the subject of other app stores offering Android apps, Google says that this is easy. You can keep a copy of your private key locally - nice of them - and use it to sign versions for other channels. You can also download APKs from the Play store using the app bundle explorer. However, the need to use the Play store to download what used to be extension files means things might not be quite as simple. There is no suggestion that other app stores could support ABBs.

This might well result in developers seeing the Play store as the only sensible outlet for their creations and it creates an interesting problem for the Amazon app store and the upcoming Windows 11 which is relying on APKs to side load Android apps.

There are many accounts of this development that make it sound as iif Google has finally put the last brick in the walled garden. If this was true it would be bad timing with app ecosystems coming under scrutiny as monopolies. I don't think Google is this clumsy, but its announcement lacks a lot in clarity. The fact that the Play store is no longer using APKs doesn't mean that other stores are being forced to stop using them. As long as we go to the extra trouble of creating APKs then all's well. However, to do this you have to give your private signing key to Google - this seems less than acceptable.

At the end of the day, all we really have is an unsettling feeling that Google is "up to something" that is restrictive and designed to tie us ever more strongly to Google's version of Android. But pinning down exactly what it is they are doing is more difficult. I guess we just don't trust them.

More Information

The future of Android App Bundles is here

Related Articles

Android Studio 4.2 Released

Android Jetpack Confusion As V1 Approaches

Oracle V Google Android Case Settled

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info