Unlike APKs, Android App Bundles cannot exist outside of Google Play and cannot be distributed outside of it. This means that developers switching from APK to App Bundles can no longer provide the exact same package or experience on other app sources unless they opt to maintain a separate APK version. This naturally puts third-party app stores at a disadvantage, but Google will most likely play up the Play Store’s security as a major reason to avoid those sources anyway.
Is this anything we have to worry about in terms of keeping apps available in the /e/ App store?
Will it impact Aurora?
Maybe this is a solved problem, I wasn’t actually sure.
Fortunately for them, Google Play Store’s Android App Bundle requirement, which becomes effective in August, only applies to new apps submitted to the app store. Of course, developers can voluntarily also adopt App Bundles if they want to improve the experience for users.
I won’t be so optimistic. It’s a common practice to replace an application with a new one (migration to Kotlin, new subcontractor, etc.). So from Google’s point of view: it’s a new application, full stop.
Only designated developers can sign a release APK
Other devs can verify the build (compile it locally, unpack the result, unpack the release candidate, compare)
Developer with access to release on GP uploads approved release candidate to GP and releases it
Clients who already have the app know that their phone will reject any new APK that is signed by a different key or that decreases the versionCode
Clients have to trust the developer and no man in the middle can slip in a modified version of the app that did not originate from the intended developer
My understanding of App Bundles
Developer shares signing key with Google!!!
Developer builds App Bundles
Upload App Bundles to GP (signed with a different key, authorizing the version to GP)
Google does its magic
Google signs all parts with the old signing key
Clients accept whatever comes from Google, if it's signed with the signing key
Google wants to get control and secure its monopoly.
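The "compile it locally, unpack the result, unpack the release candidate, compare" step from the APK model above can be scripted. The following is an added example, not code posted in this thread or shipped by /e/ or Aurora: it hashes every zip entry of two APKs and reports mismatches, skipping only the META-INF signature files that v1 (JAR) signing adds, since those are the one legitimate difference between an unsigned local build and the signed release candidate. The sample "APKs" are constructed in-memory zips that stand in for real builds.

```python
"""Compare a locally built APK against a signed release candidate, entry by entry."""
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple

# Files that v1/JAR signing adds or rewrites. v2/v3 signatures live in the APK
# Signing Block between the zip entries and the central directory, so they are
# never zip entries and need no special-casing in an entry-level comparison.
SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for META-INF/MANIFEST.MF, META-INF/CERT.SF, META-INF/CERT.RSA and friends."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of the decompressed content of every non-signature entry."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_build: bytes, release_candidate: bytes) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {entry: (local_sha256, release_sha256)} for every entry that differs or is missing on one side.

    An empty dict means the release candidate carries exactly the payload the
    reviewing developer built; hashing decompressed content makes zip timestamps,
    compression level and zipalign padding irrelevant.
    """
    local = entry_digests(local_build)
    release = entry_digests(release_candidate)
    diffs = {}
    for name in sorted(set(local) | set(release)):
        if local.get(name) != release.get(name):
            diffs[name] = (local.get(name), release.get(name))
    return diffs


def build_fake_apk(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample: a zip with the given entries, standing in for a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed payload of the local, unsigned build (not a real app).
LOCAL_ENTRIES = {
    "AndroidManifest.xml": b"<manifest versionCode=42/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode",
    "resources.arsc": b"constructed-resources",
}
# Release candidate: identical payload plus the v1 signature files the signer adds.
RELEASE_ENTRIES = dict(LOCAL_ENTRIES)
RELEASE_ENTRIES.update({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed-pkcs7-blob",
})
# Tampered candidate: same signature files, but classes.dex is not what was reviewed.
TAMPERED_ENTRIES = dict(RELEASE_ENTRIES)
TAMPERED_ENTRIES["classes.dex"] = b"dex\n035\x00constructed-bytecode-plus-extra"


def verify_release_candidate() -> Tuple[Dict, Dict]:
    """Run the comparison against the good and the tampered constructed candidates."""
    local = build_fake_apk(LOCAL_ENTRIES)
    good = build_fake_apk(RELEASE_ENTRIES)
    bad = build_fake_apk(TAMPERED_ENTRIES)
    return compare_apks(local, good), compare_apks(local, bad)


if __name__ == "__main__":
    good_diffs, bad_diffs = verify_release_candidate()
    print("release candidate matches local build:", not good_diffs)
    print("tampered candidate mismatches:", sorted(bad_diffs))
```

On real builds, an empty result still depends on the build being reproducible in the first place (no embedded timestamps or build paths in resources.arsc or the dex files); when a mismatch shows up, diffoscope on the two extracted trees is the usual next step. This check covers the APK model only: with App Bundles the artifact the user installs is produced and signed on Google's side, so there is no single release candidate for the other developers to rebuild and compare against.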
Question: with the new bundles, it sounds as though more information about the device will need to be communicated upstream to know which pieces of the bundle need to be separated and put back together before being downloaded and installed.
Will more information about the end user’s device be needed and shared during that process vs the process with current .apks?
If so, what are the privacy implications? Additional info for fingerprinting?