Android App Bundles are replacing APKs

This bit caught my eye:

Unlike APKs, Android App Bundles cannot exist outside of Google Play and cannot be distributed outside of it. This means that developers switching from APK to App Bundles can no longer provide the exact same package or experience on other app sources unless they opt to maintain a separate APK version. This naturally puts third-party app stores at a disadvantage, but Google will most likely play up the Play Store’s security as a major reason to avoid those sources anyway.

Is this anything we have to worry about in terms of keeping apps available in the /e/ App store?

Will it impact Aurora?

Maybe this is a solved problem, I wasn’t actually sure.


Better ask Rahul using his Telegram channel :wink:

Fortunately for them, Google Play Store’s Android App Bundle requirement, which becomes effective in August, only applies to new apps submitted to the app store. Of course, developers can voluntarily also adopt App Bundles if they want to improve the experience for users.

This will give us some time :wink:

I won’t be so optimistic. It’s a common practice to replace an application with a new one (migration to Kotlin, new subcontractor, etc.). So from Google’s point of view: it’s a new application, full stop.


My understanding of current security

Only designated developers can sign a release apk

Other devs can verify the build (compile it locally, unpack the result, unpack the release candidate, compare)

Developer with access to release on GP uploads approved release candidate to GP and releases it

Clients who already have the app know that their phone will reject any new APK that is signed by a different key or that decreases the versionCode

Clients have to trust the developer and no man in the middle can slip in a modified version of the app that did not originate from the intended developer

My understanding of App Bundles

Developer shares signing key with Google!!!

Developer builds App Bundles

Upload App Bundles to GP (signed with a different key, authorizing the version to GP)

Google does its magic

Google signs all parts with the old signing key

Clients accept whatever comes from Google, if it's signed with the signing key

Google wants to get control and secure its monopoly.


From “Aurora Store” Telegram channel:

𝙎𝙮𝙣𝙩𝙝𝙚𝙩𝙞𝙘 𝙋𝙤𝙡𝙮𝙢𝙚𝙧, [03.07.21 06:37]
[Forwarded from Rahul Patel]
We already have support for aab.


This article does not paint the picture quite so bleak.


Question: with the new bundles, it sounds as though more information about the device will need to be communicated upstream to know what pieces of the bundle need to be separated and put back together before being downloaded and installed.

Will more information about the end user’s device be needed and shared during that process vs the process with current .apks?

If so, what are the privacy implications? Additional info for fingerprinting?
