Android applications are distributed in the form of APK(Android package) files: basically they are signed zip archives including all the code required to run the application on a device: resources, assets, dex code and native libraries(.so). When you installing an app from Google Play you download an APK file.
This approach worked relatively fine for almost 10 years, however it didn't age really well. There is a handful of problems with APKs.
Size
As you distribute the application for all the processors architectures you have to include native libraries for arm, armv7, x86 and mips. Libraries(.so) are pretty heavy.
You also need to include all the resources for different screen densities, sizes, layout, locales etc.
That means the end user downloads a lot of unnecessary data for her/his particular device driving the conversion low.
This concern is mitigated for example with ABI splitting: with some gradle modifications you can generate APKs including only the libraries for the target processors, so you get 4 apk files per release instead of one, but instead you save a lot of time and traffic for your end users.
Read more about versioning for APK splitting here.
You can do the same for screen densities as well:
However, the locale support seems to be missing.
Signature
When you distribute the app you want to be sure nobody is replacing your app with a cracked or alternated version on a user device. In order to do that both Android and iOS require the developer to sign the apps. The single approach existed for many years for Android apps was to generate and keep the keystore file locally and sign the apps with it, uploading a signed application. This approach despite being very simple brings major risks:
- If the keystore is lost or password is forgotten you lose the ability to update your app, forever
- If the keystore is stolen or accessed by a malicious agent you lose the control of your application.
- Even if you want just to revoke access from a developer leaving your company it may not be possible if you haven't setup everything properly from the very beginning.
This problem is solved now for APK with using the uploading keys. In order to use them you need to enroll in App Signing by Google Play.
Android Application Bundles or AAB
In order to solve all those problems the App Bundles and Uploading Keys were introduced couple of years ago. The change in the approach is that you don't have to worry about APK split any more and you don't worry about the final application signing. Everything is happening on the Google Play side. It repackages the bundle into APKs for different processors, locales and configurations, sign them with the key stored in Google Play, and serve the optimized APKs to the end users.
This bring additional benefits like dynamic feature modules, ability to split by locale, ease of signing and rotating the uploading keys and many more.
And you know what: you have to transition to App Bundles, as this will be a requirement starting in 2021. Checkout the related video: