Directus Asset
To Overview

How to sign an .aab file for app distribution

Directus Asset
Martin Mattli
November 27, 2024

In this blog post, I would like to explain briefly and concisely what exactly Android app signing is. I would like to show you what the differences and purposes are between AAB (Android App Bundle) and APK (Android Package) and how an .aab file can be signed correctly using Updraft Mobile App Distribution

What is Android app signing?

Android app signing is a crucial step in the app development and distribution process of Android applications. It involves using cryptographic signatures to ensure the authenticity and integrity of an .apk file before it's installed on a user's device. Listed are the key reasons why Android app signing is important.

Authenticity

Identity verification: Android app signing allows users and devices to verify that the APK was created by a specific developer or organization. Each Android app is signed with a unique certificate (usually tied to the developer), and this certificate is used to confirm the developer's identity.

Integrity

Tamper prevention: App signing ensures that the .apk file hasn't been modified or tampered with after it was signed. When an Android app is installed or updated, the Android OS-system checks the signature to ensure the .apk file's contents haven't been altered.

Protection from malware: Unsigned or tampered Android apps can be harmful, so the signing process helps reduce the risk of installing malicious software on users' devices.

Updates and version control

Ensuring consistent updates: When Android developers release updates, the Android system checks if the new app version of the app was signed with the same certificate as the original app was signed with. If the certificate doesn’t match, the system will prevent the update, ensuring users don’t install updates from unauthorized other sources.

App ownership: Only the original developer who holds the Android signing key can publish updates of their application. This prevents malicious actors from pushing updates to an app they don’t own.

Play Store requirement

Mandatory for Play Store distribution: Google Play requires all apps to be signed before they are uploaded to the Play Store. This ensures a high level of trustworthiness and allows Google to verify the developer.

Play App Signing: Google also offers the Google Play App Signing service, where developers can upload their signed .aab files. With some magic, Google generates the signed APKs which are then downloadable via the Play Store.

Multi-app interactions

Shared user IDs and permissions: If two or more apps are signed with the same certificate, they can share code and data between them. For instance, apps signed by the same developer can share user IDs and permissions, allowing for tighter integration.

Security and trust

Building user trust: Signing an APK reassures users that the app comes from a trusted source and has not been altered by a third party.

Cryptographic assurance: The process uses a cryptographic hash to verify both the developer’s identity and the app’s integrity. If the APK doesn’t match the signed hash, the installation will fail.

In summary, app signing in Android ensures that the app is trustworthy, helps to prevent unauthorized modifications (or at least shows that something is happening), ensures secure updates, and is necessary for distribution via the Play Store. It plays a critical role in maintaining the security and stability of the Android ecosystem.

What’s the difference between .aab and .apk files?

To understand how the app distribution works and why the .aab file has to be signed correctly if you want to submit an Android app to the Play Store, it is important to know the difference between an .aab file and an .apk file. The main difference between .aab and .apk files lies in how they package and distribute Android apps, as well as their role in app deployment.

Packaging format

AAB (Android App Bundle): A newer format introduced by Google in 2018. It contains all the resources (code, assets, etc.) of the app but isn't directly installable on an end user's device. Instead, Google Play uses it to generate optimized APKs for each specific user's device.

APK (Android Package): The traditional format for Android apps. An APK is a single package that contains all resources and code needed to install and run the app on a device.

Size and optimization

AAB: The .aab format is designed to optimize the app for specific devices. Google Play processes the .aab file and generates "split APKs" tailored to each device's configuration (e.g. screen size, CPU architecture or language). This means users' devices download only the configurations and assets they need, resulting in smaller app downloads and installations.

APK: APKs contain resources for all device configurations (languages, screen densities, CPU types, etc.), which makes them larger in size. Users download the entire APK, even if their device doesn't need certain resources.

App distribution

AAB: AABs are primarily used for distribution through the Google Play Store only. When developers upload an .aab file, Google Play handles generating optimized APKs for different devices. The .aab format allows for features like Play Feature Delivery (installing app features only when needed) and Play Asset Delivery (downloading large game assets in chunks).

APK: Can be distributed directly to users outside of Google Play (sideloading), or through alternative app stores. It's also commonly used for beta testing, sharing, or when distributing apps without Google Play involvement.

Development and testing

AAB: Developers need to upload the AAB to Google Play for the final APKs to be generated and distributed. Testing directly from an .aab file requires tools to generate APKs from the AAB for local use (e.g. using bundletool).

APK: Developers can directly generate and distribute APKs, making it easy to test or share without the involvement of Google Play.

Adoption

AAB: Since August  2021 Google mandates that new apps published on the Play Store use the .aab format.

APK: APKs remain relevant for non-Play Store distribution, sideloading and older app versions.

In short, AAB focuses on optimization and modular delivery via Google Play, while APK is the standard package format still widely used for direct installs and distribution.

How to sign an .aab file?

To sign an .aab file you can use the service of Updraft. With Updraft you don't need to install Android Studio, the command line or tools like jarsigner or zipalign. 

What you’ll need are a few key components to ensure the app is properly signed and ready for distribution (typically on the Google Play Store). Here’s what you need:

Keystore file (.jks or .keystore)

  • keystore is a file that contains your private key and public certificate.

  • It is used to sign your .aab file, ensuring the identity of the developer and maintaining integrity during updates

  • You can use an existing keystore file or generate a new one using Android Studio or the keytool command.

Key alias

  • Each key in a keystore is identified by a unique key alias.

  • The key alias is used to reference the specific key in the keystore when signing the app.

  • You must remember the key alias and the password associated with it.

Keystore password

  • keystore password is required to access the keystore file.

  • You must provide this password when signing your .aab file.

Key password

  • Each key inside the keystore is protected by a key password.

  • This password is needed to sign the .aab file with the correct key.

Unsigned app bundle

  • You need the actual Android App Bundle (.aab) file generated from your project. This can be built in Android Studio or via the Gradle command line.

Sign an .aab file with the help of Updraft

  1. Go to Updraft

  2. Open your app project

  3. Switch to your Android app

  4. In the application overview of your Android app you can add your keystore

  5. Add the .jks file of your keystore there

  6. Click on Save

  7. Now switch to the app builds of your Android app

  8. Upload the unsigned .aab file

Application overview in Updraft

.aab settings in Updraft

Your .aab file is now automatically signed with your keystore key. You will find your .aab file in the details of the build history. To do this, select the uploaded Android app and you will find the .aab file in the build details. You can now use this to send it to the Play Store.

 

Android re-signing done right

With Updraft, whether you're an Android developer or a no-coder, you can easily resign your .aab files without needing any programming skills or installing any software like Android Studio or Jarsignr on your computer - as long as you have your key components at hand. The process is simple and secure. All re-signing happens on secure servers based in Switzerland, giving you peace of mind. We're excited for you to try it out! If you have any questions, feel free to reach out at info@getupdraft.com or explore our documentation at docs.getupdraft.com. Android app re-signing has never been easier!