Android App Bundle & Google App Signing
Google announced over in 2020 that all new apps will be required to upload the AAB format and gave it a hard deadline of August 2021. There were a lot of opinions at the time about the ramifications and I wanted to take the opportunity to analyze what AAB and Google App Signing each do and how they impact each other, end users, and developers.
AAB Format
To start - AAB is a format that lets Google Play and potentially other Android distribution platforms know how to split up your universal APK into the specific slice any given user needs. This results in smaller APKs, optimizations like shared native libraries, and the ability to dynamically deliver parts of an app. It does this using the open sourced bundletool. You can use it to bundle and then extract the split APKs or you can run the assembleBundle
Gradle task and upload the resulting AAB file to however many stores you want to publish to. So how does the format lock anyone in?
The controversial part of the AAB format is all about the signing requirement.
If you build and upload an Android App Bundle, you must enroll in app signing by Google Play.
Store App Signing
This allows Google to have a copy of your private keystore so that it can reassemble and sign your app to distribute. This is required in order to operate on the AAB format.
Should you let Google generate the original signing key and not have a copy for yourself? That seems like a silly option and its strange that it is the default - though it does make sense as it is easier for brand new Android developers who aren't familiar with the keystore creation process. But the downside of that option is it prevents publishing an app with the same signature across multiple stores - I know very few places that do this. My viewpoint is American and Google Play Store centric, so take that with a grain of salt.
What are the benefits?
In terms of risk mitigation - I've seen original private keys lost on several projects (and also seen posts on /r/androidev about it) - which is a crazy gotcha when getting started as an Android developer.
For users it enables all of the optimizations and dynamic delivery features that Google has been pushing with the AAB format: dramatically smaller file sizes simply make the Android ecosystem a faster and more accessible experience.
Future
Huawei already supported AAB & app signing[1] as of mid-2021. You're probably going to see other stores support AAB & store app signing eventually. Even in such a world it doesn't seem like any of this is actually platform lock-in - as long as we all keep our original private keys and consistently use them in the different stores. Otherwise yeah our apps will have different signatures on different stores, which would prevent an end user from downloading/upgrading your app from a store if they already have it installed from another store – which sounds only slightly annoying and just a couple more 1 star reviews in the endless tide.
1: Thanks to /u/_ALH_ for pointing out Huawei already implemented app signing.