Requirements for a Publishable APK File in Your Android App

By Barry Burd

When you create an Android app that runs on an emulator or a device, Android Studio packages your app in an APK file — one file specially formatted to contain all your app’s code and all your app’s data. While you’re still developing and testing your app, this APK file is fairly primitive. It doesn’t have any of the bells and whistles that the Play Store requires for real, distributable apps.

An app that’s ready for release requires a much more solid APK file. Here are some details:

  • The APK file must contain your own digital signature.

    A digital signature is a sequence of bits that only you (and no one else) can provide. If your APK file contains your digital signature, then no one can pretend to be you. (No one can write a malicious version of your app and publish it on the Play Store site.)

    When you use Android Studio to create your own digital signature, the signing key that produces it is stored in a keystore file in a directory on your computer’s hard drive. You can’t examine this file with an ordinary text editor (with Notepad or with TextEdit, for example), but you should treat that directory the way you treat any other confidential information. Do whatever you normally do with data to prevent the loss of the data and to keep others from using it. (If you lose the keystore, you can no longer sign updates to the app; if someone else gets it, they can.)

    For scenarios that require more security (scenarios not normally associated with mobile devices), a developer can get help from a certificate authority. A certificate authority is an organization that issues digital certificates — certificates vouching for a signing key in a way that the world recognizes as very trustworthy. To get such a certificate, you convince a certificate authority that you are who you claim to be, and you pay some money.

  • The code must be obfuscated.

    Obfuscated code is confusing code. And, when it comes to foiling malicious hackers, confusing code is good code. If other people can make sense of your Java code, they can steal it. They can make money off of your ideas, or they can add snippets to your code to rob users’ credit card accounts.

    You want developers on your team to read and understand your code with ease, but you don’t want some outsider to understand your code. That’s why Android Studio creates an APK file with obfuscated code when code shrinking is enabled for the release build. (Obfuscation raises the cost of reverse engineering; it does not make the code unreadable, so it’s no substitute for keeping secrets such as API keys out of the app in the first place.)

  • The code must be zipaligned.

    A zipaligned APK has its uncompressed entries aligned on 4-byte boundaries, so Android can map them directly from the file instead of copying them into memory, which makes the app use less RAM. Fortunately, Android Studio zipaligns your code (and does so behind your back, without any intervention on your part).
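As a check on the first requirement in the list (the digital signature), here is an added example in Python; it is not code from this article or from the Android tooling. It reports which signature artifacts an APK carries: the JAR-style signature files under META-INF/ and the IDs stored in the APK Signing Block that the v2 and v3 signature schemes use. It only detects presence; it does not verify any signature (apksigner verify does that). The sample APK it builds is constructed in memory with placeholder contents and a fake signing block, and the dummy pair values are assumptions of this example.

```python
import io
import struct
import zipfile

# Documented layout of the APK Signing Block (APK Signature Scheme v2/v3):
# it sits immediately before the ZIP central directory and ends with a 16-byte magic.
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
KNOWN_BLOCK_IDS = {0x7109871A: "v2 signature", 0xF05368C0: "v3 signature"}
V1_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def central_directory_offset(apk: bytes) -> int:
    """Find the end-of-central-directory record and return the central directory offset."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK file: no end-of-central-directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]


def report_signatures(apk: bytes) -> dict:
    """Report which signature artifacts an APK carries (presence only, no verification).

    'v1_files' lists JAR-signature files under META-INF/; 'block_ids' lists the
    ID-value pair IDs found in an APK Signing Block (empty if there is none)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        v1_files = [n for n in zf.namelist()
                    if n.startswith("META-INF/") and n.upper().endswith(V1_SUFFIXES)]
    block_ids = []
    cd_off = central_directory_offset(apk)
    if cd_off >= 32 and apk[cd_off - 16:cd_off] == SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", apk, cd_off - 24)[0]   # size field excludes itself
        start = cd_off - size - 8
        if start >= 0 and struct.unpack_from("<Q", apk, start)[0] == size:
            pos, end = start + 8, cd_off - 24
            while pos + 12 <= end:                               # uint64 length + uint32 ID
                pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
                block_ids.append(KNOWN_BLOCK_IDS.get(pair_id, f"unknown 0x{pair_id:08x}"))
                pos += 8 + pair_len
    return {"v1_files": v1_files, "block_ids": block_ids}


def build_sample_apk(v1: bool = False, block_ids=()) -> bytes:
    """Construct a toy APK: placeholder entries, optional fake v1 signature files and an
    optional fake APK Signing Block carrying the given IDs (dummy values, no real crypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")      # placeholder, not binary XML
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7")
    apk = buf.getvalue()
    if not block_ids:
        return apk
    eocd = apk.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + 8, i) + b"\0" * 8 for i in block_ids)
    size = len(pairs) + 8 + 16                                    # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    patched = apk[:cd_off] + block + apk[cd_off:]                 # splice block before the CD
    new_eocd = eocd + len(block)                                  # then fix the CD offset in EOCD
    return patched[:new_eocd + 16] + struct.pack("<I", cd_off + len(block)) + patched[new_eocd + 20:]


if __name__ == "__main__":
    print("unsigned:", report_signatures(build_sample_apk()))
    print("signed:  ", report_signatures(build_sample_apk(v1=True, block_ids=(0x7109871A, 0xF05368C0))))
```

Run the script on its own to see the two reports, or call report_signatures() on the bytes of a real release APK; a debug build will typically show only a v1 file list or an empty report, while a Play-ready build shows a signing block too.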
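To show what zipalign actually does to the file, here is an added Python example; it is not the article's code or the Android SDK's. It walks an APK's local file headers, reports every uncompressed entry whose data does not start on a 4-byte boundary, and builds an aligned archive by padding each such entry's extra field, which is the same trick zipalign uses. The sample entries are constructed placeholders, and the padding tag value is an assumption of this example.

```python
import io
import struct
import zipfile

LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # the 30-byte ZIP local file header
LOCAL_HEADER_SIG = 0x04034B50
ALIGN = 4
PAD_TAG = 0xD935                    # extra-field ID for padding (assumed value for this example)

# Constructed placeholder entries, not a real app's files.
SAMPLE_ENTRIES = [
    ("AndroidManifest.xml", b"<manifest/>", zipfile.ZIP_STORED),
    ("classes.dex", b"dex\n035\0" + bytes(range(64)), zipfile.ZIP_DEFLATED),
    ("res/raw/config.bin", bytes(range(16)), zipfile.ZIP_STORED),
    ("resources.arsc", b"placeholder-table", zipfile.ZIP_STORED),
]


def stored_entry_offsets(apk: bytes):
    """Yield (name, data_offset) for every uncompressed (STORED) entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for zi in zf.infolist():
            fields = struct.unpack_from(LOCAL_HEADER_FMT, apk, zi.header_offset)
            if fields[0] != LOCAL_HEADER_SIG:
                raise ValueError(f"bad local header for {zi.filename}")
            name_len, extra_len = fields[9], fields[10]
            if zi.compress_type == zipfile.ZIP_STORED:
                yield zi.filename, zi.header_offset + 30 + name_len + extra_len


def misaligned_entries(apk: bytes, align: int = ALIGN):
    """Return [(name, offset)] for stored entries that zipalign would have to move."""
    return [(name, off) for name, off in stored_entry_offsets(apk) if off % align]


def build_apk(entries, aligned: bool, align: int = ALIGN) -> bytes:
    """Write a ZIP from (name, data, compress_type) triples; with aligned=True, pad the
    extra field of each stored entry so its data begins on an `align`-byte boundary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, ctype in entries:
            zi = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zi.compress_type = ctype
            if aligned and ctype == zipfile.ZIP_STORED:
                data_start = zf.fp.tell() + 30 + len(name.encode("utf-8"))
                pad = (-data_start) % align
                if pad:
                    pad += 4   # an extra field needs a 4-byte ID/length header of its own
                    zi.extra = struct.pack("<HH", PAD_TAG, pad - 4) + b"\0" * (pad - 4)
            zf.writestr(zi, data)
    return buf.getvalue()


def read_entry(apk: bytes, name: str) -> bytes:
    """Read one entry back, proving the padded archive is still a valid ZIP."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    for label, apk in (("unaligned", build_apk(SAMPLE_ENTRIES, aligned=False)),
                       ("aligned", build_apk(SAMPLE_ENTRIES, aligned=True))):
        print(label, "misaligned stored entries:", misaligned_entries(apk))
```

Compressed entries are skipped on purpose: Android inflates them into memory anyway, so only stored entries (resources, assets, native libraries) gain from alignment, which is exactly the set zipalign touches.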