Understanding APK packaging in Android Studio 2.2

Posted by Wojtek Kaliciński, Android Developer Advocate


Android Studio 2.2 launched recently with href="http://android-developers.blogspot.com/2016/09/android-studio-2-2.html">many
new and improved features. Some of the changes are easy to miss because they
happened under the hood in the Android Gradle plugin, such as the newly
rewritten integrated APK packaging and signing step.






APK Signature Scheme v2



With the introduction of the new href="https://source.android.com/security/apksigning/v2.html">APK Signature
Scheme v2 in Android 7.0 Nougat, we decided to rewrite how assembling APKs
works in the Android Gradle plugin. You can read all about the low-level
technical details of v2 signatures in the href="https://source.android.com/security/apksigning/v2.html">documentation,
but here's a quick tl;dr summary of the info you need as an Android app
developer:


  • The cryptographic signature of the APK that is used to verify its integrity
    is now located immediately before the ZIP Central Directory.
  • The signature is computed and verified over the binary contents of the whole
    APK file, as opposed to decompressed file contents of each file in the archive
    in v1.
  • An APK can be signed by both v1 and v2 signatures at the same time, so it
    remains backwards compatible with previous Android releases.


Why introduce this change to how Android verifies APKs? Firstly, for enhanced
security and extensibility of this new signing format, and secondly for
performance - the new signatures take significantly less time to verify on the
device (no need for costly decompression), resulting in faster app installation
times.



The consequence of this new signing scheme, however, is that there are new
constraints on the APK creation process. Since only uncompressed file contents
were verified in v1, that allowed for quite a lot of modifications to be made
after APK signing - files could be moved around or even recompressed. In fact,
the zipalign tool which was part of the build process did exactly
that - it was used to align ZIP entries on correct byte boundaries for improved
runtime performance.



Because v2 signatures verify all bytes in the archive and not individual ZIP
entries, running zipalign is no longer possible after
signing
. That's why compression, aligning and signing now happens in a
single, integrated step of the build process.



If you have any custom tasks in your build process that involve tampering with
or post-processing the APK file in any way, please make sure you disable them or
you risk invalidating the v2 signature and thus making your APKs incompatible
with Android 7.0 and above.



Should you choose to do signing and aligning manually (such as from the command
line), we offer a new tool in the Android SDK, called href="https://developer.android.com/studio/command-line/apksigner.html?utm_campaign=android_discussion_api_111016&utm_source=anddev&utm_medium=blog">apksigner,
that provides both v1 and v2 APK signing and verification. Note that you need to
run zipalign before running apksigner
if you are using v2 signatures. Also remember the jarsigner tool
from the JDK is not compatible with Android v2 signatures, so you can't use it
to re-sign your APKs if you want to retain the v2 signature.


In case you want to disable adding v1 or v2 signatures when building with the
Android Gradle plugin, you can add these lines to your href="https://google.github.io/android-gradle-dsl/current/com.android.build.gradle.internal.dsl.SigningConfig.html">signingConfig
section in build.gradle:

class="prettyprint">v1SigningEnabled false
v2SigningEnabled false


Note: both signing schemes are enabled by default in Android Gradle plugin 2.2.


Release builds for smaller APKs



We took this opportunity when rewriting the packager to make some optimizations
to the size of release APKs, resulting in faster downloads, href="http://android-developers.blogspot.co.uk/2016/07/improvements-for-smaller-app-downloads.html">smaller
delta updates on the Play Store, and less wasted space on the device. Here
are some of the changes we made:


  • Files in the archive are now sorted to minimize differences between APK
    builds.
  • All file timestamps and metadata are zeroed out.
  • Level 6 and level 9 compression is checked for all files in parallel and the
    optimal one is used, i.e. if L9 provides little benefit in terms of size, then
    L6 may be chosen for better performance
  • Native libraries are stored uncompressed and page aligned in the APK. This
    brings support for the android:extractNativeLibs="false" option
    from Android 6.0 Marshmallow and lets applications use less space on the device
    as well as generate smaller updates on the Play Store
  • Zopfli compression is not used to better support Play Store update
    algorithms. It is not recommended to recompress your APKs with Zopfli.
    Pre-optimizing individual resources such as PNG files in your projects is still
    fine and recommended.


These changes help make your releases as small as possible so that users can
download and update your app even on a slower connection or on less capable
devices. But what about debug builds?


Debug builds for installation speed



When developing apps you want to keep the iteration cycle fast - change code,
build, and deploy on a connected device or emulator. Since Android Studio 2.0
we've been working to make all the steps as fast as possible. With Instant Run
we're now able to update only the changed code and resources during runtime,
while the new Emulator brings multi-processor support and faster ADB speeds for
quicker APK transfer and installation. Build improvements can cut that time even
further and in Android Studio 2.2 we're introducing incremental packaging and
parallel compression for debug builds. Together with other features like
selectively packaging resources for the target device density and ABI this will
make your development even faster.



A word of caution: the APK files created for Instant Run or by invoking a debug
build are not meant for distribution on the Play Store! They contain additional
instrumentation code for Instant Run and are missing resources for device
configurations other than the one that was connected when you started the build.
Make sure you only distribute release versions of the APK which you can create
using the Android Studio href="https://developer.android.com/studio/publish/app-signing.html?utm_campaign=android_discussion_api_111016&utm_source=anddev&utm_medium=blog#release-mode">Generate
Signed APK command or the assembleRelease Gradle task.