Creating an App Bundle (Android)
KOBIL App Security supports Android App Bundle ("AAB").
⚠️ Note: Create your own app signing key. Do not let the app store manage and protect your app signing key: there is a risk that app integrity values change over time, and users then cannot use the app until new app integrity values are stored in KOBIL's Security Server.
⚠️ Sign your aab file with this key; otherwise you need different aab files with different app names for Google's Play Store and Huawei's App Gallery.
Upload Android App Bundle
Using androidpublisher API
If you are using Google's androidpublisher API for uploading your .apk files, you have to make some minor changes to your project's setup in order to upload .aab files:
- You have to use the mime type "application/octet-stream" instead of the one you were using for your .apk uploads.
- The upload request has to be generated with a Bundles object instead of an Apks object.
Manual upload
The manual upload does not differ from the upload of .apk files.
Signing Options
When it comes to signing, there is no difference to .apk files, but we strongly recommend the use of certain options to ensure the functioning of our integrity checks and app digest calculations with App Bundles. Below is a short overview of the Google Play Console signing options you may use, followed by our recommendation:
"Use the same key as another app in this developer account [2]"
If you want to sign your app locally with the same key as the one that is going to be used in Google Play, you can select option [2] "Use the same key as another app in this developer account", or option [3] "Export and upload a key from Java keystore" below.
"Export and upload a key from Java keystore [3]"
Option [3] will allow you to test your app or upload it to other stores with the same signature as the one Google Play generates when using the key. When using that option, it is strongly recommended to use a dedicated upload key for more security.
"Export and upload a key (not using Java keystore) [4]"
Option [4] "Export and upload a key" is pretty much the same as option [3], but without the use of a Java keystore file.
For already released apps
You may be presented with the option to "Export and upload a key from Android Studio". Using that option is no different from options [2] and [3]. Here too, do not forget to use a dedicated upload key.
To ensure the functioning of our Integrity checks and app digest calculations, we recommend selecting either of the following options:
- [2] "Use the same key as another app in this developer account"
- [3] "Export and upload a key from Java keystore"
- [4] "Export and upload a key"
- "Export and upload a key from Android Studio"
IMPORTANT: We do NOT recommend using any other signing option provided by Google Play Console! With any of the other available options, we cannot guarantee that our integrity checks and digest calculations will work reliably in the future, because Google might choose to update the key when they deem it necessary (Google states that they are able to upgrade keys).
Note: Do not forget to use a dedicated upload key for increased security when uploading apps.
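A pre-upload check that a bundle really was signed with your own key, as an added example that is not KOBIL's or Google's code: it compares the SHA-256 certificate fingerprint that keytool reports for the .aab with the one stored in your keystore. It assumes a JDK keytool on PATH with English output; the file names, the alias and the KS_PASS variable are placeholders, and the script does not reproduce KOBIL's integrity value calculation.

```shell
#!/bin/sh
# Added example: verify the signer of a built .aab against the local keystore.
# Assumption: keytool prints a "SHA256:" fingerprint line (English locale).

# Read keytool output on stdin, print the first SHA-256 fingerprint, upper-cased.
cert_sha256() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' \
    | head -n 1 | tr 'abcdef' 'ABCDEF'
}

# Fingerprint of the certificate that signed the bundle (JAR signature).
aab_cert_sha256() {
  keytool -printcert -jarfile "$1" | cert_sha256
}

# Fingerprint of the certificate stored under an alias in the local keystore.
# The keystore password is read from the environment variable KS_PASS.
keystore_cert_sha256() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass:env KS_PASS | cert_sha256
}

# Succeed only if both fingerprints are present and identical.
same_signer() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Compare bundle and keystore; a non-zero status can block the upload step in CI.
verify_bundle_signer() {
  aab_fp=$(aab_cert_sha256 "$1")
  ks_fp=$(keystore_cert_sha256 "$2" "$3")
  if same_signer "$aab_fp" "$ks_fp"; then
    echo "OK: bundle signed with keystore certificate $ks_fp"
  else
    echo "MISMATCH: bundle=${aab_fp:-none} keystore=${ks_fp:-none}" >&2
    return 1
  fi
}

# Usage (placeholder names): verify_bundle_signer app-release.aab release.jks my-alias
```

An empty fingerprint on either side (unsigned bundle, wrong alias) is treated as a mismatch rather than a pass.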
Common Issues
Depending on your project setup you might encounter some issues you need to resolve in order to successfully upload your bundle:
"Your App Bundle contains the following configurations where the initial install would exceed the maximum size of 150 MB: ..."
Inside of android{} add:

    bundle {
        density {
            enableSplit true
        }
        abi {
            enableSplit true
        }
        language {
            // you might need to set this to false if you have the issue described below
            enableSplit = true
        }
    }

Note: Setting one of the above parameters to false can significantly increase the on-device installation size of your app.
"Your App Bundle targets the following unrecognized languages.."
Inside of android{} add a resConfigs flag with all languages supported by your app:

    defaultConfig {
        ...
        resConfigs "en", "US", "de", "tr"
    }

Another common issue with Android App Bundle uploads after enrolling in Play App Signing:
If you see the above message when uploading an .aab after just recently enrolling in Play App Signing with an app that you already had in Google Play, you can do the following to solve the issue:
- Build an APK of your app using the new key that you provided when enrolling in Play App Signing.
- Upload that APK to Google Console.
- Now build your AAB with that same key (do not forget to increase the version code in your app's build.gradle).
- The AAB upload should work now.
Links and resources
- https://developer.android.com/guide/app-bundle
- https://developer.android.com/studio/command-line/bundletool
- https://developers.google.com/android-publisher/api-ref/rest
- https://developer.android.com/guide/playcore/feature-delivery
- https://support.google.com/googleplay/android-developer/answer/9842756?hl=en