Is it possible to merge split APK apps?

An APK file is actually little more than a glorified ZIP archive. Back then, the idea was to bundle all resources of an app into a single, easy to distribute container. The plan, however, had (at least) two shortcomings:

1. Android runs on a wide variety of devices and so APKs grew rather large, containing everything the app could need (e.g. graphic assets for different screen sizes, multiple language packs,…)
2. Easy to distribute, of course, meant that people could simply grab apps and upload them to APK mirror websites (never install APKs from a mirror website! You can’t make sure they are genuine).

App distribution outside of Play eventually grew into a problem that threatened Google’s appstore monopoly (how do I get APK files from Google Play?). So download size was a welcome excuse to introduce a new distribution format in 2018: App Bundles.

App Bundles still use the same old ZIP container format, but no longer pack everything in just a single file. Instead, the app is split into modules (“split APK”), each being distributed separately.

Base module

Always present, contains the “core of the app.

Language module

Contains the language pack, corresponding to the downloading device’s locale.

Graphics

Graphic assets corresponding to the downloading device’s screen size.

ABI

Native code, corresponding to the downloading device’s CPU architecture (if required).

When downloading an App Bundle, you never get the entire app. Only those parts that apply to your device. After all, the whole point behind App Bundles is to make scraping Play as difficult as possible.

Merging Split APK modules

At a first glance, merging modules into a traditional APK should be easy: just unzip the modules into a common directory, then zip that directory again. Unfortunately, it’s not so simple. There may will be filename conflicts among other issues.

Every APK contains a 🗋 AndroidManifest.xml file, describing its contents. Make sure to pick the right one: only the one from the base module matters. Without it, the app cannot even be installed.

All APKs that deal with resources (language packs, graphic assets) also come with a 🗋 resources.asrc file. These are a bit more tricky as they need to be decompiled before and recompiled after being merged into a single file.

The final challenge with merging modules is signing the resulting APK. You can’t do that properly since you don’t have the developer’s private key. This is, of course, kinda a bad joke and someone at Google ought to be slapped silly for it. The whole reason for mandating code signing is so that Google, in it’s role as a distributor, can wave their arms and tell governments to “fuck off”, in case they ever got the idea that Google should push a trojaned update of an (messenger) app to a person of interest. With traditional APKs, the POIs phone would simply reject the update. With App Bundles, developers need to share their private(!) keys with Google, so Google can build the modules on the fly. So there, App Bundles are also a bad idea securitywise.

Conclusion

Can App Bundles be merged into traditional APKs? Absolutely! Can it be done automatically? By the Raccoon apk downloader? Sadly, no. Not really. Merging the files itself is rather trivial, but being forced to use a made up signing key means the APK can’t be installed as an update to the genuine app and in case the app also checks itself for tempering (banking apps like to do that - not that they should be distributed as bundles in the first place), there will be trouble.

There’s also virtually no benefit to merging modules unless you want to run an APK mirror website. Otherwise, Raccoon got you covered.