Android App Signing
Also known as: apk signing, v2 signature scheme, apk signature, android app signing
Android app signing attaches a developer's cryptographic signature to an APK so the system can verify the package's author and confirm it has not been modified. Android also requires that app updates be signed with the same key as the installed version.
- Android requires every APK to be signed, and updates must use the same signing key as the installed app.
- Signature schemes range from v1 (JAR) through v2/v3/v4, with v3 adding key rotation.
- Google Play App Signing manages the final signing key while developers upload with an upload key.
Why Android signs every app
Android requires every APK to be signed before it can be installed. The signature lets the OS confirm the package came from a known author and was not tampered with after building. Crucially, Android enforces signing-key continuity: an update will install only if it is signed with the same key as the existing app, which prevents a malicious package from masquerading as a legitimate update.
Signing keys also establish trust between apps from the same developer, enabling shared user IDs and signature-level permissions. Unlike iOS, Android does not require a central authority to issue the certificate; developers can self-sign, though Google Play adds its own verification layer.
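The signing-key continuity rule described above, as an added example that is not part of this page or of Android's own package manager code: a small model of the decision the installer makes when an update arrives, including the v3 key-rotation case. The certificate bytes are constructed placeholders, the capability bit value is an assumption made for this example, and the lineage is assumed to have already been signature-verified (in a real APK each entry in the lineage is signed by the previous key, so an unrelated party cannot fabricate descent from someone else's key).

```python
import hashlib

# Capability an older key must grant in the v3 signing lineage for the newer
# key to take over the installed app's data. Value assumed for this example.
CAP_INSTALLED_DATA = 1


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the fingerprint form Android reports."""
    return hashlib.sha256(cert_der).hexdigest()


def installer_accepts_update(installed_certs, update_certs, update_lineage=()):
    """Simplified model of the package manager's signing-key continuity check.

    installed_certs / update_certs: DER signer certificates of the installed app
    and of the candidate update (several only for multi-signer apps).
    update_lineage: the candidate's v3 rotation history as (cert_der, capability
    flags) pairs, oldest first, assumed already verified.

    Returns (accepted, reason).
    """
    installed = {cert_fingerprint(c) for c in installed_certs}
    update = {cert_fingerprint(c) for c in update_certs}

    # The common case: identical signer set, update is allowed.
    if installed == update:
        return True, "same signing certificate(s) as the installed app"

    # Key rotation (v3): a different signer is tolerated only when the update's
    # lineage contains the installed key and that entry granted INSTALLED_DATA.
    # Rotation is only defined for single-signer apps.
    lineage = {cert_fingerprint(c): flags for c, flags in update_lineage}
    if len(installed) == 1:
        (old_fp,) = installed
        if old_fp in lineage:
            if lineage[old_fp] & CAP_INSTALLED_DATA:
                return True, "rotated key; installed key is in lineage with installed-data capability"
            return False, "installed key is in lineage but did not grant installed-data capability"

    return False, "signature mismatch: update is not signed by the installed app's key"


if __name__ == "__main__":
    # Constructed placeholder certificates, not real DER.
    old_key = b"constructed DER cert: developer key, original"
    new_key = b"constructed DER cert: developer key, rotated"
    other_key = b"constructed DER cert: unrelated key"
    print(installer_accepts_update([old_key], [old_key]))
    print(installer_accepts_update([old_key], [other_key]))
    print(installer_accepts_update([old_key], [new_key], [(old_key, CAP_INSTALLED_DATA), (new_key, 0)]))
    print(installer_accepts_update([old_key], [new_key], [(old_key, 0), (new_key, 0)]))
```

The last two calls show why rotation is not a loophole: the new key is accepted only because the lineage entry for the old key grants the installed-data capability, and a lineage that merely lists the old key without that capability is refused.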
Signature scheme versions
Android has evolved its signing schemes. v1 (JAR signing) signs individual files inside the archive and is the legacy format. v2 signs the whole APK as a block for stronger, faster verification and is required for apps targeting modern API levels. v3 adds key rotation so a developer can change keys while proving lineage, and v4 supports incremental installation. APKs are typically signed with apksigner from the Android SDK build tools.
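To make the v2/v3 "whole-APK block" concrete, here is an added example (not code from this page, from apksigner or from the Android platform) that locates the APK Signing Block inside a zip file and lists which signature schemes it carries. An APK Signing Block sits between the zip entries and the central directory, formatted as a size field, a sequence of length-prefixed ID-value pairs, the size again, and the magic "APK Sig Block 42"; the scheme is identified by the pair's ID. The example builds a one-entry zip as a stand-in for an APK and splices in a block whose values are constructed placeholders rather than real signed digests, so it runs offline; v4 is not represented because it lives in a separate .idsig file.

```python
import io
import struct
import zipfile

# Magic that closes an APK Signing Block, and the block IDs this example recognises.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
KNOWN_BLOCK_IDS = {
    0x7109871A: "v2 (APK Signature Scheme v2)",
    0xF05368C0: "v3 (APK Signature Scheme v3, key rotation)",
    0x42726590: "padding block",
}

EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_CD_OFFSET_FIELD = 16  # 4-byte "start of central directory" field inside the EOCD


def build_plain_zip() -> bytes:
    """Construct a one-entry zip standing in for an unsigned APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder manifest/>")
    return buf.getvalue()


def add_signing_block(zip_bytes: bytes, id_value_pairs) -> bytes:
    """Splice an APK Signing Block in front of the central directory (where the
    signer puts it) and fix up the central-directory offset in the EOCD record.
    The values are whatever the caller passes; real blocks hold signed digests
    and certificates."""
    eocd = zip_bytes.rfind(EOCD_SIGNATURE)
    cd_offset = struct.unpack_from("<I", zip_bytes, eocd + EOCD_CD_OFFSET_FIELD)[0]

    # Each pair: uint64 length of (ID + value), uint32 ID, value bytes.
    pairs = b"".join(
        struct.pack("<QI", 4 + len(value), block_id) + value
        for block_id, value in id_value_pairs
    )
    # "size of block" excludes its own first copy, includes the second copy and the magic.
    size_of_block = len(pairs) + 8 + len(APK_SIG_BLOCK_MAGIC)
    block = (struct.pack("<Q", size_of_block) + pairs
             + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)

    patched = zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:]
    field = eocd + len(block) + EOCD_CD_OFFSET_FIELD  # EOCD moved by len(block)
    return patched[:field] + struct.pack("<I", cd_offset + len(block)) + patched[field + 4:]


def list_signing_blocks(apk_bytes: bytes):
    """Return {block_id: value} for the ID-value pairs in the APK Signing Block,
    or None when the file has no such block (v1-only or unsigned)."""
    eocd = apk_bytes.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("not a zip file: no End of Central Directory record")
    cd_offset = struct.unpack_from("<I", apk_bytes, eocd + EOCD_CD_OFFSET_FIELD)[0]

    # The block ends with [size_of_block u64][magic 16 bytes] right before the central directory.
    if cd_offset < 32 or apk_bytes[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None
    size_of_block = struct.unpack_from("<Q", apk_bytes, cd_offset - 24)[0]
    block_start = cd_offset - size_of_block - 8
    if block_start < 0:
        raise ValueError("APK Signing Block size exceeds the file")
    if struct.unpack_from("<Q", apk_bytes, block_start)[0] != size_of_block:
        raise ValueError("APK Signing Block size fields disagree")

    blocks = {}
    pos, end = block_start + 8, cd_offset - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk_bytes, pos)[0]
        block_id = struct.unpack_from("<I", apk_bytes, pos + 8)[0]
        blocks[block_id] = apk_bytes[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    if pos != end:
        raise ValueError("ID-value pairs do not exactly fill the signing block")
    return blocks


def describe_schemes(apk_bytes: bytes):
    """Human-readable list of the schemes present, in block order."""
    blocks = list_signing_blocks(apk_bytes)
    if blocks is None:
        return ["no APK Signing Block (v1/JAR-only or unsigned)"]
    return [KNOWN_BLOCK_IDS.get(i, f"unknown block 0x{i:08x}") for i in blocks]


def zip_entries(apk_bytes: bytes):
    """Entry names as an ordinary zip reader sees them: the signing block sits in
    a gap the zip format ignores, which is why v1-only tools never notice it."""
    return zipfile.ZipFile(io.BytesIO(apk_bytes)).namelist()


if __name__ == "__main__":
    apk = add_signing_block(build_plain_zip(), [(0x7109871A, b"constructed v2 signer"),
                                               (0xF05368C0, b"constructed v3 signer")])
    print(describe_schemes(apk), zip_entries(apk))
```

Two things the parser checks are worth keeping in any real verifier: the two size fields must agree, and the ID-value pairs must fill the block exactly; a block that fails either check is malformed and should be treated as unsigned rather than skipped over.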
When publishing through Google Play, Play App Signing is the standard: developers upload an Android App Bundle signed with an upload key, and Google manages the final app signing key used to sign the split APKs delivered to devices. This protects the long-lived signing key while still allowing the developer to ship updates.
What it means on device
Signing is part of why Android can sandbox apps and verify them at install. A sideloaded APK that fails signature verification, or that is re-signed with a different key than the installed app, will be rejected by the package manager. For everyday users this is invisible, but it underpins update safety. Cleanor helps with the more visible side of app storage, finding the large apps, leftover APK files, and app cache that quietly consume space.