So far, here’s what I have learned about how the Gradle build process works when you are ready to sign and deploy your Android application:

1. The application source code needs to be in DEX (Dalvik Executable) files. The compiler converts all source code into compiled resources that include the bytecode that runs on Android Devices.
2. DEX files and compiled resources are organized in one package by the APK Packager. The final product is an unsigned APK and needs to have a signature in order to be installed or deployed.
3. There are two ways the APK Packager signs your app:

a. The debug version of your app is for testing and profiling only and will receive a debug keystore which is also the default keystore for new projects in Android Studio.

b. The release version (the one you will release externally) will receive a release keystore.

4. The packager will use zipalign tool before generating your final APK. This ensures it is optimized to use less memory when running on a physical device.

A signed APK file will include a “META-INF” folder containing three files: manifest.mf, cert.sf, and cert.rsa. Unsigned APKs will require a user to enable Unknown Sources to be able to install it. Amazon accepts unsigned apps for their store and Google Play Console does not. When you want to market your application, many users prefer signed ones over unsigned ones because downloading from unknown sources could be dangerous as it might include viruses, malware, or spyware.

References

Google Developers. (2019, January 23). Configure Your Build. Retrieved from Android Developers: https://developer.android.com/studio/build/#build-process

Mangroliya, S. (2012, April 23). Android differences between signed and unsigned .apk files? Retrieved from StackOverflow: https://stackoverflow.com/questions/10280278/android-differences-between-signed-and-unsigned-apk-files/10280362