APK file in Android

App Package: Android apps are written in Java. The compiled Java code for an app’s components is further transformed into Dalvik’s DEX format. The resulting code files along with any other required data and resources are subsequently bundled into an App PacKage

(APK), a file identified by the .apk suffix.

An APK is not an app, but is used to distribute an app and install it on a mobile device. It’s not an app because its components may reuse another APK’s components, and (in this situation) not all of the app would reside in a single APK. However, it’s common to refer to an APK as representing a single app.

An APK must be signed with a certificate (which identifies the app’s author) whose private key is held by its developer. The certificate doesn’t need to be signed by a certificate authority. Instead, Android allows APKs to be signed with self-signed certificates, which is typical. 

APK FILES, USER IDS, AND SECURITY: Each APK installed on an Android device is given its own unique Linux user ID, and this user ID remains unchanged for as long as the APK resides on that device. Security enforcement occurs at the process level, so the code contained in any two APKs cannot normally run in the same process, because each APK’s code needs to run as a different Linux user.

However, you can have the code in both APKs run in the same process by assigning the same name of a user ID to the tag’s sharedUserId attribute in each APK’s AndroidManifest.xml file. When you make these assignments, you tell Android that the two packages are to be treated as being the same app, with the same user ID and file permissions. In order to retain security, only two APKs signed with the same signature (and requesting the same sharedUserId value in their manifests) will be given the same user ID.