apkeep hits 1.0.0 as Android app research gets steadier

EFF says apkeep has reached a stable 1.0.0 release, with new Play Store handling, more metadata support, and continued use in Android research workflows.

2026-05-11 GIGATAP Team #privacy
#android#privacy#research

EFF’s apkeep has reached version 1.0.0. The headline is not a dramatic rewrite. It is a signal that the command-line Android package downloader has matured after more than four years of iteration. For people who archive apps, audit variants, or study app behavior, that kind of stability is the point.

What apkeep 1.0.0 adds#

The new release stays close to the tool’s core job: download Android packages from multiple providers, especially Google Play. EFF says the latest version adds several Play Store-focused improvements. Those include better handling of store metadata connected to app performance, anonymous login support through a token, improved support for device-specific variants, and a fix for an authentication bug introduced by the Play Store API.

The project also continues to run across Linux, Windows, and Android. That matters because a tool like this is only useful if it works in the environments researchers already have. A downloader that is easy to script on a laptop, a lab machine, or a phone-adjacent workflow is more practical than a one-off utility that only behaves on one platform.

Why researchers care#

EFF frames apkeep as part of a broader effort to understand the Android app landscape. That is the right level of ambition for a downloader. It is not just about grabbing APKs. It is about getting the same package, metadata, and surrounding context in a form that can be inspected, compared, and archived.

The release also adds support for downloading dex metadata that includes Google Cloud Profiles. EFF says this helps researchers use the tool to study how compilation profiles shape app behavior and to evaluate dynamic testing. That is a narrow technical detail, but it is a useful one. In Android analysis, the packaging details can be as important as the binary itself. If a tool helps preserve those details, it gives analysts a cleaner baseline.

The source also points to concrete use in the wild. Other projects use apkeep downloads when they monitor the privacy properties of apps. Research teams have cited it in whitepapers as part of their own workflows. One example EFF gives is a team that used apkeep to download 21,154 apps for a study of Android evasive malware. That is the kind of scale where a reliable downloader stops being convenience and starts being infrastructure.

What not to overclaim#

A 1.0.0 tag can sound like a grand threshold. Here, it reads more like the opposite. EFF says the milestone reflects maturity, not a sudden wave of radical new features. The tool has been iterated for years. This release consolidates that work and adds a few practical improvements.

It is also worth keeping the tool in its lane. apkeep is a downloader. It does not replace analysis, and it does not make app research easy by itself. It gives you access to packages from a set of providers, with Google Play still the main focus and other stores, including open source app sources, also in scope. The value is in repeatable collection. The rest still depends on the analyst.

That distinction matters if you are reading the release as a privacy story. Reliable collection can support privacy auditing, malware analysis, and app archiving, but it does not prove anything on its own. It is a means to examine apps under controlled conditions. The findings still have to come from the researcher.

What to watch next#

EFF says it wants to keep broadening the list of supported providers. That is the most important part of the project direction. The more sources a downloader can handle, the easier it becomes to compare how the same app appears across contexts, stores, and packaging rules.

For users, the practical takeaway is simple. If your work depends on Android app collection, keep an eye on the current provider list, the release notes, and any changes in Play Store handling. If you use tools like apkeep for malware analysis, privacy auditing, or archive work, a stable release and broader metadata support can reduce friction without changing your workflow much.

For the project itself, the ask is familiar and reasonable: use it, test it, and contribute if it fits your toolbox. A downloader only stays useful if the people who rely on it keep pushing it toward the edge cases they actually hit.