Android APK signed vs unsigned

By default, when you build your Android project, several APK variants are generated, for example debug, debug unaligned, release, release signed, and release unsigned.

The debug and release versions are exactly the same in many ways, for example the binaries, resources, and manifest files, but the release APK can be signed with your certificate and optimized with the zipalign tool.

The signed and unsigned APKs are exactly the same, except that the signed APK has some extra files that indicate the APK is signed. To generate a signed APK, you just run the JDK jarsigner tool on the unsigned APK; the result is a new APK file that contains some new files under the META-INF folder.

The contents of META-INF differ between the signed and unsigned APK:

As you can see, there are three extra files in the signed APK: MANIFEST.MF, CERT.SF, CERT.RSA.

An unsigned APK cannot be installed on Android devices. Don't confuse this with the Unknown sources option in Settings -> Security: checking that option won't let an unsigned APK install; it only allows installing APKs from sources other than the Google Play Store.

To verify that, just open a normal APK file with a zip tool and remove the three files; you will find that it can no longer be installed.
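A presence check for the three META-INF files named above, as an added example that is not part of the original post. It also accepts the .DSA and .EC signature block extensions that jarsigner writes for other key types and any base name in place of CERT (a generalization beyond the page); the function names and sample archives are constructed for illustration, and the check only looks for the files, it does not validate the signature.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Signature block extensions jarsigner writes, depending on the key type.
BLOCK_EXTS = {".RSA", ".DSA", ".EC"}


def jar_signature_files(apk):
    """Return which JAR-signing files sit directly under META-INF/."""
    with zipfile.ZipFile(apk) as zf:
        names = zf.namelist()
    found = {"manifest": False, "sf": set(), "block": set()}
    for name in names:
        p = PurePosixPath(name)
        if len(p.parts) != 2 or p.parts[0].upper() != "META-INF":
            continue  # skip directories, nested files and other folders
        base = PurePosixPath(p.name.upper())  # lenient on case (example choice)
        if base.name == "MANIFEST.MF":
            found["manifest"] = True
        elif base.suffix == ".SF":
            found["sf"].add(base.stem)
        elif base.suffix in BLOCK_EXTS:
            found["block"].add(base.stem)
    return found


def looks_signed(apk):
    """True when MANIFEST.MF and a matching .SF / signature block pair exist."""
    f = jar_signature_files(apk)
    return f["manifest"] and bool(f["sf"] & f["block"])


def build_sample(signed):
    """Constructed sample archive (not a real APK), built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed")
        zf.writestr("classes.dex", b"constructed")
        if signed:
            for n in ("MANIFEST.MF", "CERT.SF", "CERT.RSA"):
                zf.writestr("META-INF/" + n, b"constructed")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for signed in (True, False):
        print("built signed:", signed, "-> looks signed:", looks_signed(build_sample(signed)))
```

`looks_signed` also accepts a path to an APK on disk, since `zipfile.ZipFile` takes either a filename or a file object.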