ZipToolView zip files online — 100% private

What is an APK file?

An APK (Android Package) is the file format Android uses to distribute and install applications. When you install an app from Google Play or sideload one from a download, what lands on the device is a single .apk file — a self-contained archive that carries everything the app needs to run: compiled code, resources (images, layouts, text), native libraries, and a signature proving it has not been tampered with.

The detail that matters for anyone inspecting one: an APK is, structurally, a ZIP file. It uses the standard ZIP container with deflate compression, so any tool that understands ZIP can list its contents and extract them — including an in-browser viewer. That is not an accident. The format was designed to be a signed, packaged bundle that build tools assemble and the Android installer unpacks.

What is actually inside an APK

Because an APK is a ZIP, opening it reveals a predictable internal structure. The exact entries vary by app, build configuration, and Android Gradle plugin version, but the core files are consistent across virtually every APK:

  • AndroidManifest.xml — the app's manifest: package name, version, permissions, declared activities and services, and the minimum Android version. Inside the APK this file is compiled to Android binary XML, not plain text, so you cannot read it with a text editor — you need aapt / aapt2 dump or a binary-XML-aware tool to decode it.
  • classes.dex (one or more) — the app's compiled bytecode in Dalvik Executable format. Every .dex file holds the application's code translated into Dalvik bytecode that the Android runtime (ART) executes. Large apps are split into classes.dex, classes2.dex, classes3.dex, and so on because a single DEX is limited to 65,536 method references (a count that includes framework and library methods, not just your own).
  • resources.arsc — the compiled resource table. It maps resource IDs (like 0x7f010002) to their values and handles resource lookup at runtime. Text strings, layout references, and theme values are indexed here.
  • res/ — compiled resources as produced by the build: layouts, drawables (images), strings, colors, and styles. Most XML here is also in Android binary-XML format.
  • assets/ — raw files shipped as-is: fonts, bundled HTML, configuration JSON, databases, or any file the app wants to read at runtime without compilation. These are plain files, not binary-XML.
  • lib/ — native libraries, one .so (shared object) per CPU architecture, grouped into subfolders: arm64-v8a/ (modern 64-bit ARM), armeabi-v7a/ (older 32-bit ARM), x86_64/ (emulators and some Chromebooks), and x86/. A given APK usually ships only a subset.
  • META-INF/ — the v1 (JAR-style) app signature: MANIFEST.MF (hashes every file), one or more *.SF files (the signature file), and *.RSA or *.EC files (the cryptographic signature block). Tampering with any signed file breaks the signature, which is how Android verifies integrity. Modern APKs additionally use APK Signature Scheme v2/v3, which lives in a dedicated APK Signing Block placed immediately before the ZIP central directory (not as a regular file under META-INF/) — which is why v2/v3-only APKs no longer carry .SF/.RSA entries at all.

How Android uses the APK

When you tap install, Android's package installer verifies the APK's signature, checks that the manifest's requirements are met, and copies the app into place. At runtime, the Android Runtime (ART) — the successor to the older Dalvik VM — runs the .dex bytecode. On install, ART performs ahead-of-time (AOT) compilation of the dex into optimized native machine code, which is what actually executes when the app runs; the original .dex remains for fallback and verification.

The resources in res/ and assets/ are read at runtime via the Android resource system and the AssetManager. Native libraries under lib/ are extracted or loaded directly so the app can call C/C++ code — common for games, media codecs, and performance-critical paths.

APK vs AAB (App Bundle)

Google Play no longer ships a single universal APK to most devices. Since 2021 it has used the Android App Bundle (.aab) as the upload format: developers upload an .aab, and Google Play's servers split it into per-device APKs — shipping only the native library for your device's CPU architecture and only the resources for your screen density and language. The result is a smaller download for each user.

For practical purposes, the distinction matters when you download an app: from Google Play you get an optimized APK generated server-side; from any other source (sideloading, alternative stores, a direct download) you get a plain APK, which may be a universal build carrying every architecture and density and thus larger. An .aab is also a ZIP container internally, but it is not directly installable on a phone — it has to be processed (by bundletool or Google Play) into one or more APKs first.

How to open or inspect an APK without a phone

Because an APK is structurally a ZIP, you have several options for looking inside one without installing it on a device. The quick method: rename app.apk to app.zip and double-click it — your OS will open it like any folder. From a terminal, unzip -l app.apk lists every entry without even renaming. These work because the file is a real ZIP archive.

The cleaner method is to open the APK in an in-browser viewer, which lets you browse the full file tree and preview text, images, and assets without extracting anything to disk. ZipTool parses the archive entirely in your browser (via zip.js) and never uploads it — useful if the APK is sensitive, untrusted, or covered by a data-handling policy. Step by step:

  • Open ziptool.app in any modern browser — nothing to install.
  • Drag-and-drop the .apk onto the page, use the file picker, or paste a URL (or deep-link with ?zip=<url>&file=<path> to open a remote APK and jump to a specific file).
  • The full tree appears: AndroidManifest.xml, classes.dex, res/, assets/, lib/, and META-INF/. Search across filenames to find a specific entry.
  • Click any file to preview it inline — images under res/ or assets/ render directly, text and config files open in a syntax-highlighting editor, and a nested .zip entry can be added to the list and browsed separately.
  • Nothing is written to disk and nothing is uploaded. Close the tab and the APK is gone. (Note: AndroidManifest.xml and res/ XML are in Android binary-XML format, so they preview as binary rather than readable text — decode them with aapt2 if you need the human-readable manifest.)

Safety: inspecting an APK is low-risk, installing one is the real risk

Browsing an APK's contents — treating it as a ZIP and looking at the tree — is low-risk. You are reading a file's structure, not executing its code, and inspecting an unknown APK before installing it is a genuinely good habit. It is how you spot an app asking for surprising permissions (in the manifest), an unexpectedly large native library for your architecture, or resources that do not match what the app claims to be.

The serious risk is installing and running an APK from an untrusted source. A sideloaded APK can be malware — spyware, banking trojans, adware, or a repackaged legitimate app with malicious code injected. Android warns about installs from unknown sources for exactly this reason. The signature only proves the file has not been modified since the developer signed it; it says nothing about whether the developer or the app itself is trustworthy.

One accuracy caveat worth stating plainly: inspecting contents in a browser is safer than blindly installing, but it is not a guarantee that nothing can go wrong. Parsing still runs JavaScript in a sandboxed browser tab, where library or browser bugs are theoretically exploitable, and any file you later extract and run can still be malware. For the full privacy-vs-safety breakdown — what client-side processing does and does not protect you from — see security and privacy.

Frequently asked questions

What does APK stand for?

APK stands for Android Package (historically Android Package Kit). It is the file format Android uses to distribute and install applications. Every app you install from Google Play or sideload from a download arrives as an .apk file containing the app's compiled code, resources, native libraries, and signature.

Is an APK just a zip file?

Structurally, yes — an APK is a ZIP archive. It uses the standard ZIP container with deflate compression, so any ZIP tool can list and extract its contents. The difference from a plain .zip is the required internal structure and the signature: an APK must contain an AndroidManifest.xml, at least one classes.dex, the compiled resources, and (under META-INF/ for v1 signing, or in the APK Signing Block for v2/v3) a cryptographic signature proving the package has not been tampered with.

How do I open an APK file?

Three ways. On an Android device, just tap the file (with installs from unknown sources enabled) and the package installer runs it. On any computer, rename app.apk to app.zip and open it, or run unzip -l app.apk to list the contents — this works because an APK is a ZIP. Or open it in an in-browser viewer like ZipTool: drag-and-drop the .apk, browse the tree, and preview images, assets, and text files without extracting anything to disk or uploading the file.

Can an APK contain a virus?

Yes. A sideloaded APK from an untrusted source can be malware — spyware, banking trojans, adware, or a legitimate app repackaged with malicious code. The APK's signature only proves the file was not modified after the developer signed it; it says nothing about whether the app itself is safe. This is why Android warns about installs from unknown sources. Inspecting an APK's contents before installing (browsing it as a ZIP) is low-risk and a good habit; actually installing and running an untrusted APK is the real danger.

What is the difference between APK and AAB (app bundle)?

An APK is directly installable on a device. An AAB (Android App Bundle, .aab) is a publishing format developers upload to Google Play, which then generates optimized per-device APKs from it — shipping only the native libraries and resources each device needs, for a smaller download. You cannot install an .aab directly on a phone; it must be processed (by bundletool or Google Play's servers) into one or more APKs first. Apps downloaded from anywhere other than Google Play are plain APKs.