Automated Android App Builds for F-Droid

The F-Droid project is an app store for Open Source Android applications. Applications are built automatically, signed and published. The tools and required infrastructure for the integrated solution are developed and operated by F-Droid themselves.

Building any (previously unknown) Android app from source requires pulling in not only the Android SDK but also the app's dependencies. Different apps may pull in arbitrary untrusted source code during their build process, yet they ultimately share many of the same dependencies.

Challenge

Build arbitrary Android applications in a predefined environment and cache as much as possible without sharing any untrusted data between different apps. Different Android SDK and Gradle versions may lead to different file paths for the dependencies.

Approach

Analyse current apps and their build setup to identify the most commonly used Android SDK and dependencies. Build a Docker image containing those dependencies. Leverage the Docker filesystem to mount the well-known, necessary dependencies and build the app within the Docker container. All other dependencies are retrieved by Gradle during the build and discarded once the Docker container shuts down.
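
One way to express this isolation as a build wrapper, shown as an added example that is not F-Droid's own tooling. The image name, host paths, the in-container layout, and the use of Gradle's GRADLE_RO_DEP_CACHE read-only cache are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not F-Droid's code). Image name and all paths are hypothetical.
IMAGE="${IMAGE:-example/android-build:latest}"   # image with SDK + common deps baked in
TRUSTED_CACHE="${TRUSTED_CACHE:-/srv/build/trusted-gradle-cache}"  # curated by the operator

# run_build MODE SRC OUT
#   MODE=print : print the docker arguments, one per line (dry run)
#   MODE=exec  : run the build
#   SRC        : app source directory on the host (untrusted)
#   OUT        : host directory that receives the built APKs
run_build() {
    mode=$1; src=$2; out=$3
    # - The trusted cache and the source are mounted read-only, so a hostile
    #   build script cannot poison what the next app's build will see.
    # - GRADLE_RO_DEP_CACHE makes Gradle read shared artifacts from the mount
    #   (it must contain a modules-2 directory); anything else is downloaded
    #   into GRADLE_USER_HOME inside the container's own writable layer.
    # - --rm deletes that layer, and the untrusted downloads in it, on exit.
    set -- run --rm \
        --volume "$TRUSTED_CACHE:/opt/ro-cache:ro" \
        --volume "$src:/build/src:ro" \
        --volume "$out:/build/out" \
        --env GRADLE_RO_DEP_CACHE=/opt/ro-cache \
        --env GRADLE_USER_HOME=/build/work/gradle-home \
        "$IMAGE" \
        sh -c 'mkdir -p /build/work && cp -r /build/src /build/work/app &&
               cd /build/work/app && ./gradlew assembleRelease &&
               find . -name "*.apk" -exec cp {} /build/out/ \;'
    if [ "$mode" = "print" ]; then
        printf '%s\n' "$@"
    else
        docker "$@"
    fi
}

# Usage: sh build.sh build /path/to/app-src /path/to/apk-out
if [ "${1:-}" = "build" ]; then
    run_build exec "$2" "$3"
fi
```

The output directory is the only host path the container can write to, so it should be a fresh, per-app directory.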