2013-11-05

The Google Play Store is not available in all parts of the world: the US restricts its use in certain countries like Iran, and many countries, like China, block access to the Play Store. Also, the Google Play Store tracks its users' actions, reporting back to Google which apps have been installed and run on the phone. Because of the NSA leaks, we're seeing that governments are actively tapping into the raw data streams of Google, Yahoo, and others. That means the information the Google Play Store sends back to Google is also intercepted by the NSA and other countries' agencies like it, and they in turn share that information with other governments. Lastly, the Google Play Store is not free software, unlike the core of Android itself. It is proprietary software that Google entirely controls.

F-Droid is a wonderful, free app store for Android. It is modeled after Debian and other GNU/Linux distros in that it has its own package repositories (repos) and build servers for all the apps that are part of the official OS. Like Debian and Ubuntu, you can also set up your own repos for anyone to use. Any free software can be added to the official F-Droid repos, where it is built and signed by the F-Droid server. This can be annoying because it means that your apps in F-Droid are signed by a different key than your apps in the Google Play Store. If you host your own F-Droid repo, then people can use F-Droid to install your own builds signed by your own signing key.

This is a quick HOWTO for how to set up such a repository on a Debian or Ubuntu box. It is somewhat technical, you will use the terminal, but you don't need to be a terminal expert to follow along. First you need the fdroidserver tools and a webserver. For the webserver, we use nginx here since it's lightweight, but any will do if you already have one running. The fdroidserver tools are not yet in the official Debian/Ubuntu/etc repos, so you have to add our PPA (Personal Package Archive) to get them (fingerprint: F50E ADDD 2234 F563):

In the case of this HOWTO, we're going to set up a "Simple Binary Repository" to host our official APKs. Let's give our normal user control over the web root (with nginx, that is /usr/share/nginx/www; it is different for other webservers) so that we don't need to run the F-Droid tools as root. In my case, my username is hans; change it to your username when you run this:

sudo chown -R hans /usr/share/nginx/www

Now put your APK files into /usr/share/nginx/www/repo and you are ready to run the commands to build the repo (if fdroid init cannot find your Android SDK in /opt/android-sdk or $ANDROID_HOME it will prompt you for the path):

Voila! Now you have a working F-Droid repo! Add it to an F-Droid client on your Android device to test it out. That is done in the Manage Repos screen available from the menu. Your repo URL will be the hostname or IP address of your machine with /repo/ added to the end of it, e.g. https://mysecureserver.com/repo/ or http://192.168.2.53/repo/. You can temporarily uncheck the official repos to easily see what F-Droid found in your new repo.

Customization

You can also customize your repo by editing the config file. Be sure to use a programming text editor, like editor /usr/share/nginx/www/config.py. In the config file, you can set the name of the repo, the description, the icon, paths to specific versions of the build tools, links to a related wiki, and whether to keep stats. Here's the basic repo description block:

To put your icon into your repo, choose a PNG image to put in your repo. The PNG goes in /usr/share/nginx/www/; the file can be named whatever you want (by default it's fdroid-icon.png). If you change the name from the default, be sure to update repo_icon and archive_icon in /usr/share/nginx/www/config.py.

More Security

If you are concerned about the security of your repo, then you should set things up a bit differently. Generating a repo in place is very easy, which is why we started there. When generating the repo in place, make sure that config.py is not accessible via the web, since it contains passwords. If the file permissions are correct (0600), then config.py will not be readable by the webserver. But the signing keys will still be on that public server. To improve this situation, generate the repo on your own machine, keeping config.py and the keystore only on that machine, then use fdroid server update to publish the changes to your repo on a separate server. You just need to set serverwebroot in config.py properly, then fdroid server update will do the publishing via rsync over ssh.
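As an added example (not part of the original post), here is a small POSIX shell script that audits an in-place repo directory along the lines of the section above: it confirms that config.py and the keystore it names are mode 0600 so the webserver user cannot read them, and, for the separate-server setup, that serverwebroot names an ssh target. The nginx WEBROOT default, the one-assignment-per-line config_value parser, and the user@host:/path format for serverwebroot are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit an F-Droid repo directory that was
# generated in place under the webserver's root, as the HOWTO describes.
# Assumption: paths are absolute and the web root is nginx's default.
WEBROOT="${WEBROOT:-/usr/share/nginx/www}"

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Succeed only if the file exists and is mode 0600: the webserver runs as a
# different user, so it cannot read a 0600 file owned by the repo owner.
check_private_mode() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "600" ]
}

# Read a simple string setting (key = "value" or key = 'value') from config.py.
# Assumption: one assignment per line, the way fdroid init writes it.
config_value() {
    sed -n "s/^$2 *= *[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Succeed only if serverwebroot looks like an ssh target (user@host:/path),
# which is what "fdroid server update" needs to publish over rsync+ssh.
deploy_target_ok() {
    case "$(config_value "$1" serverwebroot)" in
        *@*:/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Audit one repo directory: config.py and the keystore it names must be 0600.
audit_repo() {
    cfg="$1/config.py"
    check_private_mode "$cfg" || { echo "FAIL: $cfg must be mode 0600"; return 1; }
    ks=$(config_value "$cfg" keystore)
    case "$ks" in /*) ;; *) ks="$1/$ks" ;; esac   # relative to the repo dir
    check_private_mode "$ks" || { echo "FAIL: keystore $ks must be mode 0600"; return 1; }
    echo "OK: $cfg and $ks are private"
}

# Run the audit when a repo directory is given, e.g.: sh audit.sh "$WEBROOT"
if [ -n "${1:-}" ]; then
    audit_repo "$1"
fi
```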

You can also use your own existing signing key rather than the one generated by fdroid init; just edit repo_keyalias, keystore, keystorepass, keypass, and keydname in /usr/share/nginx/www/config.py.

Since we like Tor and its Hidden Services for providing privacy, we also want to set up an F-Droid repository that is accessible over a Tor Hidden Service, aka an onion address. This will be covered in a future HOWTO.
