Actions

Run Anbox inside Whonix-Workstation ™

From Whonix



Anbox apps short.png

Introduction[edit]

Community Support Only!:
Info

Community Support Only means Whonix ™ developers are unlikely to provide free support for wiki chapters or pages with this tag. See Community Support for further information, including implications and possible alternatives.

Ambox warning pn.svg.png Anbox disables the majority of the Android security model [1] and it uses a very outdated Android version with known vulnerabilities. [2]

Anbox [archive] is a third party project that allows Android applications and mobile games to run inside Whonix ™. According to the Anbox website: [3]

Anbox puts the Android operating system into a container, abstracts hardware access and integrates core system services into a GNU/Linux system. Every Android application will be integrated with your operating system like any other native application. To achieve our goal we use standard Linux technologies like containers (LXC) to separate the Android operating system from the host. Any Android version is suitable for this approach and we try to keep up with the latest available version from the Android Open Source Project.

The project is open source and theoretically any application can be run. Anbox does not have direct access to a user's hardware or data. It should be noted that while it is possible to install the Google Play Store, Google will not allow anyone to ship applications if the device is not certified and the vendor has not signed an agreement. [4]

Anbox inside Whonix ™ vs. Android x86 Workstation[edit]

There are both distinct advantages and disadvantages of running Android applications in a native Whonix-Workstation ™ versus an Android x86 Workstation. [5]

Table: Anbox Advantages and Disadvantages [6]

Category Notes
Bootloader / Ramdisk Anbox does not have any type of bootloader and ramdisk. Consequently it is impossible to install Magisk or some kind of recovery tool which is probably necessary for some operations like hiding root from applications (for example Magisk Hide).
Emulation No emulation is required, therefore Android applications can be run in a native Whonix-Workstation ™ environment.
Flexibility It is easy to use adb to install/remove apps and to push/pull files from/to the Anbox environment.
Networking Anbox does not provide a virtual Wi-Fi (wlan0) interface so some applications will not see the Internet connection.
Speed Android applications run faster in this configuration.

Table: Android x86 Workstation Advantages and Disadvantages

Category Notes
Bootloader / Ramdisk It is possible to use Magisk to achieve root permissions and hide root from applications on Android x86. [7]
Flexibility It is not possible to use adb because no connection between Whonix-Workstation ™ and Android x86 is established. [8]
Networking Android x86 provides a virtual Wi-Fi interface (wlan0) so applications think that a real Wi-Fi connection is established (Anbox uses a bridge network interface).
Operating System The full Android stack implemented as Android x86 is a full operating system which requires hardware virtualization (unlike Anbox).
Security This configuration is less secure than utilizing a Whonix-Workstation ™. [9]
Software Any version of Android from 4.x to 9.x can be installed (Anbox provides only Nougat).
Speed This configuration is slower as Android x86 does not provide any type of Guest Additions meaning no graphic card drivers are supported.

Anbox Installation[edit]

Base Software[edit]

Perform all installation steps inside Whonix-Workstation ™. No Whonix-Gateway ™ modifications are required.

Install linux-image-amd64 linux-headers-amd64 adb fastboot anbox.

1. Update the package lists. 

sudo apt-get update

2. Upgrade the system. 

sudo apt-get dist-upgrade

3. Install the linux-image-amd64 linux-headers-amd64 adb fastboot anbox package.

Using apt-get command line parameter --no-install-recommends is in most cases optional. 

sudo apt-get install --no-install-recommends linux-image-amd64 linux-headers-amd64 adb fastboot anbox

The procedure of installing linux-image-amd64 linux-headers-amd64 adb fastboot anbox is complete.

Android Image[edit]

1. Download Anbox Android image.

If this is required inside a Qubes TemplateVM then parameter --proxy http://127.0.0.1:8082 must be added to scurl as shown below.

  • Non-Qubes-Whonix or Qubes StandaloneVM: 
    scurl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img

  • Qubes-Whonix TemplateVM: 
    scurl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img

2. Download Anbox Android image sha256sum file.

  • Non-Qubes-Whonix or Qubes StandaloneVM: 
    curl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

  • Qubes-Whonix TemplateVM: 
    curl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

3. Verify the image. 

sha256sum --check android_amd64.img.sha256sum

Should show: 

android_amd64.img: OK

4. Move (rename) android_amd64.img to /var/lib/anbox/android.img. [10] 

sudo mv android_amd64.img /var/lib/anbox/android.img

[11]

Anbox Configuration[edit]

Whonix[edit]

Disabling Whonix-Workstation ™ Firewall is unfortunately required. Otherwise there would be no network access. [12]

Ambox warning pn.svg.png This reduces security! Especially when using multiple Whonix-Workstation ™ behind the same Whonix-Gateway ™.

1. Inside Whonix-Workstation ™.

(Qubes-Whonix ™: inside StandaloneVM (better!) or TemplateVM). 

sudo systemctl mask whonix-firewall

2. Disable whonixcheck in Whonix-Workstation ™ Firewall.

Open file /etc/whonix.d/50_whonixcheck_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link. 

sudoedit /etc/whonix.d/50_whonixcheck_user.conf

Paste. 

whonixcheck_skip_functions+=" check_whonix_firewall_systemd_status "

Save.

3. Reboot.

This is required to unload Whonix-Workstation ™ firewall rules and to have Anbox load its firewall rules. 

sudo reboot

Qubes[edit]

Info Qubes users only.

A StandaloneVM is most suitable, otherwise changes will be non-persistent (lost after VM restart). Instructions on how to make Anbox persistent using a TemplateBased AppVM do not exist yet; see footnote for experimental instructions. [13]

Qubes-Whonix ™ requires the use of a Qubes VM kernel [archive]. [14] Users can follow the instructions from the Qubes website Installing kernel in Debian VM [archive] which are equally functional in Qubes-Whonix ™.

It has been reported [archive] that it is necessary to enable Anbox software rendering [archive], but it is unclear how to accomplish that at present. The command from the previous link is likely non-functional because this guide does not use snap. Snap is not utilized because that would break the Always Verify Signatures recommendation (snap does not verify software signatures). [15]

Start Anbox[edit]

From Start Menu[edit]

Start menuAccessoriesAnbox

From Command Line[edit]

[16] 

anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

Usage[edit]

F-Droid Installation[edit]

It is suggested to install F-Droid. The instructions below document how to download and verify F-Droid inside Whonix-Workstation ™. [17]

1. Download the F-Droid signing key.

Securely download the key. 

scurl-download "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89"

Display the key's fingerprint. 

gpg --keyid-format long --import --import-options show-only --with-fingerprint 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'

Verify the fingerprint. Should show.

gpg: key 41E7044E1DBA2E89: 42 signatures not checked due to missing keys pub rsa4096/41E7044E1DBA2E89 2014-04-25 [C] Key fingerprint = 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89 uid F-Droid <admin@f-droid.org> sub rsa3072/5DCCB667F9BF9046 2014-04-25 [E] [expires: 2021-04-24] sub rsa3072/7A029E54DD5DCE7A 2014-04-25 [S] [expires: 2021-04-24]

Ambox warning pn.svg.png Warning:

Do not continue if the fingerprint does not match! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity.

Add the signing key. 

gpg --import 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'

2. Download F-Droid. 

scurl-download https://f-droid.org/FDroid.apk

3. Download F-Droid signature. 

scurl-download https://f-droid.org/FDroid.apk.asc

4. Verify F-Droid. 

gpg --verify FDroid.apk.asc

Should show. 

gpg: assuming signed data in 'FDroid.apk'
gpg: Signature made Thu 11 Apr 2019 12:41:19 PM UTC
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

5. Install F-Droid inside Anbox using adb. 

adb install FDroid.apk

Figure: F-Droid Images

Fdroid.png Fdroid2.png Fdroid3.png

File Sharing[edit]

In a terminal, run. [18] 

lxsudo thunar

Browse to: 

/var/lib/anbox/rootfs/data/media/0/

Files dropped to this download directory are readily visible to applications within Anbox.

Forum Discussion[edit]

Footnotes[edit]

  1. For example it disables SELinux which is a core part of the security model; see https://github.com/anbox/platform_system_core/commit/71907fc5e7833866be6ae3c120c602974edf8322 [archive]
  2. See the dates on the Github repositories. https://github.com/anbox [archive]
  3. https://anbox.io/#about [archive]
  4. https://anbox.io/#faq [archive]
  5. https://forums.whonix.org/t/integrate-anbox-into-whonix-workstation/9642 [archive]
  6. The networking and software disadvantages below are very critical.
  7. Some individuals have already achieved this on Android x86.
  8. Although it may be possible to run ssh-server on Whonix-Workstation ™ and connect your Android x86 through Termux or similar.
  9. Although it may have more flexibility, as static IP connections on the Android x86 Workstation have been accomplished.
  10. anbox-container-manager.service expects this file name.
  11. The following steps are probably not required because it should work out of the box after rebooting.

    Start kernel module. 

    sudo modprobe ashmem_linux

    Start kernel module. 

    sudo modprobe binder_linux

    Start anbox systemd service. 

    sudo systemctl start anbox-container-manager.service

    Check if anbox systemd service is functional. 

    sudo systemctl status anbox-container-manager.service

    Should show something similar to the following. 

    ● anbox-container-manager.service - Anbox Container Manager
   Loaded: loaded (/lib/systemd/system/anbox-container-manager.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-12-31 06:23:49 EST; 874ms ago
     Docs: man:anbox(1)
  Process: 1996 ExecStartPre=/usr/share/anbox/anbox-bridge.sh start (code=exited, status=0/SUCCESS)
  Process: 1991 ExecStartPre=/sbin/modprobe binder_linux (code=exited, status=0/SUCCESS)
  Process: 1986 ExecStartPre=/sbin/modprobe ashmem_linux (code=exited, status=0/SUCCESS)
 Main PID: 2074 (anbox)
    Tasks: 9 (limit: 4915)
   Memory: 5.1M
      CPU: 51ms
   CGroup: /system.slice/anbox-container-manager.service
           └─2074 /usr/bin/anbox container-manager --daemon --privileged --data-path=/var/lib/anbox

Dec 31 06:23:48 debian systemd[1]: Starting Anbox Container Manager...
Dec 31 06:23:49 debian systemd[1]: Started Anbox Container Manager.
  12. This is because Anbox comes with its own bridged network. Whitelisting that interface in Whonix-Workstation ™ firewall is undocumented and might require source code modifications. Patches are Welcome.
  13. These steps do not work yet. 
    [ 2019-10-14 11:00:41] [launch.cpp:214@operator()] Session manager failed to become ready

    1. Increase VM private storage.

    • Power off the VM.
    • Add at least 2 GB more private storage to the VM. This can be done using Qubes VM Manager (QVMM).
    • Reboot the VM.

    2. Add /var/lib/anbox to Qubes bind-dirs [archive].

    Create folder /rw/config/qubes-bind-dirs.d. 

    sudo mkdir -p /rw/config/qubes-bind-dirs.d

    Create a new configuration file /rw/config/qubes-bind-dirs.d/50_user.conf. 

    sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf

    Paste. 

    binds+=( '/var/lib/anbox' )

    Save.

    3. Reboot the VM.

    This results in storing /var/lib/anbox in the private rather than the root image. This means changes will persist rather than be lost after a VM restart.

    4. Fix file permissions.

    Ambox warning pn.svg.png Warning: the following steps might cause security issues. 

    sudo systemctl stop anbox-container-manager.service

    sudo chown --recursive user:user /var/lib/anbox

    sudo systemctl start anbox-container-manager.service
  14. Using a VM kernel is currently challenging to use because Anbox is implemented using kernel modules, see: Simplify and promote using in-vm kernel [archive].
  15. https://forums.whonix.org/t/snap-store-snaps-snapcraft-io-a-new-software-source/7631 [archive]
  16. /usr/share/applications/anbox.desktop
  17. https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ [archive]
  18. https://forums.whonix.org/t/running-android-apps-inside-whonix-workstation-anbox-proof-of-concept/7441/13 [archive]

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

We are looking for video makers to help create demonstration, promotional and conceptual videos or tutorials.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

Retrieved from "https://www.whonix.org/w/index.php?title=Anbox&oldid=64125"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information