
Run Anbox inside Whonix-Workstation ™


Anbox allows Android applications and mobile games to run inside Whonix ™.

Install Anbox

Perform all installation steps inside Whonix-Workstation ™. No modifications of Whonix-Gateway ™ are required.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the packages linux-image-amd64, linux-headers-amd64, adb, fastboot and anbox.

sudo apt-get install linux-image-amd64 linux-headers-amd64 adb fastboot anbox

The procedure is complete.

Download Anbox Android image.

If you want to do this inside a Qubes TemplateVM, the parameter --proxy http://127.0.0.1:8082 needs to be added to scurl as shown below.

  • Non-Qubes-Whonix or Qubes StandaloneVM:
    scurl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img
  • Qubes-Whonix TemplateVM:
    scurl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img

Download Anbox Android image sha256sum file.

  • Non-Qubes-Whonix or Qubes StandaloneVM:
    curl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum
  • Qubes-Whonix TemplateVM:
    curl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

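Verify. The checksum file comes from the same server as the image, so this check detects a corrupted or incomplete download, not a compromised server.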

sha256sum --check android_amd64.img.sha256sum

Should show:

android_amd64.img: OK


Move (rename) android_amd64.img to /var/lib/anbox/android.img:[1]

sudo mv android_amd64.img /var/lib/anbox/android.img

[2]

Whonix Configuration

Disabling Whonix-Workstation ™ Firewall is unfortunately required. Otherwise there would be no network access. [3]

Warning: This reduces security! Especially when using multiple Whonix-Workstation ™ behind the same Whonix-Gateway ™.

Inside Whonix-Workstation ™.

sudo systemctl mask whonix-firewall

Disable whonixcheck of Whonix-Workstation ™ Firewall.

Open file /etc/whonix.d/50_whonixcheck_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/whonix.d/50_whonixcheck_user.conf

Paste.

whonixcheck_skip_functions+=" check_whonix_firewall_systemd_status "

Save.

Reboot required. [4]

sudo reboot

Qubes Configuration

Qubes users only.

Qubes-Whonix ™ requires using Qubes VM kernel. [5] Users can follow the instructions from the Qubes website, Installing kernel in Debian VM, which are equally functional in Qubes-Whonix ™.

The following steps are required to make changes in Anbox persist when using a TemplateBased AppVM. These are not required in a StandaloneVM.

Does not work yet. [6] Experimental instructions [7]

Start Anbox

From Start Menu

Start menu → Accessories → Anbox

From Command Line

[8]

anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

Usage

F-Droid

Installation

You might want to install F-Droid.

The following instructions document how to download and verify F-Droid inside Whonix-Workstation ™.

[9]

Securely download the key.

scurl-download "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89"

Display the key's fingerprint.

gpg --keyid-format long --import --import-options show-only --with-fingerprint 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'

Verify the fingerprint. Should show.

gpg: key 41E7044E1DBA2E89: 42 signatures not checked due to missing keys
pub rsa4096/41E7044E1DBA2E89 2014-04-25 [C]
Key fingerprint = 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
uid F-Droid <admin@f-droid.org>
sub rsa3072/5DCCB667F9BF9046 2014-04-25 [E] [expires: 2021-04-24]
sub rsa3072/7A029E54DD5DCE7A 2014-04-25 [S] [expires: 2021-04-24]

Warning:

Do not continue if the fingerprint does not match! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity.

Add the signing key.

gpg --import 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'

Download F-Droid.

scurl-download https://f-droid.org/FDroid.apk

Download F-Droid signature.

scurl-download https://f-droid.org/FDroid.apk.asc

Verify F-Droid.

gpg --verify FDroid.apk.asc

Should show.

gpg: assuming signed data in 'FDroid.apk'
gpg: Signature made Thu 11 Apr 2019 12:41:19 PM UTC
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Install F-Droid inside Anbox using adb.

adb install FDroid.apk
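
The manual fingerprint comparison in the steps above can be made fail-closed in a script. The following is an added example, not part of the Whonix wiki or the F-Droid documentation: it reads gpg's machine-readable --with-colons listing and imports the key only when the file holds exactly one primary key with the fingerprint shown on this page. The function names and the sample listing (constructed, abbreviated) are assumptions of the example.

```shell
#!/bin/sh
# Added example: import a key only if its primary fingerprint equals the one
# published on this page. Function names are hypothetical.
EXPECTED_FPR='37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89'

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
normalise_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED: read a `gpg --with-colons` key listing on stdin.
# Succeeds only if it holds exactly one primary key ("pub" record) whose
# fingerprint (field 10 of the "fpr" record that follows) equals EXPECTED.
fpr_matches() {
    want=$(normalise_fpr "$1")
    [ "${#want}" -eq 40 ] || return 1      # full 40-hex-digit fingerprint only
    case $want in *[!0-9A-F]*) return 1 ;; esac
    awk -F: -v want="$want" '
        $1 == "pub"         { pubs++; take = 1; next }
        $1 == "fpr" && take { got = toupper($10); take = 0 }
        END                 { exit !(pubs == 1 && got == want) }
    '
}

# Constructed, abbreviated colon-format listing for the key shown above.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:41E7044E1DBA2E89:1398384000:::-:::cSC:
fpr:::::::::37D2C98789D8311948394E3E41E7044E1DBA2E89:
uid:-::::1398384000::::F-Droid <admin@f-droid.org>:
sub:-:3072:1:7A029E54DD5DCE7A:1398384000::::::s:
fpr:::::::::802A9799016112346E1FEFF47A029E54DD5DCE7A:
EOF
}

# import_if_verified KEYFILE: inspect without importing, then import on match.
import_if_verified() {
    if gpg --with-colons --import-options show-only --import "$1" 2>/dev/null |
        fpr_matches "$EXPECTED_FPR"
    then
        gpg --import "$1"
    else
        echo "fingerprint mismatch, not importing: $1" >&2
        return 1
    fi
}

# Runs only when a key file is passed as the first argument.
if [ "$#" -gt 0 ]; then import_if_verified "$1"; fi
```

A short key ID or a subkey fingerprint is rejected on purpose: only the full primary fingerprint identifies the key.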

File Sharing

[10]

lxsudo thunar

Browse to:

/var/lib/anbox/rootfs/data/media/0/

Files dropped to this download directory are readily visible to apps within Anbox.

Forum Discussion

https://forums.whonix.org/t/running-android-apps-inside-whonix-workstation-proof-of-concept/7441/11

Footnotes

  1. anbox-container-manager.service expects this file name.
  2. These steps are probably not required. Should work out of the box after reboot.

    Start kernel module.

    sudo modprobe ashmem_linux

    Start kernel module.

    sudo modprobe binder_linux

    Start anbox systemd service.

    sudo systemctl start anbox-container-manager.service

    Check if anbox systemd service is functional.

    sudo systemctl status anbox-container-manager.service

    Should show something similar to the following.

    ● anbox-container-manager.service - Anbox Container Manager
       Loaded: loaded (/lib/systemd/system/anbox-container-manager.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2018-12-31 06:23:49 EST; 874ms ago
         Docs: man:anbox(1)
      Process: 1996 ExecStartPre=/usr/share/anbox/anbox-bridge.sh start (code=exited, status=0/SUCCESS)
      Process: 1991 ExecStartPre=/sbin/modprobe binder_linux (code=exited, status=0/SUCCESS)
      Process: 1986 ExecStartPre=/sbin/modprobe ashmem_linux (code=exited, status=0/SUCCESS)
     Main PID: 2074 (anbox)
        Tasks: 9 (limit: 4915)
       Memory: 5.1M
          CPU: 51ms
       CGroup: /system.slice/anbox-container-manager.service
               └─2074 /usr/bin/anbox container-manager --daemon --privileged --data-path=/var/lib/anbox
    
    Dec 31 06:23:48 debian systemd[1]: Starting Anbox Container Manager...
    Dec 31 06:23:49 debian systemd[1]: Started Anbox Container Manager.
    
  3. This is because Anbox comes with its own bridged network. Whitelisting that interface in the Whonix-Workstation ™ firewall is undocumented and might require source code modifications. Patches are welcome.
  4. To unload Whonix-Workstation ™ firewall rules and to make anbox load its firewall rules.
  5. Using VM kernel may currently come with its own challenges, since Anbox is implemented using kernel modules. https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
  6. [ 2019-10-14 11:00:41] [launch.cpp:214@operator()] Session manager failed to become ready
  7. 1) Increase VM private storage. Power off the VM. Add at least 2 GB more private storage to VM. This can be done using Qubes VM Manager (QVMM). Reboot the VM.
    2) Add /var/lib/anbox to Qubes bind-dirs. Create folder /rw/config/qubes-bind-dirs.d.
    sudo mkdir -p /rw/config/qubes-bind-dirs.d
    Create a new configuration file /rw/config/qubes-bind-dirs.d/50_user.conf.
    sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf
    Paste.
    binds+=( '/var/lib/anbox' )
    Save. Reboot the VM. This results in storing /var/lib/anbox in the private rather than root image. Thereby changes would persist rather than be lost after VM restart.
    Fix file permissions. Warning: might have security issues.
    sudo systemctl stop anbox-container-manager.service
    sudo chown --recursive user:user /var/lib/anbox
    sudo systemctl start anbox-container-manager.service
  8. /usr/share/applications/anbox.desktop
  9. https://f-droid.org/docs/Release_Channels_and_Signing_Keys/
  10. https://forums.whonix.org/t/running-android-apps-inside-whonix-workstation-anbox-proof-of-concept/7441/13


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
