Run Anbox inside Whonix-Workstation ™
Anbox (third party project) allows Android applications and mobile games to run inside Whonix ™.
Warning
Anbox disables the majority of the Android security model [1] and it uses an incredibly outdated version of Android with known vulnerabilities [2].
Install Anbox
Perform all installation steps inside Whonix-Workstation ™. No modifications of Whonix-Gateway ™ are required.
Install linux-image-amd64 linux-headers-amd64 adb fastboot anbox.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the linux-image-amd64 linux-headers-amd64 adb fastboot anbox packages.
Using the apt-get command line parameter --no-install-recommends is in most cases optional.
sudo apt-get install --no-install-recommends linux-image-amd64 linux-headers-amd64 adb fastboot anbox
The procedure of installing linux-image-amd64 linux-headers-amd64 adb fastboot anbox is complete.
Download the Anbox Android image.
If you want to do this inside a Qubes TemplateVM, then the parameter --proxy http://127.0.0.1:8082 needs to be added to scurl as shown below.
- Non-Qubes-Whonix or Qubes StandaloneVM:
scurl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img
- Qubes-Whonix TemplateVM:
scurl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img
Download the Anbox Android image sha256sum file.
- Non-Qubes-Whonix or Qubes StandaloneVM:
curl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum
- Qubes-Whonix TemplateVM:
curl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum
Verify.
sha256sum --check android_amd64.img.sha256sum
Should show:
android_amd64.img: OK
Move (rename) android_amd64.img to /var/lib/anbox/android.img: [3]
sudo mv android_amd64.img /var/lib/anbox/android.img
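The verify-then-move steps above as one fail-closed function, as an added example that is not part of the original wiki page. The function names are hypothetical; unlike a bare `sha256sum --check`, it also rejects a checksum file that does not name the image being installed.

```shell
#!/bin/sh
# Added example (not from the wiki page). Function names are hypothetical.

# expected_hash FILE SUMFILE: print the SHA-256 that SUMFILE lists for FILE.
# Fails unless exactly one entry names FILE and the value is 64 hex digits.
expected_hash() {
    awk -v name="$(basename "$1")" '
        { f = $2; sub(/^\*/, "", f) }      # binary-mode entries read "*name"
        f == name { n++; h = tolower($1) }
        END {
            if (n == 1 && length(h) == 64 && h ~ /^[0-9a-f]+$/) print h
            else exit 1
        }' "$2"
}

# verify_image FILE SUMFILE: succeed only if FILE hashes to the listed value.
verify_image() {
    want=$(expected_hash "$1" "$2") || {
        echo "no unique entry for $1 in $2" >&2
        return 1
    }
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$want" = "$have" ] || {
        echo "hash mismatch for $1" >&2
        return 1
    }
}

# install_verified_image FILE SUMFILE DEST: move FILE into place only after
# it verifies, so an unverified image never reaches DEST.
install_verified_image() {
    verify_image "$1" "$2" || return 1
    mv -- "$1" "$3"
}

# Usage with the file names from this page (root rights are needed for the
# real destination):
#   install_verified_image android_amd64.img android_amd64.img.sha256sum \
#       /var/lib/anbox/android.img
```

The checksum file comes from the same server as the image, so this check detects a corrupted or truncated download rather than a replaced one.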
Whonix Configuration
Disabling Whonix-Workstation ™ Firewall is unfortunately required. Otherwise there would be no network access. [5]
This reduces security! Especially when using multiple Whonix-Workstation ™ behind the same Whonix-Gateway ™.
Inside Whonix-Workstation ™.
(Qubes-Whonix ™: inside StandaloneVM (better!) or TemplateVM.)
sudo systemctl mask whonix-firewall
Disable whonixcheck of Whonix-Workstation ™ Firewall.
Open file /etc/whonix.d/50_whonixcheck_user.conf in an editor with root rights.
(Qubes-Whonix ™: In TemplateVM)
This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/whonix.d/50_whonixcheck_user.conf
Paste.
whonixcheck_skip_functions+=" check_whonix_firewall_systemd_status "
Save.
Reboot required. [6]
sudo reboot
Qubes Configuration
Qubes users only.
You probably want to use a StandaloneVM. Otherwise changes would be non-persistent, i.e. lost after VM restart. Instructions on how to make Anbox persistent using a TemplateBased AppVM do not exist yet. (See footnote for experimental instructions. [7])
Qubes-Whonix ™ requires using a Qubes VM kernel. [8] Users can follow the instructions from the Qubes website, Installing kernel in Debian VM, which are equally functional in Qubes-Whonix ™.
It has been reported that it is required to enable Anbox software rendering, but how to do this in this guide is unknown at this point. The command from the previous link probably won't work as this guide does not use snap, and it shouldn't use snap either because that would break the recommendation Always Verify Signatures, since snap does not verify software signatures. [9]
Start Anbox
From Start Menu
Start menu → Accessories → Anbox
From Command Line
anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
Usage
F-Droid
Installation
You might want to install F-Droid.
These instructions document how to download and verify F-Droid inside Whonix-Workstation ™.
Securely download the key.
scurl-download "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89"
Display the key's fingerprint.
gpg --keyid-format long --import --import-options show-only --with-fingerprint 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'
Verify the fingerprint. Should show.
gpg: key 41E7044E1DBA2E89: 42 signatures not checked due to missing keys
pub   rsa4096/41E7044E1DBA2E89 2014-04-25 [C]
      Key fingerprint = 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
uid   F-Droid <admin@f-droid.org>
sub   rsa3072/5DCCB667F9BF9046 2014-04-25 [E] [expires: 2021-04-24]
sub   rsa3072/7A029E54DD5DCE7A 2014-04-25 [S] [expires: 2021-04-24]
Do not continue if the fingerprint does not match! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity.
Add the signing key.
gpg --import 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'
Download F-Droid.
scurl-download https://f-droid.org/FDroid.apk
Download F-Droid signature.
scurl-download https://f-droid.org/FDroid.apk.asc
Verify F-Droid.
gpg --verify FDroid.apk.asc
Should show.
gpg: assuming signed data in 'FDroid.apk'
gpg: Signature made Thu 11 Apr 2019 12:41:19 PM UTC
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
Install F-Droid inside Anbox using adb.
adb install FDroid.apk
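The fingerprint and signature checks above, compared by machine rather than by eye, as an added example that is not part of the original wiki page. The function names are hypothetical, the pinned fingerprint is the one shown in this page's expected output, and the parsers read GnuPG's `--with-colons` and `--status-fd` output.

```shell
#!/bin/sh
# Added example (not from the wiki page). Function names are hypothetical.
# Fingerprint pinned from this page's expected output, spaces removed.
FDROID_FPR=37D2C98789D8311948394E3E41E7044E1DBA2E89

# primary_fpr: read `gpg --with-colons` output on stdin and print the
# fingerprint of the first primary key (the fpr record that follows "pub").
primary_fpr() {
    awk -F: '$1 == "pub" { p = 1; next }
             p && $1 == "fpr" { print $10; found = 1; exit }
             END { if (!found) exit 1 }'
}

# good_signer: read `gpg --status-fd 1 --verify` output on stdin and print the
# primary-key fingerprint (field 12 of VALIDSIG). GOODSIG is required as well,
# because VALIDSIG is also emitted next to EXPKEYSIG or REVKEYSIG.
good_signer() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG" { good = 1 }
         $2 == "VALIDSIG" && NF >= 12 { fpr = $12 }
         END { if (good && fpr != "") print fpr; else exit 1 }'
}

# verify_fdroid KEYFILE APK SIG: import the key only if its fingerprint equals
# the pin, then accept APK only if a good signature chains to that same key.
verify_fdroid() {
    got=$(gpg --with-colons --import-options show-only --import "$1" |
          primary_fpr) || return 1
    [ "$got" = "$FDROID_FPR" ] || {
        echo "fingerprint mismatch: $got" >&2
        return 1
    }
    gpg --import "$1" || return 1
    signer=$(gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null |
             good_signer) || return 1
    [ "$signer" = "$FDROID_FPR" ] || {
        echo "signed by unexpected key: $signer" >&2
        return 1
    }
}

# Usage with the file names from this page:
#   verify_fdroid 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89' \
#       FDroid.apk FDroid.apk.asc && adb install FDroid.apk
```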
File Sharing
lxsudo thunar
Browse to:
/var/lib/anbox/rootfs/data/media/0/
Files dropped to this download directory are readily visible to apps within Anbox.
Forum Discussion
https://forums.whonix.org/t/running-android-apps-inside-whonix-workstation-proof-of-concept/7441/11
Footnotes
1. For example, it disables SELinux, a core part of the security model. https://github.com/anbox/platform_system_core/commit/71907fc5e7833866be6ae3c120c602974edf8322
2. See the dates on the Github repositories. https://github.com/anbox
3. anbox-container-manager.service expects this file name.
4. These steps are probably not required. Should work out of the box after reboot.
   Start kernel module.
   sudo modprobe ashmem_linux
   Start kernel module.
   sudo modprobe binder_linux
   Start anbox systemd service.
   sudo systemctl start anbox-container-manager.service
   Check if anbox systemd service is functional.
   sudo systemctl status anbox-container-manager.service
   Should show something similar to the following.
   ● anbox-container-manager.service - Anbox Container Manager
      Loaded: loaded (/lib/systemd/system/anbox-container-manager.service; enabled; vendor preset: enabled)
      Active: active (running) since Mon 2018-12-31 06:23:49 EST; 874ms ago
      Docs: man:anbox(1)
      Process: 1996 ExecStartPre=/usr/share/anbox/anbox-bridge.sh start (code=exited, status=0/SUCCESS)
      Process: 1991 ExecStartPre=/sbin/modprobe binder_linux (code=exited, status=0/SUCCESS)
      Process: 1986 ExecStartPre=/sbin/modprobe ashmem_linux (code=exited, status=0/SUCCESS)
      Main PID: 2074 (anbox)
      Tasks: 9 (limit: 4915)
      Memory: 5.1M
      CPU: 51ms
      CGroup: /system.slice/anbox-container-manager.service
              └─2074 /usr/bin/anbox container-manager --daemon --privileged --data-path=/var/lib/anbox
   Dec 31 06:23:48 debian systemd[1]: Starting Anbox Container Manager...
   Dec 31 06:23:49 debian systemd[1]: Started Anbox Container Manager.
5. This is because Anbox comes with its own bridged network. Whitelisting that interface in the Whonix-Workstation ™ firewall is undocumented and might require source code modifications. Patches are welcome.
6. To unload Whonix-Workstation ™ firewall rules and to make anbox load its firewall rules.
7. Does not work yet.
   [ 2019-10-14 11:00:41] [launch.cpp:214@operator()] Session manager failed to become ready
   1) Increase VM private storage.
   Power off the VM.
   Add at least 2 GB more private storage to the VM. This can be done using Qubes VM Manager (QVMM).
   Reboot the VM.
   2) Add /var/lib/anbox to Qubes bind-dirs.
   Create folder /rw/config/qubes-bind-dirs.d.
   sudo mkdir -p /rw/config/qubes-bind-dirs.d
   Create a new configuration file /rw/config/qubes-bind-dirs.d/50_user.conf.
   sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf
   Paste.
   binds+=( '/var/lib/anbox' )
   Save.
   Reboot the VM.
   This results in storing /var/lib/anbox in the private rather than root image. Thereby changes would persist rather than be lost after VM restart.
   Fix file permissions.
   Warning: might have security issues
   sudo systemctl stop anbox-container-manager.service
   sudo chown --recursive user:user /var/lib/anbox
   sudo systemctl start anbox-container-manager.service
8. Using a VM kernel may currently come with its own challenges, since Anbox is implemented using kernel modules. https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
9. https://forums.whonix.org/t/snap-store-snaps-snapcraft-io-a-new-software-source/7631
10. /usr/share/applications/anbox.desktop
11. https://f-droid.org/docs/Release_Channels_and_Signing_Keys/
12. https://forums.whonix.org/t/running-android-apps-inside-whonix-workstation-anbox-proof-of-concept/7441/13