Actions

Run Anbox inside Whonix-Workstation ™

From Whonix



Anbox apps short.png

Anbox [archive] (third party project) allows Android applications and mobile games to run inside Whonix ™.

Warning[edit]

Anbox disables the majority of the Android security model [1] and it uses an incredibly outdated version of Android with known vulnerabilities [2].

Install Anbox[edit]

All installation steps inside Whonix-Workstation ™. No modifications of Whonix-Gateway ™ required.

Install linux-image-amd64 linux-headers-amd64 adb fastboot anbox.

1. Update the package lists. 

sudo apt-get update

2. Upgrade the system. 

sudo apt-get dist-upgrade

3. Install the linux-image-amd64 linux-headers-amd64 adb fastboot anbox package. 

sudo apt-get install linux-image-amd64 linux-headers-amd64 adb fastboot anbox

The procedure of installing linux-image-amd64 linux-headers-amd64 adb fastboot anbox is complete.

Download Anbox Android image.

If you want to do this inside a Qubes TemplateVM then parameter --proxy http://127.0.0.1:8082 needs to be added to scurl as shown below.

  • Non-Qubes-Whonix or Qubes StandaloneVM: 
    scurl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img

  • Qubes-Whonix TemplateVM: 
    scurl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img

Download Anbox Android image sha256sum file.

  • Non-Qubes-Whonix or Qubes StandaloneVM: 
    curl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

  • Qubes-Whonix TeplateVM: 
    curl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

Verify. 

sha256sum --check android_amd64.img.sha256sum

Should show: 

android_amd64.img: OK


Move (rename) android_amd64.img to /var/lib/anbox/android.img:[3] 

sudo mv android_amd64.img /var/lib/anbox/android.img

[4]

Whonix Configuration[edit]

Disabling Whonix-Workstation ™ Firewall is unfortunately required. Otherwise there would be no network access. [5]

Ambox warning pn.svg.png This reduces security! Especially when using multiple Whonix-Workstation ™ behind the same Whonix-Gateway ™.

Inside Whonix-Workstation ™.

(Qubes-Whonix ™: inside StandaloneVM (better!) or TemplateVM. 

sudo systemctl mask whonix-firewall

Disable whonixcheck of Whonix-Workstation ™ Firewall.

Open file /etc/whonix.d/50_whonixcheck_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link. 

sudoedit /etc/whonix.d/50_whonixcheck_user.conf

Paste. 

whonixcheck_skip_functions+=" check_whonix_firewall_systemd_status "

Save.

Reboot required. [6] 

sudo reboot

Qubes Configuration[edit]

Qubes users only.

You probably want to use a StandaloneVM. Otherwise changes would be non-persistent, i.e. lost after VM restart. Instructions on how to make Anbox persistent using a TemplateBased AppVM are not existing yet. (See footnote for experimental instructions. [7])

Qubes-Whonix ™ requires using Qubes VM kernel [archive]. [8] Users can follow the instructions from the Qubes website Installing kernel in Debian VM [archive] which are equally functional in Qubes-Whonix ™.

It has been reported [archive] that it is required to enable Anbox software rendering [archive] but how to do this in this guide is unknown at this point. The command from previous link probably won't work as this guide does not use snap and it shouldn't use snap either because that would break recommendation Always Verify Signatures since snap does not verify software signatures. [9]

Start Anbox[edit]

From Start Menu[edit]

Start menuAccessoriesAnbox

From Command Line[edit]

[10] 

anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

Usage[edit]

F-Droid[edit]

Fdroid.png Fdroid2.png Fdroid3.png

Installation[edit]

Might want to install F-Droid.

Here are instructions document how to download and verify F-Droid inside Whonix-Workstation ™.

[11]

Securely download the key. 

scurl-download "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89"

Display the key's fingerprint. 

gpg --keyid-format long --import --import-options show-only --with-fingerprint 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'

Verify the fingerprint. Should show.

gpg: key 41E7044E1DBA2E89: 42 signatures not checked due to missing keys pub rsa4096/41E7044E1DBA2E89 2014-04-25 [C] Key fingerprint = 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89 uid F-Droid <admin@f-droid.org> sub rsa3072/5DCCB667F9BF9046 2014-04-25 [E] [expires: 2021-04-24] sub rsa3072/7A029E54DD5DCE7A 2014-04-25 [S] [expires: 2021-04-24]

Ambox warning pn.svg.png Warning:

Do not continue if the fingerprint does not match! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity.

Add the signing key. 

gpg --import 'lookup?op=get&search=0x37d2c98789d8311948394e3e41e7044e1dba2e89'

Download F-Droid. 

scurl-download https://f-droid.org/FDroid.apk

Download F-Droid signature. 

scurl-download https://f-droid.org/FDroid.apk.asc

Verify F-Droid. 

gpg --verify FDroid.apk.asc

Should show. 

gpg: assuming signed data in 'FDroid.apk'
gpg: Signature made Thu 11 Apr 2019 12:41:19 PM UTC
gpg:                using RSA key 0x7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Install F-Droid inside Anbox using adb. 

adb install FDroid.apk

File Sharing[edit]

[12] 

lxsudo thunar

Browse to: 

/var/lib/anbox/rootfs/data/media/0/

Files dropped to this download directory are readily visible to apps within Anbox.

Forum Discussion[edit]

https://forums.whonix.org/t/running-android-apps-inside-whonix-workstation-proof-of-concept/7441/11 [archive]

Footnotes[edit]

  1. For example, it disables SELinux, a core part of the security model. https://github.com/anbox/platform_system_core/commit/71907fc5e7833866be6ae3c120c602974edf8322 [archive]
  2. See the dates on the Github repositories. https://github.com/anbox [archive]
  3. anbox-container-manager.service expects this file name.
  4. These steps are probably not required. Should work out of the box after reboot.

    Start kernel module. 

    sudo modprobe ashmem_linux

    Start kernel module. 

    sudo modprobe binder_linux

    Start anbox systemd service. 

    sudo systemctl start anbox-container-manager.service

    Check if anbox systemd service is functional. 

    sudo systemctl status anbox-container-manager.service

    Should show something similar to the following. 

    ● anbox-container-manager.service - Anbox Container Manager
   Loaded: loaded (/lib/systemd/system/anbox-container-manager.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-12-31 06:23:49 EST; 874ms ago
     Docs: man:anbox(1)
  Process: 1996 ExecStartPre=/usr/share/anbox/anbox-bridge.sh start (code=exited, status=0/SUCCESS)
  Process: 1991 ExecStartPre=/sbin/modprobe binder_linux (code=exited, status=0/SUCCESS)
  Process: 1986 ExecStartPre=/sbin/modprobe ashmem_linux (code=exited, status=0/SUCCESS)
 Main PID: 2074 (anbox)
    Tasks: 9 (limit: 4915)
   Memory: 5.1M
      CPU: 51ms
   CGroup: /system.slice/anbox-container-manager.service
           └─2074 /usr/bin/anbox container-manager --daemon --privileged --data-path=/var/lib/anbox

Dec 31 06:23:48 debian systemd[1]: Starting Anbox Container Manager...
Dec 31 06:23:49 debian systemd[1]: Started Anbox Container Manager.
  5. This is because Anbox comes with its own bridged network. Whitelisted that interface in Whonix-Workstation ™ firewall is undocumented and might require source code modifications. Patches are Welcome.
  6. To unload Whonix-Workstation ™ firewall rules and to make anbox load its firewall rules.
  7. Does not work yet. 
    [ 2019-10-14 11:00:41] [launch.cpp:214@operator()] Session manager failed to become ready

    1) Increase VM private storage.

    Power off the VM.

    Add at least 2 GB more private storage to VM. This can be done using Qubes VM Manager (QVMM).

    Reboot the VM.

    2) Add /var/lib/anbox to Qubes bind-dirs [archive].

    Create folder /rw/config/qubes-bind-dirs.d. 

    sudo mkdir -p /rw/config/qubes-bind-dirs.d

    Create a new configuration file /rw/config/qubes-bind-dirs.d/50_user.conf. 

    sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf

    Paste. 

    binds+=( '/var/lib/anbox' )

    Save.

    Reboot the VM.

    This results in storing /var/lib/anbox in the private rather than root image. Thereby changes would persist rather than be lost after VM restart.

    Fix file permissions.

    Warning: might have security issues 

    sudo systemctl stop anbox-container-manager.service

    sudo chown --recursive user:user /var/lib/anbox

    sudo systemctl start anbox-container-manager.service

  8. Using VM kernel may come with its own challenges currently. https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 [archive] Since Anbox is implemented using kernel modules.
  9. https://forums.whonix.org/t/snap-store-snaps-snapcraft-io-a-new-software-source/7631 [archive]
  10. /usr/share/applications/anbox.desktop
  11. https://f-droid.org/docs/Release_Channels_and_Signing_Keys/ [archive]
  12. https://forums.whonix.org/t/running-android-apps-inside-whonix-workstation-anbox-proof-of-concept/7441/13 [archive]

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: Twitter.png Facebook.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Want to make Whonix safer and more usable? We're looking for helping hands. Check out the Open Issues [archive] and development forum [archive].

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

Retrieved from "https://www.whonix.org/w/index.php?title=Anbox&oldid=59891"