Integrate Anbox into Whonix-Workstation

Hello. I have a suggestion. Nowadays there is no life without android apps. More and more services are provided only through Android apps not web-sites. And Anbox is the only stable working solution to run Android apps natively using current linux kernel. I know that there is an instruction how to install Anbox into Workstation but it is required to disable Whonix firewall. It is not a safe way. Is there a way to integrate Anbox into Whonix-Workstation environment without decreasing a security? I’d really like Anbox to be preinstalled natively in Whonix.
Hope you understand me. Thank you.

Realistically, for users: no

Unrealistically: someone with deep pockets could bring anbox project (fork) back to live.

Also https://www.whonix.org/wiki/Free_Support_Principle applies.

Thank you. So what are the practical not theoretical risks of disabling a firewall for using Anbox on Whonix-Workstation? If IP leak is impossible because of routing all traffic through a Gateway, then what are the real risks of disabling firewall on Workstation? Only social engineering based on leaked fingerprints and metadata such as screen size, OS type, language etc?

The purpose of Whonix-Workstation firewall is documented here:

https://www.whonix.org/wiki/Whonix-Workstation_Firewall#Purpose (which links to:)


The main risk maybe isn’t even disabling Whonix-Workstation firewall but that anbox is very outdated, i.e. possibly containing public known security issues. (And also doesn’t include any of the Android security model.)

Thank you. Is there another way to run android apps on Whonix? Such as Chromium or even Android x86 project through Whonix-Gateway?

Is there another way to run android apps in Debian?
That would be the perfect question according to https://www.whonix.org/wiki/Free_Support_Principle

Whonix ™-Android-Workstation

Thank you.

I would not recommend Anbox or Android-x86 at all. They both disable the majority of the security model and are outdated.

Where did you see that? I don’t remember that using Anbox on Workstation required disabling Whonix firewall. But I might be mistaken, it was a long time ago.

What firewall? The one in the workstation is not essential for how Whonix functions.

It can never be natively installed because it requires a third party Android x86 ROM (which isn’t GPG signed) that includes non free Google Apps - which are illegal to redistribute according to Google.

Compatibility rather than security is probably the main concern here. No one will ever claim that running .exe turds in wine is a security booster either.

That’s not the same. Anbox advertises itself as secure when it’s the opposite.



Anbox puts Android apps into a tightly sealed box without direct access to hardware or your data.

Wine doesn’t do this.


Anbox doesn’t ship Google Apps (or other nonfree as far as I know). Therefore F-Droid installation is mentioned:


At least Whonix website won’t claim that is an excellent idea before/if anbox makes major progress. Already mentions:

Anbox release is already very old. Might be bad for security.

I think I may have confused Android x86 with the image that Anbox provides. I am sure the former did have the stuff out of the box.

There are guides to install gapps on Anbox so this implies it is not a default.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]