[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Integrate Anbox into Whonix-Workstation

Hello. I have a suggestion. Nowadays there is no life without android apps. More and more services are provided only through Android apps not web-sites. And Anbox is the only stable working solution to run Android apps natively using current linux kernel. I know that there is an instruction how to install Anbox into Workstation but it is required to disable Whonix firewall. It is not a safe way. Is there a way to integrate Anbox into Whonix-Workstation environment without decreasing a security? I’d really like Anbox to be preinstalled natively in Whonix.
Hope you understand me. Thank you.

Realistically, for users: no

Unrealistically: someone with deep pockets could bring anbox project (fork) back to live.

Also https://www.whonix.org/wiki/Free_Support_Principle applies.

Thank you. So what are the practical not theoretical risks of disabling a firewall for using Anbox on Whonix-Workstation? If IP leak is impossible because of routing all traffic through a Gateway, then what are the real risks of disabling firewall on Workstation? Only social engineering based on leaked fingerprints and metadata such as screen size, OS type, language etc?

The purpose of Whonix-Workstation firewall is documented here:

https://www.whonix.org/wiki/Whonix-Workstation_Firewall#Purpose (which links to:)

https://github.com/Whonix/whonix-firewall/blob/master/man/whonix_firewall.8.ronn#whonix-workstation-firewall-design-notes


The main risk maybe isn’t even disabling Whonix-Workstation firewall but that anbox is very outdated, i.e. possibly containing public known security issues. (And also doesn’t include any of the Android security model.)

Thank you. Is there another way to run android apps on Whonix? Such as Chromium or even Android x86 project through Whonix-Gateway?

Is there another way to run android apps in Debian?
That would be the perfect question according to https://www.whonix.org/wiki/Free_Support_Principle

Whonix ™-Android-Workstation

Thank you.

I would not recommend Anbox or Android-x86 at all. They both disable the majority of the security model and are outdated.

Where did you see that? I don’t remember that using Anbox on Workstation required disabling Whonix firewall. But I might be mistaken, it was a long time ago.

What firewall? The one in the workstation is not essential for how Whonix functions.

It can never be natively installed because it requires a third party Android x86 ROM (which isn’t GPG signed) that includes non free Google Apps - which are illegal to redistribute according to Google.

Compatibility rather than security is probably the main concern here. No one will ever claim that running .exe turds in wine is a security booster either.

That’s not the same. Anbox advertises itself as secure when it’s the opposite.

https://anbox.io/

Secure

Anbox puts Android apps into a tightly sealed box without direct access to hardware or your data.

Wine doesn’t do this.

https://www.whonix.org/wiki/Anbox#Whonix_Configuration

Anbox doesn’t ship Google Apps (or other nonfree as far as I know). Therefore F-Droid installation is mentioned:
https://www.whonix.org/wiki/Anbox#F-Droid

Right.

At least Whonix website won’t claim that is an excellent idea before/if anbox makes major progress. Already mentions:

Anbox release is already very old. Might be bad for security.

I think I may have confused Android x86 with the image that Anbox provides. I am sure the former did have the stuff out of the box.

There are guides to install gapps on Anbox so this implies it is not a default.

I need to up this topic. Android apps are really required nowadays so there are only two ways to browse them anonymously: using native Android device with Orbot with/without OpenVPN or using Anbox on top of Whonix-Workstation. Android-x86 doesn’t fit at all because it’s extremely slow in a virtual machine. Anbox is a container not an emulator that’s why it’s the best way.

I could make Google Play Services work in an open-source way: you need to install microG services, they are open-source re-implementation of proprietary Google Play Services provided by Google.

But I have a problem: I cannot connect to VPN on Anbox withous bridges. They are only two open-source android apps in F-Droid for VPN on Android: Calyx VPN and Riseup VPN. Riseup VPN has bridges function and Calyx hasn’t. I cannot connect to VPN on Anbox on top of Whonix because when I do this, every 60 seconds the connection is dropped because of ‘ping-restart’ on a server side. Only using bridges solves the problem. So, the question is: how to make VPN as an Android app work with Anbox on top of Whonix-Workstation without using bridges? I’m tired of ‘ping-restart’. Thank you.

Let me get this straight, you’re saying you need to connect to Tor via a bridge in order to run a vpn daemon in the workstation then use that with an Anbox installed app?

Well this isn’t emulated either. Maybe you need to increase VM resources for a better experience.

No. I don’t mean tor bridges. I mean when you use Anbox in combination with Whonix-Workstation, I need to connect to a “bridge” (such as SSL-tunnel or built-it “bridge” in android VPN app such as “bridge” functionality in RiseupVPN Android app) in order to make VPN work, otherwise it will drop connection after every 60 seconds because of “ping-restart” on VPN provider server-side.

The idea is that I cannot connect to OpenVPN server after TOR (when I say tor I mean Whonix-Workstation) because every 60 seconds it drops the connection. I don’t know how to fix this issue. OpenVPN providers don’t want to get rid of “ping-restart” option. So we need to read OpenVPN documentation to find out how we can deal with OpenVPN in combination with Whonix.

No. It doesn’t work that way. There are no Linux kernel module such as VirtualBox guest additions for Android-X86 guest. That’s why it’s extremely slow.

Have you tired to connect to the VPN using a Linux desktop client on the workstation instead of doing it from inside Anbox?

Whonix specific part:

Quote https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN

User → Tor → VPN → Internet

Note that UDP-style VPN connections are incompatible with Tor; the VPN must be configured to use TCP. [13] To do that, add proto tcp to the VPN configuration file /etc/openvpn/openvpn.conf . Most, but not all VPN providers support this configuration.

At time of writing… Quote https://www.whonix.org/wiki/Anbox

Disabling Whonix-Workstation ™ Firewall is unfortunately required. Otherwise there would be no network access. [5]

This is because Anbox comes with its own bridged network. Whitelisted that interface in Whonix-Workstation ™ firewall is undocumented and might require source code modifications. Patches are Welcome.

Therefore a VPN inside the workstation cannot Use a Fail Closed Mechanism.


Probably Whonix unspecific part:

VPN inside Anbox might not be possible due to how Anbox is technically implemented. Even if it did work, there might be leaks. I.e. you might think it is using the VPN but it actually is not. Without any tests / statements by either the Anbox developers and/or VPN software developers or own leak testing, I discourage to rely on it.

I suggest scratch Whonix from the equation during experimentation / research. The same issue of non-functional VPN inside Anbox would quite possibly also happen when using Anbox on top of Debian buster. Therefore, I suggest to sort this out as per:
https://www.whonix.org/wiki/Free_Support_Principle

My experience: in general, it’s hard to use Android (Anbox) on top of Whonix because some proprietary Android apps use bad mechanisms such as SafetyNet and Wi-Fi detection. Some of apps tell that there is no Internet connection and some of apps don’t work on Anbox because they detect that it’s an “emulator” and not a certified device. So, Google is winning. That’s sad.

But anyway, you CAN use Android (Anbox) on Whonix if you use free and open source apps from F-Droid, as they don’t use Google mechanisms at all. Also, if you need to install some proprietary apps (sorry, mr. Stallman), you CAN install microG, which is Google Play Services open source re-implementation, and use them. The only thing is that if an app uses SafetyNet features, or Wi-Fi/mobile data detection, then you have no chance.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]