Integrate Anbox into Whonix-Workstation

Hello. I have a suggestion. Nowadays there is no life without android apps. More and more services are provided only through Android apps not web-sites. And Anbox is the only stable working solution to run Android apps natively using current linux kernel. I know that there is an instruction how to install Anbox into Workstation but it is required to disable Whonix firewall. It is not a safe way. Is there a way to integrate Anbox into Whonix-Workstation environment without decreasing a security? I’d really like Anbox to be preinstalled natively in Whonix.
Hope you understand me. Thank you.

Realistically, for users: no

Unrealistically: someone with deep pockets could bring the anbox project (fork) back to life.

Also Free Support for Whonix ™ applies.

Thank you. So what are the practical not theoretical risks of disabling a firewall for using Anbox on Whonix-Workstation? If IP leak is impossible because of routing all traffic through a Gateway, then what are the real risks of disabling firewall on Workstation? Only social engineering based on leaked fingerprints and metadata such as screen size, OS type, language etc?

The purpose of Whonix-Workstation firewall is documented here:

Whonix-Workstation Firewall - Whonix (which links to:)

whonix-firewall/man/whonix_firewall.8.ronn at master · Whonix/whonix-firewall · GitHub


The main risk maybe isn’t even disabling Whonix-Workstation firewall but that anbox is very outdated, i.e. possibly containing public known security issues. (And also doesn’t include any of the Android security model.)

Thank you. Is there another way to run android apps on Whonix? Such as Chromium or even Android x86 project through Whonix-Gateway?

Is there another way to run android apps in Debian?
That would be the perfect question according to the Self Support First Policy for Whonix.

Whonix ™-Android-Workstation

Thank you.

I would not recommend Anbox or Android-x86 at all. They both disable the majority of the security model and are outdated.

Where did you see that? I don’t remember that using Anbox on Workstation required disabling Whonix firewall. But I might be mistaken, it was a long time ago.

What firewall? The one in the workstation is not essential for how Whonix functions.

It can never be natively installed because it requires a third party Android x86 ROM (which isn’t GPG signed) that includes non free Google Apps - which are illegal to redistribute according to Google.

Compatibility rather than security is probably the main concern here. No one will ever claim that running .exe turds in wine is a security booster either.

That’s not the same. Anbox advertises itself as secure when it’s the opposite.

https://anbox.io/

Secure

Anbox puts Android apps into a tightly sealed box without direct access to hardware or your data.

Wine doesn’t do this.

Anbox - Run Android Applications and Games

Anbox doesn’t ship Google Apps (or other nonfree as far as I know). Therefore F-Droid installation is mentioned:
Anbox - Run Android Applications and Games

Right.

At least Whonix website won’t claim that is an excellent idea before/if anbox makes major progress. Already mentions:

Anbox release is already very old. Might be bad for security.

I think I may have confused Android x86 with the image that Anbox provides. I am sure the former did have the stuff out of the box.

There are guides to install gapps on Anbox so this implies it is not a default.

I need to up this topic. Android apps are really required nowadays so there are only two ways to browse them anonymously: using native Android device with Orbot with/without OpenVPN or using Anbox on top of Whonix-Workstation. Android-x86 doesn’t fit at all because it’s extremely slow in a virtual machine. Anbox is a container not an emulator that’s why it’s the best way.

I could make Google Play Services work in an open-source way: you need to install microG services, they are open-source re-implementation of proprietary Google Play Services provided by Google.

But I have a problem: I cannot connect to a VPN on Anbox without bridges. There are only two open-source Android apps in F-Droid for VPN on Android: Calyx VPN and Riseup VPN. Riseup VPN has a bridges function and Calyx hasn’t. I cannot connect to a VPN on Anbox on top of Whonix because when I do this, every 60 seconds the connection is dropped because of ‘ping-restart’ on the server side. Only using bridges solves the problem. So, the question is: how to make a VPN as an Android app work with Anbox on top of Whonix-Workstation without using bridges? I’m tired of ‘ping-restart’. Thank you.

Let me get this straight, you’re saying you need to connect to Tor via a bridge in order to run a vpn daemon in the workstation then use that with an Anbox installed app?

Well this isn’t emulated either. Maybe you need to increase VM resources for a better experience.

No. I don’t mean Tor bridges. I mean when you use Anbox in combination with Whonix-Workstation, I need to connect to a “bridge” (such as an SSL tunnel or a built-in “bridge” in an Android VPN app, such as the “bridge” functionality in the RiseupVPN Android app) in order to make the VPN work, otherwise it will drop the connection every 60 seconds because of “ping-restart” on the VPN provider’s server side.

The idea is that I cannot connect to OpenVPN server after TOR (when I say tor I mean Whonix-Workstation) because every 60 seconds it drops the connection. I don’t know how to fix this issue. OpenVPN providers don’t want to get rid of “ping-restart” option. So we need to read OpenVPN documentation to find out how we can deal with OpenVPN in combination with Whonix.

No. It doesn’t work that way. There are no Linux kernel module such as VirtualBox guest additions for Android-X86 guest. That’s why it’s extremely slow.

Have you tried to connect to the VPN using a Linux desktop client on the workstation instead of doing it from inside Anbox?

Whonix specific part:

Quote Connecting to Tor before a VPN

User → Tor → VPN → Internet

Note that UDP-style VPN connections are incompatible with Tor; the VPN must be configured to use TCP. [13] To do that, add proto tcp to the VPN configuration file /etc/openvpn/openvpn.conf . Most, but not all VPN providers support this configuration.

At time of writing… Quote Anbox - Run Android Applications and Games

Disabling Whonix-Workstation ™ Firewall is unfortunately required. Otherwise there would be no network access. [5]

This is because Anbox comes with its own bridged network. Whitelisting that interface in the Whonix-Workstation ™ firewall is undocumented and might require source code modifications. Patches are Welcome.

Therefore a VPN inside the workstation cannot Use a Fail Closed Mechanism.


Probably Whonix unspecific part:

VPN inside Anbox might not be possible due to how Anbox is technically implemented. Even if it did work, there might be leaks. I.e. you might think it is using the VPN but it actually is not. Without any tests / statements by either the Anbox developers and/or VPN software developers or own leak testing, I discourage to rely on it.

I suggest scratching Whonix from the equation during experimentation / research. The same issue of a non-functional VPN inside Anbox would quite possibly also happen when using Anbox on top of Debian buster. Therefore, I suggest sorting this out as per:
Self Support First Policy for Whonix
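The quoted documentation above says a VPN chained after Tor must use TCP, and the thread's symptom is a drop every 60 seconds from the server's ping-restart. The following is an added example (not Whonix or OpenVPN project code) that reads an OpenVPN client config, reports which `remote` entries would actually be reached over UDP (OpenVPN defaults to UDP when no `proto` directive is present, and a `remote` line may carry its own protocol as a third argument), reports the locally configured ping-restart timeout, and rewrites UDP protocols to TCP. The sample config is constructed; `vpn.example.invalid` is a placeholder. A value pushed by the server (such as ping-restart) is not visible in the client file, so the report only shows what the local config sets.

```python
"""Check an OpenVPN client config for Tor-chaining compatibility.

Added example for the thread above; not Whonix or OpenVPN project code.
The sample config below is constructed for demonstration.
"""

DEFAULT_PROTO = "udp"  # OpenVPN's default when no 'proto' directive is given

# Constructed sample: a typical provider config that defaults to UDP and
# offers one TCP fallback remote.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote vpn.example.invalid 443 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
; keepalive n m expands locally to 'ping n' and 'ping-restart m'
keepalive 10 60
verb 3
"""


def parse_config(text):
    """Return (directive, args) tuples; lines starting with # or ; are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def is_udp(proto):
    """True for udp, udp4, udp6."""
    return proto.lower().startswith("udp")


def effective_remotes(entries):
    """Return (host, port, proto) for each 'remote', resolving the protocol
    from the remote line itself or, failing that, the global 'proto'."""
    global_proto = DEFAULT_PROTO
    for directive, args in entries:
        if directive == "proto" and args:
            global_proto = args[0]
    remotes = []
    for directive, args in entries:
        if directive == "remote" and args:
            host = args[0]
            port = args[1] if len(args) > 1 else "1194"
            proto = args[2] if len(args) > 2 else global_proto
            remotes.append((host, port, proto))
    return remotes


def tor_compat_report(text):
    """Summarise which remotes use UDP (incompatible with Tor) and the
    locally configured ping-restart timeout, if any."""
    entries = parse_config(text)
    remotes = effective_remotes(entries)
    udp_remotes = [r for r in remotes if is_udp(r[2])]
    tcp_remotes = [r for r in remotes if not is_udp(r[2])]
    ping_restart = None
    for directive, args in entries:
        if directive == "keepalive" and len(args) >= 2:
            ping_restart = int(args[1])
        elif directive == "ping-restart" and args:
            ping_restart = int(args[0])
    return {
        "udp_remotes": udp_remotes,
        "tcp_remotes": tcp_remotes,
        "ping_restart": ping_restart,
        # Usable after Tor only if every remote is reached over TCP.
        "tor_compatible": bool(tcp_remotes) and not udp_remotes,
    }


def rewrite_for_tcp(text):
    """Return the config with every UDP protocol switched to its TCP
    counterpart (udp->tcp, udp4->tcp4, udp6->tcp6), adding 'proto tcp'
    when the file had no 'proto' line. All other lines pass through."""
    out = []
    saw_proto = False
    for raw in text.splitlines():
        parts = raw.strip().split()
        if parts and parts[0].lower() == "proto" and len(parts) > 1:
            saw_proto = True
            if is_udp(parts[1]):
                parts[1] = "tcp" + parts[1][3:]
            out.append(" ".join(parts))
        elif parts and parts[0].lower() == "remote" and len(parts) > 3 and is_udp(parts[3]):
            parts[3] = "tcp" + parts[3][3:]
            out.append(" ".join(parts))
        else:
            out.append(raw)
    if not saw_proto:
        out.insert(0, "proto tcp")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = tor_compat_report(SAMPLE_CONFIG)
    print("before:", before)
    after = tor_compat_report(rewrite_for_tcp(SAMPLE_CONFIG))
    print("after: ", after)
```

Run it against a provider's `.ovpn` file to see whether any remote would still be reached over UDP before testing the tunnel through Whonix; the rewrite only flips protocols, so the provider must actually listen on TCP for the chosen port, which the quoted documentation notes most but not all providers do.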

My experience: in general, it’s hard to use Android (Anbox) on top of Whonix because some proprietary Android apps use bad mechanisms such as SafetyNet and Wi-Fi detection. Some apps say that there is no Internet connection and some apps don’t work on Anbox because they detect that it’s an “emulator” and not a certified device. So, Google is winning. That’s sad.

But anyway, you CAN use Android (Anbox) on Whonix if you use free and open source apps from F-Droid, as they don’t use Google mechanisms at all. Also, if you need to install some proprietary apps (sorry, mr. Stallman), you CAN install microG, which is Google Play Services open source re-implementation, and use them. The only thing is that if an app uses SafetyNet features, or Wi-Fi/mobile data detection, then you have no chance.