
Integrate Anbox into Whonix-Workstation

Hello. I have a suggestion. Nowadays there is no life without Android apps. More and more services are provided only through Android apps, not websites. And Anbox is the only stable working solution to run Android apps natively using the current Linux kernel. I know that there are instructions on how to install Anbox into Workstation, but it is required to disable the Whonix firewall. It is not a safe way. Is there a way to integrate Anbox into the Whonix-Workstation environment without decreasing security? I’d really like Anbox to be preinstalled natively in Whonix.
Hope you understand me. Thank you.

Realistically, for users: no

Unrealistically: someone with deep pockets could bring the Anbox project (fork) back to life.

Also https://www.whonix.org/wiki/Free_Support_Principle applies.

Thank you. So what are the practical not theoretical risks of disabling a firewall for using Anbox on Whonix-Workstation? If IP leak is impossible because of routing all traffic through a Gateway, then what are the real risks of disabling firewall on Workstation? Only social engineering based on leaked fingerprints and metadata such as screen size, OS type, language etc?

The purpose of Whonix-Workstation firewall is documented here:

https://www.whonix.org/wiki/Whonix-Workstation_Firewall#Purpose (which links to:)

https://github.com/Whonix/whonix-firewall/blob/master/man/whonix_firewall.8.ronn#whonix-workstation-firewall-design-notes


The main risk maybe isn’t even disabling Whonix-Workstation firewall but that Anbox is very outdated, i.e. possibly containing publicly known security issues. (And also doesn’t include any of the Android security model.)

Thank you. Is there another way to run android apps on Whonix? Such as Chromium or even Android x86 project through Whonix-Gateway?

Is there another way to run android apps in Debian?
That would be the perfect question according to https://www.whonix.org/wiki/Free_Support_Principle

Whonix ™-Android-Workstation

Thank you.

I would not recommend Anbox or Android-x86 at all. They both disable the majority of the security model and are outdated.

Where did you see that? I don’t remember that using Anbox on Workstation required disabling Whonix firewall. But I might be mistaken, it was a long time ago.

What firewall? The one in the workstation is not essential for how Whonix functions.

It can never be natively installed because it requires a third party Android x86 ROM (which isn’t GPG signed) that includes non free Google Apps - which are illegal to redistribute according to Google.

Compatibility rather than security is probably the main concern here. No one will ever claim that running .exe turds in wine is a security booster either.

That’s not the same. Anbox advertises itself as secure when it’s the opposite.

https://anbox.io/

Secure

Anbox puts Android apps into a tightly sealed box without direct access to hardware or your data.

Wine doesn’t do this.

https://www.whonix.org/wiki/Anbox#Whonix_Configuration

Anbox doesn’t ship Google Apps (or other nonfree as far as I know). Therefore F-Droid installation is mentioned:
https://www.whonix.org/wiki/Anbox#F-Droid

Right.

At least Whonix website won’t claim that is an excellent idea before/if anbox makes major progress. Already mentions:

Anbox release is already very old. Might be bad for security.

I think I may have confused Android x86 with the image that Anbox provides. I am sure the former did have the stuff out of the box.

There are guides to install gapps on Anbox so this implies it is not a default.

I need to up this topic. Android apps are really required nowadays so there are only two ways to browse them anonymously: using native Android device with Orbot with/without OpenVPN or using Anbox on top of Whonix-Workstation. Android-x86 doesn’t fit at all because it’s extremely slow in a virtual machine. Anbox is a container not an emulator that’s why it’s the best way.

I could make Google Play Services work in an open-source way: you need to install microG services, they are open-source re-implementation of proprietary Google Play Services provided by Google.

But I have a problem: I cannot connect to VPN on Anbox without bridges. There are only two open-source Android apps in F-Droid for VPN on Android: Calyx VPN and Riseup VPN. Riseup VPN has a bridges function and Calyx hasn’t. I cannot connect to VPN on Anbox on top of Whonix because when I do this, every 60 seconds the connection is dropped because of ‘ping-restart’ on the server side. Only using bridges solves the problem. So, the question is: how to make VPN as an Android app work with Anbox on top of Whonix-Workstation without using bridges? I’m tired of ‘ping-restart’. Thank you.

Let me get this straight, you’re saying you need to connect to Tor via a bridge in order to run a vpn daemon in the workstation then use that with an Anbox installed app?

Well this isn’t emulated either. Maybe you need to increase VM resources for a better experience.

No. I don’t mean Tor bridges. I mean when you use Anbox in combination with Whonix-Workstation, I need to connect to a “bridge” (such as an SSL tunnel or the built-in “bridge” in an Android VPN app, such as the “bridge” functionality in the RiseupVPN Android app) in order to make VPN work, otherwise it will drop the connection after every 60 seconds because of “ping-restart” on the VPN provider server side.

The idea is that I cannot connect to OpenVPN server after TOR (when I say tor I mean Whonix-Workstation) because every 60 seconds it drops the connection. I don’t know how to fix this issue. OpenVPN providers don’t want to get rid of “ping-restart” option. So we need to read OpenVPN documentation to find out how we can deal with OpenVPN in combination with Whonix.

No. It doesn’t work that way. There is no Linux kernel module such as VirtualBox guest additions for Android-X86 guest. That’s why it’s extremely slow.
