Integrate Anbox into Whonix-Workstation

I would not recommend Anbox or Android-x86 at all. They both disable the majority of the security model and are outdated.

Where did you see that? I don’t remember that using Anbox on Workstation required disabling Whonix firewall. But I might be mistaken, it was a long time ago.

What firewall? The one in the workstation is not essential for how Whonix functions.

It can never be natively installed because it requires a third-party Android x86 ROM (which isn't GPG signed) that includes non-free Google Apps - which are illegal to redistribute according to Google.

Compatibility rather than security is probably the main concern here. No one will ever claim that running .exe turds in wine is a security booster either.

That’s not the same. Anbox advertises itself as secure when it’s the opposite.

https://anbox.io/

Secure

Anbox puts Android apps into a tightly sealed box without direct access to hardware or your data.

Wine doesn’t do this.


Anbox doesn’t ship Google Apps (or other nonfree as far as I know). Therefore F-Droid installation is mentioned:
Anbox - Run Android Applications and Games

Right.

At least the Whonix website won't claim that it is an excellent idea before/if Anbox makes major progress. It already mentions:

Anbox release is already very old. Might be bad for security.

I think I may have confused Android x86 with the image that Anbox provides. I am sure the former did have the stuff out of the box.

There are guides to install gapps on Anbox so this implies it is not a default.

I need to up this topic. Android apps are really required nowadays, so there are only two ways to browse them anonymously: using a native Android device with Orbot with/without OpenVPN, or using Anbox on top of Whonix-Workstation. Android-x86 doesn't fit at all because it's extremely slow in a virtual machine. Anbox is a container, not an emulator; that's why it's the best way.

I could make Google Play Services work in an open-source way: you need to install microG services, which are an open-source re-implementation of the proprietary Google Play Services provided by Google.

But I have a problem: I cannot connect to a VPN on Anbox without bridges. There are only two open-source Android apps in F-Droid for VPN on Android: Calyx VPN and Riseup VPN. Riseup VPN has a bridges function and Calyx doesn't. I cannot connect to a VPN on Anbox on top of Whonix because when I do this, every 60 seconds the connection is dropped because of 'ping-restart' on the server side. Only using bridges solves the problem. So, the question is: how to make a VPN as an Android app work with Anbox on top of Whonix-Workstation without using bridges? I'm tired of 'ping-restart'. Thank you.

Let me get this straight, you’re saying you need to connect to Tor via a bridge in order to run a vpn daemon in the workstation then use that with an Anbox installed app?

Well this isn’t emulated either. Maybe you need to increase VM resources for a better experience.

No. I don't mean Tor bridges. I mean that when you use Anbox in combination with Whonix-Workstation, I need to connect to a "bridge" (such as an SSL tunnel or a built-in "bridge" in an Android VPN app, such as the "bridge" functionality in the RiseupVPN Android app) in order to make the VPN work, otherwise it will drop the connection every 60 seconds because of "ping-restart" on the VPN provider's server side.

The idea is that I cannot connect to an OpenVPN server after Tor (when I say Tor I mean Whonix-Workstation) because every 60 seconds it drops the connection. I don't know how to fix this issue. OpenVPN providers don't want to get rid of the "ping-restart" option. So we need to read the OpenVPN documentation to find out how we can deal with OpenVPN in combination with Whonix.

No. It doesn't work that way. There is no Linux kernel module such as the VirtualBox Guest Additions for the Android-x86 guest. That's why it's extremely slow.

Have you tried to connect to the VPN using a Linux desktop client on the workstation instead of doing it from inside Anbox?

Whonix specific part:

Quote Connecting to Tor before a VPN

User → Tor → VPN → Internet

Note that UDP-style VPN connections are incompatible with Tor; the VPN must be configured to use TCP. [13] To do that, add proto tcp to the VPN configuration file /etc/openvpn/openvpn.conf . Most, but not all VPN providers support this configuration.

At time of writing… Quote Anbox - Run Android Applications and Games

Disabling Whonix-Workstation ™ Firewall is unfortunately required. Otherwise there would be no network access. [5]

This is because Anbox comes with its own bridged network. Whitelisting that interface in the Whonix-Workstation ™ firewall is undocumented and might require source code modifications. Patches are welcome.

Therefore a VPN inside the workstation cannot Use a Fail Closed Mechanism.


Probably Whonix unspecific part:

A VPN inside Anbox might not be possible due to how Anbox is technically implemented. Even if it did work, there might be leaks. I.e. you might think it is using the VPN but it actually is not. Without any tests / statements by either the Anbox developers and/or the VPN software developers, or your own leak testing, I discourage relying on it.

I suggest scratching Whonix from the equation during experimentation / research. The same issue of a non-functional VPN inside Anbox would quite possibly also happen when using Anbox on top of Debian buster. Therefore, I suggest sorting this out as per:
Self Support First Policy for Whonix
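The quoted wiki text asks for `proto tcp` in the OpenVPN client config because Tor only carries TCP streams. The script below is an added example, not code from the Whonix wiki or from anyone in this thread: it reports the effective transport protocol of every `remote` in an OpenVPN client config and fails if any of them is not TCP. It assumes a flat config file (no `<connection>` blocks) and that, as OpenVPN documents, a missing `proto` means UDP and a protocol given on a `remote` line applies to that remote. The sample configs are constructed for the example and use no real provider.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki or this thread): check an OpenVPN
# client config for the one requirement that matters behind Tor, namely that
# every remote is reached over TCP. Assumes a flat config without
# <connection> blocks; sample configs below are constructed.

# Print "host proto" for every "remote" line in the config given as $1.
# OpenVPN defaults to udp, a later "proto" line overrides an earlier one,
# and a proto argument on a "remote" line applies to that remote only.
ovpn_remote_protos() {
    sed -e 's/[#;].*$//' "$1" | awk '
        $1 == "proto"  { global = $2 }
        $1 == "remote" { n++; host[n] = $2; own[n] = (NF >= 4) ? $4 : "" }
        END {
            if (global == "") global = "udp"
            for (i = 1; i <= n; i++)
                print host[i], (own[i] != "" ? own[i] : global)
        }'
}

# Return 0 when every remote uses tcp/tcp-client/tcp4/tcp6, 1 otherwise.
ovpn_tor_compatible() {
    bad=$(ovpn_remote_protos "$1" | awk '$2 !~ /^tcp/ { print }')
    if [ -n "$bad" ]; then
        printf 'NOT Tor-compatible, non-TCP remotes:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs (hypothetical hostnames).
tmpdir=$(mktemp -d)

# Typical provider default: no per-remote proto, global proto udp.
cat > "$tmpdir/weak.ovpn" <<'EOF'
client
dev tun
remote vpn.example.net 1194
proto udp
EOF

# The corrected form from the wiki text: "add proto tcp".
cat > "$tmpdir/fixed.ovpn" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.net 443
remote vpn2.example.net 443 tcp-client
EOF

# Looks fixed at first glance, but one remote still overrides to udp.
cat > "$tmpdir/mixed.ovpn" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.net 443
remote vpn3.example.net 1194 udp
EOF

# Usage: ovpn_tor_compatible /etc/openvpn/openvpn.conf && echo ok
```

Run it against the provider's real `.ovpn` before starting the daemon in the workstation; a config that fails the check will never connect through Tor, regardless of any `ping-restart` setting on the server side.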

My experience: in general, it's hard to use Android (Anbox) on top of Whonix because some proprietary Android apps use bad mechanisms such as SafetyNet and Wi-Fi detection. Some apps say that there is no Internet connection, and some apps don't work on Anbox because they detect that it's an "emulator" and not a certified device. So, Google is winning. That's sad.

But anyway, you CAN use Android (Anbox) on Whonix if you use free and open-source apps from F-Droid, as they don't use Google mechanisms at all. Also, if you need to install some proprietary apps (sorry, Mr. Stallman), you CAN install microG, which is an open-source re-implementation of Google Play Services, and use them. The only thing is that if an app uses SafetyNet features, or Wi-Fi/mobile data detection, then you have no chance.

There’s always decompiling, changing the behavior and compiling back

So, finally, I’m going to combine using Anbox inside Whonix-Workstation and Android x86 Workstation.

Android x86 provide some extra features that Anbox does not provide. In general, advantages and disadvantages of Anbox and Android x86 Workstation are the following.

Anbox. Advantages:

  • No emulation needed, run Android apps in a native Whonix-Workstation environment
  • Android apps run faster
  • You can use adb easily to install/remove apps and to push/pull files from/to the Anbox environment

Anbox. Disadvantages:

  • Anbox doesn't provide a virtual Wi-Fi (wlan) interface, so some apps won't see the Internet connection.
  • Anbox doesn't have any type of bootloader and ramdisk, so you won't be able to install Magisk or some kind of recovery, which is probably needed to do some operations like hiding root from apps (Magisk Hide) and so on

These two disadvantages are very critical.

So, Android x86 Workstation advantages are the following:

  • Full Android stack implemented, as Android x86 is a full OS which requires hardware virtualization (unlike Anbox)
  • Android x86 provides a virtual Wi-Fi interface (wlan0), so apps think that a real Wi-Fi connection is established (Anbox uses a bridge network interface)
  • You can install any version of Android from 4.x to 9.x (Anbox provides only Nougat)
  • You CAN use Magisk to achieve root permissions and hide root from apps on Android x86, as some geeks succeeded in installing it on Android x86 !!!

Android x86 Workstation disadvantages:

  • Less secure (maybe) as you don't work with Whonix-Workstation (but I could solve a 7-year issue with static IP connection on Android x86 Workstation)
  • Slower speed as Android x86 doesn't provide any type of Guest Additions, so no graphics card drivers are supported
  • You cannot use adb because no connection between Whonix-Workstation and Android x86 is established (but maybe you can run an ssh server on Whonix-Workstation and connect your Android x86 through Termux or something like that)

Great work @helpmeplzz. Consider pasting this info on our wiki (don't worry about formatting for now) so it can help others.


Unfortunately, I don't have a lot of free time, but I can try to add it to the wiki. How can I do that? Do I need any permissions to add info to the wiki?

So, now I have new research results working with Android x86 Workstation. I found out that you CAN establish an adb connection with Android x86 the same way as you can do it with Anbox. You should start Whonix-Workstation and type

    adb connect 10.152.152.11

(assuming 10.152.152.11 is the IP address of the Android x86 Workstation) in order to connect Android x86 with the Whonix-Workstation machine. Then, you can type

    adb shell

and so on to start debugging.
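One caveat with `adb connect` over the internal network, as an added example rather than anything from the post above: `adb connect` returning "connected" only means a TCP session to port 5555 was opened. `adb devices` can still list the target as `offline` or `unauthorized` (the debugging prompt on the Android side not yet accepted), and an `adb install` or `adb push` issued at that point fails or hangs. The helper below parses the `adb devices` listing for the target's state and only proceeds once it reads `device`. The target `10.152.152.11:5555` is taken from the post; the sample `adb devices` output is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Wait until an adb-over-TCP target is
# really usable instead of trusting "adb connect" alone.
# Target address is the one assumed in the post above (port 5555 is the
# default adb TCP port); override with ADB_TARGET=host:port.

ADB_TARGET="${ADB_TARGET:-10.152.152.11:5555}"

# adb_state DEVICES_OUTPUT TARGET
# Given the text printed by "adb devices", print the state adb reports for
# TARGET ("device", "offline", "unauthorized", ...) or "absent" if it is not
# listed at all. Pure text processing, so it can be checked offline.
adb_state() {
    printf '%s\n' "$1" | awk -v t="$2" '
        $1 == t { print $2; found = 1 }
        END     { if (!found) print "absent" }'
}

# adb_ready [ATTEMPTS]
# Connect to $ADB_TARGET and poll "adb devices" until the target is in state
# "device" (default: 10 attempts, one second apart). Returns 1 otherwise.
adb_ready() {
    attempts="${1:-10}"
    adb connect "$ADB_TARGET" >/dev/null 2>&1 || return 1
    i=0
    state=unknown
    while [ "$i" -lt "$attempts" ]; do
        state=$(adb_state "$(adb devices)" "$ADB_TARGET")
        case "$state" in
            device)       return 0 ;;
            unauthorized) echo "accept the debugging prompt inside Android" >&2 ;;
        esac
        i=$((i + 1))
        sleep 1
    done
    echo "adb target $ADB_TARGET not ready (last state: $state)" >&2
    return 1
}

# Constructed sample of "adb devices" output: the x86 guest has been
# connected to but is not usable yet, while a local emulator is.
sample_devices='List of devices attached
10.152.152.11:5555	offline
emulator-5558	device'

# Usage (not run here; needs adb and the guest):
#   adb_ready && adb -s "$ADB_TARGET" install app.apk
#   adb_ready && adb -s "$ADB_TARGET" push file.txt /sdcard/
```

`adb_ready` is the gate; `adb_state` is separated out so the parsing can be exercised without a guest, which is also how the constructed sample is checked.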

The biggest problem with Android x86 right now is passing SafetyNet by Google. As you may know, Android consists of two parts:

  1. The Android system itself (Android Open Source Project)
  2. Proprietary software called Google Play Services

Generally, there are two scenarios of working with Android system:

  1. Executing only free software from F-Droid store or building it from sources (recommended)
  2. Executing non-free software (apps from Google Play Store) something like WhatsApp, Viber, Tinder and so on

If you are going to run only free apps, then you don't need Google Play Services at all, as all apps from F-Droid are built without needing Google Play Services. But if you need to run proprietary apps, it can be a problem for you, as some of them use the Google Play Services mechanism.

Generally, Google Play Services consists of two important parts:

  1. GCM (Google Cloud Messages)
  2. SafetyNet

GCM is used by 70-80% of proprietary apps from the Google Play Store, as these apps use a proprietary mechanism for delivering push notifications from Google servers. It is not hard to enable GCM support both for Android x86 and Anbox. Android x86 comes with built-in Google Play Services, so GCM is enabled by default. With Anbox, you can install either the proprietary Google Play Services (OpenGAPPS) or the open-source implementation of Google Play Services called Micro-G.

But SafetyNet is a nightmare. It is the mechanism which verifies the integrity of the device. If a device is not certified by Google, then you cannot run the app on Android x86 or Anbox, as they are not certified (and will never be) by Google. I cannot find any way to pass SafetyNet on either Android x86 or Anbox. SafetyNet is used by 30-50% of Google Play Store apps. A lot of banking apps, social network apps such as Tinder, and other apps such as Pokemon Go use the SafetyNet mechanism.

Generally, there are two Google Play Services implementations:

  1. Proprietary Google Play Services
  2. Open-source Micro-G

The open-source one is better, as it takes only 50 MiB of memory (the proprietary one needs 500 MiB) and Micro-G allows the user to control which apps can be used with GCM. Moreover, Micro-G allows the user to manually register/unregister the device in the Google Cloud Messages system. But Micro-G doesn't have a working SafetyNet implementation, as it has been broken by Google in 2019. So, Google is our main enemy for now :rage:

So, I think this info should be added to the wiki.

I am writing about Android on the Whonix wiki right now. Please accept my changes. I also suggest uniting the articles about Anbox
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Anbox
and
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Other_Operating_Systems#Whonix_.E2.84.A2-Android-Workstation

into one Android wiki page in the Whonix wiki. Thank you!


Therefore closing.