Running Android Apps inside Whonix-Workstation - Anbox - Proof of concept

Why?

It may be the easiest way to get a functional asynchronous IM app that has E2E encryption.

gpg --recv-key 37D2C98789D8311948394E3E41E7044E1DBA2E89

scurl-download FDroid.apk https://f-droid.org/FDroid.apk
scurl-download FDroid.apk.asc https://f-droid.org/FDroid.apk.asc
gpg -v FDroid.apk.asc

sudo apt-get install anbox adb

adb install FDroid.apk

An Adnroid x86 image turns out to be needed at a certain location
scurl-download android_amd64.img https://build.anbox.io/android-images/2018/07/19/android_amd64.img

scurl-download android.img.sha256sum https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

Not signed but hashed. Server uses Let’s Encrypt which is better than nothing.

sha256sum android_amd64.img
cat android_amd64.img.sha256sum

sudo mv /home/user/android_amd64.img /var/lib/anbox/android.img

sudo modprobe ashmem_linux
sudo modprobe binder_linux
sudo service anbox-container-manager start

anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

Process stumbles at adb apk install step. Anbox doesn’t appear under the adb devices list. Launching it manually, a window opens and then it crashes.

Other problems:
FDroid apk signing key still uses SHA1 despite a SHATTERED 2 attack published recently. Someone needs to let them know. They already had a forum topic about it two years ago but it never went anywhere.

Some related bug reports.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917516

https://linuxconfig.org/how-to-install-anbox-and-run-android-apps-in-linux#h4-3-install-the-app

https://www.2daygeek.com/anbox-best-android-emulator-for-linux/

A post was split to a new topic: Why Should Whonix should support or be interested in Android ?

I used chromium in Whonix workstation when I needed to run a certain app. Can be installed with apt. Worked well. Sure, not ideal, but I didn’t see any better option to use that app, and that was neccessary.

How does chromium help to run android apps?

Not a general solution for android apps. Specifically for those that have a chrome app version.

https://developer.chrome.com/apps/about_apps

Done.

I’m not a technical user so there is not much I can do to contribute to topics such as this. However, if there is anything I can do to help, please let me know.

I tried using anbox in combination with Debian, but I downloaded it via snap. I’m not sure how recent the anbox package in the Debian repositories actually is, but I had the same quoted error multiple times.

If you search for the quoted part, a lot of topics will come up, but I can’t remember how I solved it myself back then.

I think if you start anbox in a certain way or a certain component of it directly from the command line, it should be more verbose and tell you what exactly makes it crash or return something that will lead you to a fix after searching for the reported error.

May I ask a question?

I estimated the RAM usage of a minimalist graphical base Linux OS to maybe be around 200-300 MB, the Whonix-Gateway could be run with 256 MB in CLI mode and the Whonix-Workstation itself with a minimum of 768 MB in graphical mode.

Since I’m not familiar with virtualization and Whonix in detail, what would be your estimated absolute minimum RAM requirement for a working base Linux installation in combination with Whonix-Gateway and Whonix-Workstation with an anbox installation?

I’m guessing a gig of RAM is enough. Anbox doesn’t do emulation so it’s not resource intensive.

Funny thing, I tried installing anbox in Whonix-Workstation (both with snap and apt) lately and it always failed, though I don’t remember exactly why.
The only time it worked was with snap on Xubuntu 18.04 (torified by the Gateway).

I didn’t remember we even have this stub:

https://www.whonix.org/wiki/Anbox

Major progress was made. Manged to get Anbox working in Whonix 15 (Debian buster based). I have a “proof of concept” on my local disk.

Comes with a caveat (Whonix-Workstation firewall needs to be disabled). This is already documented and rationale added as footnote.

Instructions might work but I didn’t test yet if they actually do. See footnotes for steps which may or may not be required. Help getting it tested and fully documented welcome.

Fantastic since Android x86 comes bundled with Google’s spyware.

Bravo Patrick.

I went ahead and tested the OMEMO IM app “Conversations” and it works flawlessly.

Please add to documentation:

To share files between Whonix and Anbox apps without complicated mounting instructions run

lxsudo thunar

Browse to:

/var/lib/anbox/rootfs/data/media/0/

Files dropped in the Dowload directory are readily visible to apps within Anbox - useful for sending receiving files from Conversations.

Next up testing the installation of non-free apps without resorting to the Play store that requires a Gmail account which can’t be created anonymously.

It’s useful for those needing to use the spyware ridden apps without having to walk around with a non-free spydevice dedicated to running this crap. They can be safely quarantined in a VM routed over Tor.

A good source for this is the apkmirror site whose ploads are vetted. It depends if closed source companies provide x86 versions off their apps. How likely it is to work without the Google framework stuff depends. YMMV.

The Yalp store app in F-Droid which fetches apks from a generic account is unavailable for x86 apparently.

Waydroid is looking like a better maintained alternative:

Hi, I installed it, everything seems to have been done according to the manual, but anbox does not start.
Another question is how to disable/enable the firewall? what command is used to check whether the firewall is enabled/disabled?Do I need to disable firewalls in workstation or getway?