Anyone tried Anbox ('Android in a box') under Qubes

P R

Jul 17, 2017, 3:21:15 AM
to qubes...@googlegroups.com
Hello,

I'm interested in running Android as HVM within Qubes.
Has anyone tried to do so already with the code from the Anbox Project?

"(...) Anbox puts the Android operating system into a container, abstracts hardware access and integrates core system services into a GNU/Linux system. Every Android application will be integrated with your operating system like any other native application. (...)"

I haven't seen it yet, but having the application integrated with the OS sounds like what Qubes is doing with AppVMs to the user, so very user-friendly.

- PhR

Steve Coleman

Jul 18, 2017, 10:23:07 AM
to P R, qubes...@googlegroups.com

On 07/17/2017 03:21 AM, 'P R' via qubes-users wrote:
> Hello,
>
> I'm interested in running Android as HVM within Qubes.
> Has anyone tried to do so already with the code from the Anbox Project?
>
> https://anbox.io


Just did, and it only supports Ubuntu, LinuxMint, neon, elementary at
the moment. So the fedora-fcNN template/VMs won't work. It refuses to
install using snap.

> "(...) Anbox puts the Android operating system into a container,
> abstracts hardware access and integrates core system services into a
> GNU/Linux system. Every Android application will be integrated with your
> operating system like any other native application. (...)"

spta...@gmail.com

Jul 30, 2017, 1:03:57 AM
to qubes-users, p.rasc...@googlemail.com
Steve, when you tested the snap and it refused to install, was that on e.g. Debian AppVM or an Ubuntu HVM?

I think Anbox could be useful for a more user-friendly setup of a TOTP AppVM, since there don't seem to be any good TOTP desktop clients. With Anbox you could have a dedicated FreeOTP AppVM.

https://freeotp.github.io/

The current recommended setup is using a CLI tool (oathtool), with manual administration of accounts in text files. FreeOTP would offer a handier setup.

https://www.qubes-os.org/doc/multifactor-authentication/

You get a larger attack surface with FreeOTP on Anbox than with oathtool on a minimal Fedora, but the AppVM can still be network-isolated, so it doesn't seem very problematic.
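
As an added illustration (not part of the post above and not code from the Qubes documentation): the computation a CLI tool such as oathtool performs for TOTP, done offline with the Python standard library, together with a validating reader for an accounts text file. The `name secret` file format, the function names and the sample secret (the RFC 6238 test key) are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample file: the RFC 6238 SHA-1 test key, grouped as apps often show it.
SAMPLE_ACCOUNTS = """\
# name secret (assumed format, one account per line)
mail gezd gnbv gy3t qojq gezd gnbv gy3t qojq
"""

def totp(secret_b32, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 code for a base32 secret (what `oathtool --totp -b` prints)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # re-add stripped padding
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def parse_accounts(text):
    """Parse 'name secret' lines; skip blanks and comments, reject bad entries."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, secret = line.partition(" ")
        if not secret.strip():
            raise ValueError(f"line {lineno}: no secret for {name!r}")
        try:
            totp(secret, at=0)  # validates the base32 before it is stored
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad secret for {name!r}") from exc
        accounts[name] = secret
    return accounts

if __name__ == "__main__":
    # Needs only the local clock, so it works in a qube with no network.
    for name, secret in parse_accounts(SAMPLE_ACCOUNTS).items():
        print(name, totp(secret))
```

The codes depend on the qube's clock being within one time step of the server's, which is worth checking in a VM that never syncs over the network.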

pixel fairy

Jul 30, 2017, 8:48:32 AM
to qubes-users, p.rasc...@googlemail.com, spta...@gmail.com
Just tried on Ubuntu 17.04. It installed, but kept crashing, as it warned would happen. Don't think this is ready for end users yet.

Heinrich Ulbricht

Oct 15, 2019, 8:46:36 AM
to qubes-users
Two years later - did anybody try this again and succeed?

I tried installing it in a Debian 10 template VM (there is now apt install anbox!) but got stuck at the kernel modules as another person trying it here.

Andrew David Wong

Oct 15, 2019, 11:05:04 PM
to Heinrich Ulbricht, qubes-users
On 2019-10-15 7:46 AM, 'Heinrich Ulbricht' via qubes-users wrote:
> Two years later - did anybody try this again and succeed?
>
> I tried installing it in an Ubuntu 10 template VM (there is now *apt
> install anbox*!) but got stuck at the kernel modules as another person
> trying it here
> <https://groups.google.com/d/msg/qubes-users/10F_y5X9HDk/thlz-iSbBAAJ>.
>

Patrick just mentioned that he managed to run it inside Whonix-Workstation:

https://github.com/QubesOS/qubes-issues/issues/2233#issuecomment-541558115

>
> On Monday, July 17, 2017 at 9:21:15 AM UTC+2, P R wrote:
>>
>> Hello,
>>
>> I'm interested in running Android as HVM within Qubes.
>> Has anyone tried to do so already with the code from the Anbox Project?
>>
>> https://anbox.io
>> *"(...) Anbox puts the Android operating system into a container,
>> abstracts hardware access and integrates core system services into a
>> GNU/Linux system. Every Android application will be integrated with your
>> operating system like any other native application. (...)"*
>>
>> I haven't seen it yet, but having the application integrated with the OS
>> sounds like what Qubes is doing with AppVMs to the user, so very
>> user-friendly.
>>
>> - PhR
>>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Jin-oh Kang

Oct 16, 2019, 11:57:05 AM
to qubes-users
Sorry I might be out of touch, but can't you just install Android directly on your HVM without a container? Anbox is meant to run Android *without* a hypervisor like Xen which is the whole point of using Qubes. Anbox does allow you to run Android under PV/PVH but that sounds just as absurd. Plus if the Android system you're trying to emulate is ARM-based there's no advantage over running a plain Android emulator on QEMU.

If what you need is a QEMU build, then unfortunately the qemu package from upstream Fedora conflicts with the versions of the Xen libraries the guest VMs depend on. You can still try to e.g. force install qemu anyway and stub the xen libs away from it or build the RPMs from source.

Steve Coleman

Oct 16, 2019, 1:37:09 PM
to qubes-users
On 2019-10-16 11:57, Jin-oh Kang wrote:
> Sorry I might be out of touch, but can't you just install Android directly on your HVM without a container? Anbox is meant to run Android *without* a hypervisor like Xen which is the whole point of using Qubes. Anbox does allow you to run Android under PV/PVH but that sounds just as absurd. Plus if the Android system you're trying to emulate is ARM-based there's no advantage over running a plain Android emulator on QEMU.

There is an issue, at least with the Android-x86 distribution when used
under Xen, in that the Android installer can't even see the Qubes disk
space as to partition and install the android system. This is due to the
specific Xen driver support not being recognized by the Android
installer, so the fix required is not within Qubes. Likewise qemu isn't
going to work to resolve a missing system disk. As I see it, one can
either recompile Xen to provide a different disk type, or recompile the
Android-x86/installer to recognize a new disk type. The funny thing is
they used to work together before Xen changed how they did this
particular driver. I actually had one running under Qubes 3.0 but lost
it around the R3.1 time frame.

Anbox looks like it might be worth a shot if someone really wants to
work with android apps, and having a disassembler/debugger within the
same AppVM would be possible as well. At one point I was wanting to do
some security analysis of a few specific android apps in my free time,
but figuring out how to get Android to install again took way too
much of my time, and it just was not worth it.

At least with Anbox you are starting from a bootable system and simply
adding executables to it, so that is a much more reasonable approach
rather than perhaps recompiling Xen and causing all kinds of potential
issues with Qubes general security model. Since the Qube that Anbox runs
in is confined to just that AppVM it's still isolated from the rest of
the Qubes system and doesn't break that security model. I may just dust
off that old project and take another stab at it using Anbox when I find
some 'extra' time on my hands.




Jin-oh Kang

Oct 16, 2019, 1:55:42 PM
to qubes...@googlegroups.com
Oops, didn't CC the list...

On Thu, Oct 17, 2019, 02:37 Steve Coleman <Steve....@jhuapl.edu> wrote:
> On 2019-10-16 11:57, Jin-oh Kang wrote:
>> Sorry I might be out of touch, but can't you just install Android directly on your HVM without a container? Anbox is meant to run Android *without* a hypervisor like Xen which is the whole point of using Qubes. Anbox does allow you to run Android under PV/PVH but that sounds just as absurd. Plus if the Android system you're trying to emulate is ARM-based there's no advantage over running a plain Android emulator on QEMU.
>
> There is an issue, at least with the Android-x86 distribution when used
> under Xen, in that the Android installer can't even see the Qubes disk
> space as to partition and install the android system. This is due to the
> specific Xen driver support not being recognized by the Android
> installer, so the fix required is not within Qubes. Likewise qemu isn't
> going to work to resolve a missing system disk. As I see it, one can
> either recompile Xen to provide a different disk type, or recompile the
> Android-x86/installer to recognize a new disk type. The funny thing is
> they used to work together before Xen changed how they did this
> particular driver. I actually had one running under Qubes 3.0 but lost
> it around the R3.1 time frame.

Oh so it's just x86? Nice.

Qubes R4 is based on libvirt, and it generates all domain configuration files based on a jinja XML template at /usr/share/qubes/templates/libvirt/. Details at https://dev.qubes-os.org/projects/core-admin/en/latest/libvirt.html

Maybe doing a per-domain override so that it closely matches what Android expects would work.

> Anbox looks like it might be worth a shot if someone really wants to
> work with android apps, and having a disassembler/debugger within the
> same AppVM would be possible as well. At one point I was wanting to do
> some security analysis of a few specific android apps in my free time,
> but figuring out how to get Android to install again took way too
> much of my time, and it just was not worth it.

Fair point.

> At least with Anbox you are starting from a bootable system and simply
> adding executables to it, so that is a much more reasonable approach
> rather than perhaps recompiling Xen and causing all kinds of potential
> issues with Qubes general security model. Since the Qube that Anbox runs
> in is confined to just that AppVM it's still isolated from the rest of
> the Qubes system and doesn't break that security model. I may just dust
> off that old project and take another stab at it using Anbox when I find
> some 'extra' time on my hands.

There's an unofficial Qubes template based on Ubuntu though, check out https://www.qubes-os.org/doc/templates/ubuntu/ .