Kicksecure ™

Download

Debian morph to Kicksecure (Hardware) Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) USB ISO (coming soon) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Anbox allows Android applications and mobile games to run inside Kicksecure.

Introduction[edit]

Anbox is a third party project that allows Android applications and mobile games to run inside Kicksecure. According to the Anbox website: ^[3]

Anbox puts the Android operating system into a container, abstracts hardware access and integrates core system services into a GNU/Linux system. Every Android application will be integrated with your operating system like any other native application. To achieve our goal we use standard Linux technologies like containers (LXC) to separate the Android operating system from the host. Any Android version is suitable for this approach and we try to keep up with the latest available version from the Android Open Source Project.

The project is open source and theoretically any application can be run. Anbox does not have direct access to a user's hardware or data. It should be noted that while it is possible to install the Google Play Store, Google will not allow anyone to ship applications if the device is not certified and the vendor has not signed an agreement. ^[4]

Security Specific[edit]

• Do not use physical devices (mobile phones or tablets) for any kind of privacy activities because any physical device has a unique IMEI number which can be easily fetched by Android applications. Always use virtual devices such as Anbox or Waydroid or Android x86 for these kind of activities.
• Always prefer using free and open source (FOSS) Android applications because they usually don't use any kind of surveillance. Using applications from F-Droid repositories is recommended.
• Do not install Android Package Kits (APKs) directly from untrusted sources. ^[5]
• Always check permissions before starting an application. Note the Android settings menu only allows the user to manage dangerous permissions (such as Camera, Storage, Location, Phone etc.) but not AppOps (application operations) permissions. ADB shell or extended GUI application/permission manager (root required) is needed in order to display and manage not only dangerous but AppOps permissions.
• Do not store any private information inside Anbox or Waydroid or Android x86 filesystems.
• As the Android system cannot prevent applications from accessing the Internet, additional firewall management is required. Android uses Linux iptables firewall manager so a GUI application like AFWall+ can be used to control what applications are allowed to access the Internet (root needed).
• If a proprietary, non-free Android application installation is required An Aurora Store application can be useful for this purpose. Do not use any real (linked to your identity) account. ^[6]

General Issues[edit]

There are several issues with running popular Android applications using Anbox or Android x86 Workstation on top of a non-physical, certified Android device.

Unsupported CPU Architecture[edit]

Most popular Android applications (especially from Google Play Store) were written for ARMv7 and rarely for ARMv8 architectures. Therefore, some applications do not have support for x86 or x86_64 architectures. Android x86 users can use the libhoudini library in order to try to emulate ARMv7 architecture but many Android applications written for ARM still don't work.

Device Fingerprint[edit]

Many non-free, popular Android applications check the device fingerprint for hardware identification purposes. Anbox and Waydroid and Android x86 have emulator fingerprints so applications can easily detect that an emulator is in use. It is generally possible to spoof the device fingerprint, but it is necessary to rebuild the Android image for Anbox/Waydroid. Android x86 can utilize the Magisk module called MagiskHide Props Config in order to spoof the device fingerprint.

Network Interface Detection[edit]

Most popular Android applications detect network adapters and will not work properly if no Wi-Fi or mobile connection is established. Anbox/Waydroid uses a bridge network interface by default so some applications will not see the Internet connection. However, Android x86 starting from Nougat has a built-in virtual Wi-Fi interface so applications think that a real Wi-Fi connection is established.

Google Play Services Mechanisms[edit]

At present, the biggest problem with running popular Android applications on top of a non-physical Android device is passing SafetyNet by Google. Android consists of two parts:

• The Android system itself (Android Open Source Project). This is a base system.
• A proprietary subsystem called Google Play Services. This helps applications from Google Play Store to interact with Google servers. This is an optional subsystem but all Android devices which are certified by Google have this arrangement.

If only free software (FOSS) applications will be run, then Google Play Services is unneeded since all applications from F-Droid are built without a dependency upon Google Play Services. If some types of proprietary applications are needed, this can be problematic because some will use the Google Play Services mechanism.

Generally, Google Play Services consists of two important parts:

• GCM (Google Cloud Messages)
• SafetyNet

GCM is a proprietary mechanism for delivering Push Notifications from Google servers. GCM is used by ~70-80% of proprietary applications from Google Play Store which rely upon the mechanism. It is not difficult to enable GCM support for Android x86 and Anbox and Waydroid. The Android x86 image comes with built-in, non-free Google Play Services so GCM is enabled by default. With Anbox/Waydroid, it is possible to install either proprietary Google Play Services (OpenGAPPS) or an open-source implementation of Google Play Services called Micro-G.

SafetyNet is a mechanism which verifies the integrity of the device. If a device is not certified by Google Corporation then most of the proprietary Android applications from Google Play Store will not run because many use SafetyNet to check the device is authentic and has not been tampered with. Nowadays there is no way to pass SafetyNet on Android x86 or Anbox/Waydroid because Google uses its own closed-source algorithm for non-real devices detection. SafetyNet is used by ~30-50% of Google Play Store applications, especially those relating to banking and social networks such as Tinder.

Anbox inside Kicksecure Advantages and Disadvantages[edit]

There are both distinct advantages and disadvantages of running Android applications in Kicksecure. ^[7]

Table: Anbox Advantages and Disadvantages ^[8]

Anbox Installation[edit]

Base Software[edit]

Android Image[edit]

android_amd64.img: OK

^[11]

Qubes[edit]

A StandaloneVM is most suitable, otherwise changes will be non-persistent (lost after VM restart). Instructions on how to make Anbox persistent using a TemplateBased AppVM do not exist yet; see footnote for experimental instructions. ^[12]

Kicksecure-Qubes requires the use of a Qubes VM kernel. ^[13] Users can follow the instructions from the Qubes website Installing kernel in Debian VM which are equally functional in Kicksecure-Qubes.

It has been reported that it is necessary to enable Anbox software rendering, but it is unclear how to accomplish that at present. The command from the previous link is likely non-functional because this guide does not use snap.

Start Anbox[edit]

From Start Menu[edit]

Start menu → Accessories → Anbox

From Command Line[edit]

^[14]

anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

Usage[edit]

F-Droid Installation[edit]

It is suggested to install F-Droid. The instructions below document how to download and verify F-Droid inside Kicksecure. ^[15]

gpg: assuming signed data in 'FDroid.apk'
gpg: Signature made Fri 16 Apr 2021 09:26:14 AM UTC
gpg:                using RSA key 802A9799016112346E1FEFF47A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Images[edit]

Figure: F-Droid Images

File Sharing[edit]

Start a file manager with root rights. ^[17]

lxsudo thunar

Browse to:

/var/lib/anbox/rootfs/data/media/0/

Files dropped to this download directory are readily visible to applications within Anbox.

Alternatives[edit]

• Successor of anbox as alternative is Waydroid but it requires wayland compatible desktop environment which is what xfce still lack at the moment of writing thus Undocumented for Kicksecure.

Footnotes[edit]

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!