Just a lvl 27 guy from 🇫🇮 Finland. Full-stack web developer and Scrum Master by trade, but more into server-side programming, networking, and sysadmin stuff.
During the summer, I love trekking, camping, and going on long hiking adventures. Also somewhat of an avgeek and a huge Lego fanatic.
My use case is a bit different than yours but still worth mentioning, I think; I have Sharry running in Docker and it makes sharing and receiving files super easy. All downloads and uploads are resumable so they work well even in unstable networks.
Nope. But as mentioned in the article, some support for display servers might be coming in Android 16.
Networking does work. I was able to install packages using apt and also ping machines on my local network. Could be useful.
I guess in a pinch it could be used to ssh into other machines. However, I’m sure there are plenty of SSH clients available for Android, which are much more lightweight solution than running a whole VM.
It has access to /sdcard as a shared folder.
How does this work? The app doesn’t seem to have any settings related to it yet. Under /mnt in the VM I noticed folder shared that seems to match the downloads folder on my phone, which seems odd
Tested this on my Pixel 8a. Works as you would expect. Personally I have a little hard time coming up with use cases for this but I guess it’s kinda cool.
They can include runnable JavaScript too, which can cause vulnerabilities in certain contexts. One example from work some years back: We had a web app where users could upload files, and certain users could view files uploaded by others. They had the option to download the file or, if it was a file type that the browser could display (like an image or a PDF), the site would display it directly on the page.
To prevent any XSS (scripts from user-provided files), we served all files with the CSP sandbox header, which prevents any scripts from running. However, at the time, that header broke some features of the video player on certain browsers (I think in Safari, at least), so we had to serve some file types without the header. Mistakenly, we also included image files in the exclusion, as everyone through image files couldn’t contain scripts. But the MIME type for SVG files is
image/svg+xml… It was very embarrassing to have such a simple XSS vuln flagged in a security audit.