asLody/VirtualApp
Virtual Engine for Android(Support 14.0 in business version)
Missing license — unclear to depend on
Weakest axis: no license — legally unclear; single-maintainer (no co-maintainers visible)…
no license — can't legally use code; no CI workflows detected
Documented and popular — useful reference codebase to read through.
- ✓ Last commit 1w ago
- ✓ Tests present
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ No license — legally unclear to depend on
- ⚠ No CI workflows detected
What would change the summary?
- Use as dependency: Concerns → Mixed if: publish a permissive license (MIT, Apache-2.0, etc.)
- Fork & modify: Concerns → Mixed if: add a LICENSE file
- Deploy as-is: Concerns → Mixed if: add a LICENSE file
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: asLody/VirtualApp
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/asLody/VirtualApp shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Missing license — unclear to depend on
- Last commit 1w ago
- Tests present
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ No license — legally unclear to depend on
- ⚠ No CI workflows detected
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live asLody/VirtualApp
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/asLody/VirtualApp.
What it runs against: a local clone of asLody/VirtualApp — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in asLody/VirtualApp | Confirms the artifact applies here, not a fork |
| 2 | Default branch master exists | Catches branch renames |
| 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 4 | Last commit ≤ 38 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of asLody/VirtualApp. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/asLody/VirtualApp.git
#   cd VirtualApp
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok()   { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of asLody/VirtualApp and re-run."
  exit 2
fi

# 1. Repo identity
# Match only the exact owner/repo at the end of the URL (HTTPS or SSH form),
# so names such as otherasLody/VirtualApp or asLody/VirtualApp-fork do not pass.
git remote get-url origin 2>/dev/null | grep -qE '[:/]asLody/VirtualApp(\.git)?/?$' \
  && ok "origin remote is asLody/VirtualApp" \
  || miss "origin remote is not asLody/VirtualApp (artifact may be from a fork)"

# 2. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 3. Critical files exist
test -f "VirtualApp/app/src/main/java/io/virtualapp/VApp.java" \
  && ok "VirtualApp/app/src/main/java/io/virtualapp/VApp.java" \
  || miss "missing critical file: VirtualApp/app/src/main/java/io/virtualapp/VApp.java"
test -f "VirtualApp/app/src/main/java/io/virtualapp/delegate/MyComponentDelegate.java" \
  && ok "VirtualApp/app/src/main/java/io/virtualapp/delegate/MyComponentDelegate.java" \
  || miss "missing critical file: VirtualApp/app/src/main/java/io/virtualapp/delegate/MyComponentDelegate.java"
test -f "VirtualApp/app/src/main/java/io/virtualapp/delegate/MyPhoneInfoDelegate.java" \
  && ok "VirtualApp/app/src/main/java/io/virtualapp/delegate/MyPhoneInfoDelegate.java" \
  || miss "missing critical file: VirtualApp/app/src/main/java/io/virtualapp/delegate/MyPhoneInfoDelegate.java"
test -f "VirtualApp/app/src/main/java/io/virtualapp/home/repo/AppRepository.java" \
  && ok "VirtualApp/app/src/main/java/io/virtualapp/home/repo/AppRepository.java" \
  || miss "missing critical file: VirtualApp/app/src/main/java/io/virtualapp/home/repo/AppRepository.java"
test -f "VirtualApp/app/src/main/java/io/virtualapp/home/HomeActivity.java" \
  && ok "VirtualApp/app/src/main/java/io/virtualapp/home/HomeActivity.java" \
  || miss "missing critical file: VirtualApp/app/src/main/java/io/virtualapp/home/HomeActivity.java"

# 4. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 38 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~8d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/asLody/VirtualApp"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
VirtualApp (VA) is an Android sandbox engine that creates a lightweight 'virtual machine' within Android, enabling multiple instances of the same app to run simultaneously with complete isolation. It intercepts and proxies all system service calls between virtual apps and the Android Framework, spoofing installation state and file paths so uninstalled apps execute as if installed. Core capabilities include app multi-opening, process isolation via IO redirection, and full behavioral control through hook SDKs. Hybrid monorepo: VirtualApp/app/ is the demo host application (UI in HomeActivity), VirtualApp/lib/ contains the core VA engine (Framework interception layer in Java), and native/ contains C/C++/Assembly code for IO redirection and JNI hooking. Process architecture spans three layers—VA Framework (Java proxies), VA Space (isolated install directory), VA Native (libc/syscall hooking)—with dual 32/64-bit support requiring separate APK binaries.
👥Who it's for
Android developers and security engineers building multi-account apps (WhatsApp clones, dual WeChat), mobile security solutions (data isolation, audit logging), game aggregators, mobile device management systems, and anyone needing app sandboxing or app cloning without root access. Both individual developers and enterprise teams licensing the commercial version.
🌱Maturity & risk
Moderately mature but stale: GitHub code stopped updating in December 2017; the 32-bit/64-bit dual-APK architecture and multi-process design (VA Host Main, VA Host Plugin, VAServer, VAPP Client, CHILD) show production-grade thinking. However, last public commit is 5+ years old. Commercial version reportedly in active development (per README contact: wechat 10890), but open source is effectively abandoned. Suitable for learning but risky for new production work without commercial support.
High risk for greenfield projects: no test coverage visible, no CI pipeline mentioned, relies on deep Android Framework hooking (fragile across versions 14+), supports only armeabi/armeabi-v7a/x86 ABIs (excludes arm64-v8a modern standard), and depends on undocumented commercial updates for Android 14 support. Single maintainer (asLody), no community activity, and hooking libc/Framework internals creates fragility to OS updates and Magisk conflicts.
Active areas of work
Nothing—public repository is dormant (last commit Dec 2017). README mentions commercial version under active development for Android 14 support with continuous updates, but no public activity. The open-source codebase is frozen; real development moved to private/commercial channels.
🚀Get running
Clone and open in Android Studio: git clone https://github.com/asLody/VirtualApp.git && cd VirtualApp && ./gradlew assembleDebug. Requires Android SDK 26+, NDK for C/C++ compilation. Import VirtualApp/app and VirtualApp/lib as a Gradle multi-project build. Test APK output goes to app/build/outputs/apk/.
Daily commands:
Build and run: cd VirtualApp && ./gradlew app:assembleDebug produces APK. Install via adb install app/build/outputs/apk/app-debug.apk. Launch the VA host app; it provides a UI to install virtual apps via HomeActivity (see VirtualApp/app/src/main/java/io/virtualapp/home/HomeActivity.java). Requires API 15+, tested up to Android 6 (SDK 22 target in build.gradle).
🗺️Map of the codebase
- VirtualApp/app/src/main/java/io/virtualapp/VApp.java: Main entry point and singleton for VirtualApp initialization; all contributors must understand the core VA lifecycle and service exposure mechanism
- VirtualApp/app/src/main/java/io/virtualapp/delegate/MyComponentDelegate.java: Central proxy handler that intercepts and spoofs component (Activity, Service) info to deceive Android Framework; core to the sandboxing deception strategy
- VirtualApp/app/src/main/java/io/virtualapp/delegate/MyPhoneInfoDelegate.java: Virtualizes device hardware info (IMEI, model, etc.) reported to apps; critical for multi-device spoofing and isolation use cases
- VirtualApp/app/src/main/java/io/virtualapp/home/repo/AppRepository.java: Manages virtual app installation, storage, and lifecycle; every feature that installs or manages vApps depends on this abstraction
- VirtualApp/app/src/main/java/io/virtualapp/home/HomeActivity.java: Main UI launcher and app list management; entry point for end users and integration point for custom app management workflows
- VirtualApp/app/build.gradle: Gradle build config with multi-ABI native library loading (armeabi, armeabi-v7a, x86) and minSdkVersion 15; essential for understanding build toolchain and platform support
- VirtualApp/app/src/main/AndroidManifest.xml: Declares all framework services, permissions, and hosted components that VA exposes; defines the attack surface and capability permissions
🛠️How to make changes
Add support for a new app-specific behavior (e.g., custom spoofing for a new platform)
- Create a new PlatformInfo subclass in VirtualApp/app/src/main/java/io/virtualapp/home/platform/ (VirtualApp/app/src/main/java/io/virtualapp/home/platform/NewAppPlatformInfo.java)
- Implement platform-specific overrides (e.g., getDeviceModel(), getSpoofedIMEI()) following the pattern in WechatPlatformInfo.java (VirtualApp/app/src/main/java/io/virtualapp/home/platform/NewAppPlatformInfo.java)
- Register the platform in AppRepository or the delegate selection logic to detect and apply the new PlatformInfo (VirtualApp/app/src/main/java/io/virtualapp/home/repo/AppRepository.java)
- Update delegates (MyComponentDelegate, MyPhoneInfoDelegate) if custom spoofing beyond standard hooks is needed (VirtualApp/app/src/main/java/io/virtualapp/delegate/MyPhoneInfoDelegate.java)

Add a new cloning feature (e.g., multi-account cloning with custom IMEI per clone)
- Extend MultiplePackageAppData to store per-clone metadata (e.g., cloneId, spoofedIMEI, spoofedPhoneNumber) (VirtualApp/app/src/main/java/io/virtualapp/home/models/MultiplePackageAppData.java)
- Update PackageAppDataStorage to persist and deserialize the new clone metadata fields (VirtualApp/app/src/main/java/io/virtualapp/home/repo/PackageAppDataStorage.java)
- Modify MyPhoneInfoDelegate to query the cloneId context and return clone-specific device info (VirtualApp/app/src/main/java/io/virtualapp/delegate/MyPhoneInfoDelegate.java)
- Add UI in CloneAppListAdapter or a new CloneDetailActivity to allow user input of clone-specific settings (VirtualApp/app/src/main/java/io/virtualapp/home/adapters/CloneAppListAdapter.java)

Add a new virtual app installation method (e.g., from cloud or QR code)
- Create a new AppDataSource implementation in VirtualApp/app/src/main/java/io/virtualapp/home/repo/ (VirtualApp/app/src/main/java/io/virtualapp/home/repo/CloudAppDataSource.java)
- Implement loadApps() and getAppData() to fetch and parse app metadata from your source (VirtualApp/app/src/main/java/io/virtualapp/home/repo/CloudAppDataSource.java)
- Update AppRepository to composite or switch between PackageAppDataStorage and your new source (VirtualApp/app/src/main/java/io/virtualapp/home/repo/AppRepository.java)
- Add UI (new Activity or Fragment) to capture and initiate the installation flow (e.g., QR scanner, cloud search) (VirtualApp/app/src/main/java/io/virtualapp/home/LoadingActivity.java)

Add a new device info spoofing field (e.g., fake Build.FINGERPRINT or ro.product.cpu.abi)
- Add the new field to MyPhoneInfoDelegate.java with a getter method that returns the spoofed value (VirtualApp/app/src/main/java/io/virtualapp/delegate/MyPhoneInfoDelegate.java)
- Create a storage/config model in home/models/ to persist per-app or global spoofing settings (VirtualApp/app/src/main/java/io/virtualapp/home/models/AppData.java)
- Hook the new spoofing field into MyComponentDelegate or framework service interception points (VirtualApp)
🪤Traps & gotchas
Critical:
1. Dual APK requirement: build both 32-bit main + 64-bit plugin; android { defaultConfig { ndk { abiFilters } } } must be set in both.
2. NDK build steps not visible in gradle; native .so files precompiled in libs/.
3. Binder IPC: VAServer must run in separate process and be declared in AndroidManifest.xml (not shown in snippet).
4. Android Framework version lock: hooking relies on reflection of private APIs; breaks on major Android releases (README says Android 14 support in commercial version only).
5. Proguard rules in app/proguard-rules.pro likely disable obfuscation for Hook SDK classes (verify before release).
6. Tencent Map/Location SDK jars in libs/ are third-party; check licensing.
7. multiDexEnabled true required due to method count; legacy setup.
🔗Related repos
- Genymobile/genymotion: Commercial Android emulator that also creates isolated app environments; used as reference for framework hooking techniques
- containers/bubblewrap: Userspace sandbox for Linux/Android using namespaces; complementary approach to VA's Framework-level proxying for process isolation
- tun2socks/tun2socks: Network-level isolation and redirection tool often paired with VA for complete network sandboxing in multi-app scenarios
- Xposed-Framework/XposedBridge: Predecessor hooking framework for Android; VA's hook SDK implements similar Zygote/Framework interception but without requiring Xposed
- facebookarchive/FBSimulatorControl: iOS simulator + device control framework; architectural patterns (process spawning, IPC, spoofing) parallel VA's multi-process model
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add unit tests for VirtualApp delegate system (MyAppRequestListener, MyComponentDelegate, MyPhoneInfoDelegate, MyTaskDescriptionDelegate)
The delegate package in VirtualApp/app/src/main/java/io/virtualapp/delegate/ contains critical intercept logic for hooking system calls and app requests. These components are central to the VA Framework's 'deception' mechanism described in the README, but there are no visible test files. Adding unit tests would ensure delegates properly intercept and transform requests, preventing regressions as the codebase evolves.
- [ ] Create VirtualApp/app/src/test/java/io/virtualapp/delegate/ directory
- [ ] Write unit tests for MyAppRequestListener.java covering request interception scenarios
- [ ] Write unit tests for MyComponentDelegate.java verifying component resolution hooking
- [ ] Write unit tests for MyPhoneInfoDelegate.java testing device info spoofing
- [ ] Write unit tests for MyTaskDescriptionDelegate.java for task description transformation
- [ ] Add Mockito and JUnit4 dependencies to build.gradle if not present
Add instrumented Android tests for app cloning/multi-opening functionality (CloneAppListAdapter, AppData, AppInfo models)
The VirtualApp/app/src/main/java/io/virtualapp/home/ package contains adapters and models for the core multi-open feature. The CloneAppListAdapter.java and data models (AppInfo.java, AppData.java, AppInfoLite.java) handle UI and state management for virtual apps. No visible instrumented tests exist to verify that cloned apps are properly tracked, isolated, and managed. This is high-value since multi-opening is a primary VA use case.
- [ ] Create VirtualApp/app/src/androidTest/java/io/virtualapp/home/ directory
- [ ] Write instrumented test for CloneAppListAdapter verifying proper data binding and lifecycle
- [ ] Write instrumented tests for AppInfo/AppData models verifying serialization and app state isolation
- [ ] Write integration test verifying multiple app instances don't share data inappropriately
- [ ] Add AndroidTestDependencies (androidx.test, espresso) to build.gradle
Refactor and document the location spoofing system (VirtualLocationSettings, MarkerActivity) with missing implementation guide
The VirtualApp/app/src/main/java/io/virtualapp/home/location/ package integrates TencentLocation/TencentMap SDKs (visible in libs/) for location spoofing. However, there is no documentation explaining how location interception hooks into the VA Framework layer, how developers customize location spoofing, or what the asset file 'OaceOaT8w5Xda6wa' contains. Creating a LOCATION_SPOOFING.md guide would help contributors understand this complex feature and reduce integration friction.
- [ ] Analyze VirtualLocationSettings.java and MarkerActivity.java to understand location injection mechanism
- [ ] Create VirtualApp/LOCATION_SPOOFING.md documenting the location spoofing architecture
- [ ] Document the relationship between TencentLocation SDKs and VA Framework hook points
- [ ] Clarify the purpose of assets/OaceOaT8w5Xda6wa and explain configuration/data stored there
- [ ] Add code comments to VirtualLocationSettings.java and MarkerActivity.java explaining key interception points
- [ ] Include a code example showing how to programmatically set/update spoofed locations
🌿Good first issues
- Add unit tests for MyPhoneInfoDelegate phone spoofing: No test directory visible; add tests to VirtualApp/lib/src/test to verify IMEI, serial, ABI spoofing works correctly across API levels
- Document the VAServer IPC protocol with code examples: README describes VAServer abstractly but provides no schema or example AIDL messages; create doc/VAServer-IPC.md with concrete request/response format
- Update ABI filter to include arm64-v8a support: build.gradle only lists armeabi, armeabi-v7a, x86; arm64-v8a is now standard on modern devices. Add 64-bit support as main ABI and adjust plugin split logic
📝Recent commits
- 77b6acf: Update README.md (xxxyanchenxxx)
- 20854f6: Update README.md (xxxyanchenxxx)
- 9de1cd2: Update README.md (xxxyanchenxxx)
- dd01dce: Update README_eng.md (xxxyanchenxxx)
- 640731e: Update README.md (xxxyanchenxxx)
- 4619156: Update README.md (xxxyanchenxxx)
- c3ee67c: Update README.md (xxxyanchenxxx)
- 0bbefc4: Update README.md (xxxyanchenxxx)
- 9284664: Update README.md (xxxyanchenxxx)
- 845f817: Update README.md (xxxyanchenxxx)
🔒Security observations
- High · Outdated Android SDK and Build Tools. Location: VirtualApp/app/build.gradle. The project uses compileSdkVersion 26 (Android 8.0) and buildToolsVersion 26.0.2, which are significantly outdated (released in 2017). This exposes the application to known security vulnerabilities patched in newer SDK versions. Modern Android versions include critical security fixes for framework-level vulnerabilities. Fix: Update compileSdkVersion to at least 33-34 (Android 13-14), and buildToolsVersion to the latest stable version. Update targetSdkVersion to match the compileSdkVersion.
- High · Low Target SDK Version. Location: VirtualApp/app/build.gradle. The targetSdkVersion is set to 22 (Android 5.1), which is extremely outdated. This bypasses modern Android security features including runtime permissions (introduced in API 23), scoped storage, and other security hardening mechanisms. Apps targeting API 22 lack modern permission frameworks. Fix: Update targetSdkVersion to at least 33 or higher (current Google Play requirement is 34+). This will enforce compliance with modern Android security standards.
- High · Outdated and Vulnerable Dependencies. Location: VirtualApp/app/build.gradle and VirtualApp/app/libs/. Multiple dependencies are severely outdated: Flurry Analytics 6.9.2 (from 2016), appcompat-v7 25.4.0 (2016), design 25.4.0 (2016). These libraries contain known CVEs and security vulnerabilities. The project also uses old Tencent SDKs (libtencentloc.so) which may have unpatched security issues. Fix: Update all support libraries to the latest versions. Replace deprecated Flurry Analytics 6.9.2 with a current version or alternative. Verify and update the Tencent Location/Map SDKs to their latest secure versions.
- High · Disabled Minification in Release Builds. Location: VirtualApp/app/build.gradle (buildTypes.release). ProGuard/R8 minification is disabled (minifyEnabled false) in release builds. This allows reverse engineering of the app, exposing sensitive logic, API keys, and implementation details. Given this is a virtualization engine, the unobfuscated code presents a significant security risk. Fix: Enable minification by setting minifyEnabled true and configure a proper proguard-rules.pro file. Apply resource shrinking and code obfuscation for release builds.
- High · Lint Checks Disabled. Location: VirtualApp/app/build.gradle (lintOptions). Lint error checking is disabled (abortOnError false, checkReleaseBuilds false). This suppresses security and quality warnings during build time, potentially allowing insecure code patterns to reach production undetected. Fix: Enable lint checks: set checkReleaseBuilds to true and abortOnError to true. Address any lint warnings before disabling specific checks.
- Medium · Unverified Third-Party Libraries. Location: VirtualApp/app/libs/ (JAR and SO files). The project includes JAR files directly in the libs folder without clear dependency management or security verification: TencentLocationSDK, TencentMapSDK. These lack version pinning and integrity verification, making them vulnerable to supply chain attacks. Fix: Migrate to Maven Central or verified repositories. Use dependency management with version pinning. Verify checksums and signatures of all third-party libraries. Remove unused libraries.
- Medium · Native Libraries Without Security Verification. Location: VirtualApp/app/libs/armeabi/, armeabi-v7a/, x86/ (libtencentloc.so). Multiple native libraries (.so files) for different architectures are included without documented version control, security audits, or integrity verification. These compiled binaries are difficult to audit and represent a significant attack surface. Fix: Document the source and version of all native libraries. Implement integrity checking at runtime. Verify signatures of native binaries. Consider using only necessary architectures.
- Medium · Deprecated HTTP Libraries. While specific HTTP libraries aren't listed, the outdated support libraries suggest the app may be using deprecated or insecure networking APIs without modern TLS
LLM-derived; treat as a starting point, not a security audit.
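The two Medium findings above recommend pinning vendored JARs and native libraries and verifying their checksums. One way to do that at build time, as an added example that is not RepoPilot's or the VirtualApp project's code: the function names, the pins.sha256 manifest and the sample tree (placeholder files, including example-sdk.jar) are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: pin vendored .jar/.so files to SHA-256 digests and fail the
# build when the tree drifts from the pins. All names here are hypothetical.

sha256_of() {  # print the hex digest of one file
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -c1-64
  else
    shasum -a 256 "$1" | cut -c1-64
  fi
}

list_vendored() {  # relative paths of every .jar/.so under $1, stable order
  (cd "$1" && find . -type f \( -name '*.jar' -o -name '*.so' \)) |
    sed 's|^\./||' | LC_ALL=C sort
}

# pin_vendored LIBS_DIR: emit "<sha256>  <path>" lines (sha256sum layout).
# Run once on a reviewed tree and commit the output next to the binaries.
pin_vendored() {
  list_vendored "$1" | while IFS= read -r rel; do
    printf '%s  %s\n' "$(sha256_of "$1/$rel")" "$rel"
  done
}

# verify_vendored LIBS_DIR MANIFEST: print one finding per line and return 1
# if any binary is unpinned, differs from its pin, or a pinned file is gone.
verify_vendored() {
  vv_out=$(
    list_vendored "$1" | while IFS= read -r rel; do
      # Path starts at column 67: 64 hex digits plus the two-space separator.
      want=$(awk -v p="$rel" 'substr($0, 67) == p { print substr($0, 1, 64); exit }' "$2")
      if [ -z "$want" ]; then
        echo "UNPINNED $rel"
      elif [ "$(sha256_of "$1/$rel")" != "$want" ]; then
        echo "MISMATCH $rel"
      fi
    done
    cut -c67- "$2" | while IFS= read -r rel; do
      [ -n "$rel" ] || continue
      [ -f "$1/$rel" ] || echo "MISSING $rel"
    done
  )
  [ -z "$vv_out" ] && return 0
  printf '%s\n' "$vv_out"
  return 1
}

# Constructed sample tree mirroring the libs/ layout the findings describe.
make_sample_tree() {
  for abi in armeabi armeabi-v7a x86; do
    mkdir -p "$1/$abi"
    printf 'placeholder native library for %s\n' "$abi" > "$1/$abi/libtencentloc.so"
  done
  printf 'placeholder jar\n' > "$1/example-sdk.jar"
}

demo() {
  d=$(mktemp -d)
  make_sample_tree "$d/libs"
  pin_vendored "$d/libs" > "$d/pins.sha256"
  verify_vendored "$d/libs" "$d/pins.sha256" && echo "reviewed tree: ok"
  printf 'patched' >> "$d/libs/x86/libtencentloc.so"   # simulate a swapped binary
  verify_vendored "$d/libs" "$d/pins.sha256" || echo "drifted tree: rejected"
  rm -rf "$d"
}
demo
```

A pin only records what was reviewed; it says nothing about whether the pinned binary itself is trustworthy, so the manifest belongs under code review alongside any change to libs/.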
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.