Reverse Engineering Google’s New VM-Based Integrity System: PairIP
📌 What is PairIP?
PairIP is Google’s next-gen integrity verification mechanism, replacing SafetyNet Attestation API. It relies on a native library (libpairipcore.so) that loads encrypted bytecode from the APK’s assets and executes it via a virtual machine, completely separated from the main app lifecycle.
🔁 Comparison with SafetyNet
- SafetyNet: Uses remote attestation via DroidGuard VM and cloud-side validation.
- PairIP: Works locally through native code, offering more control to app developers and stronger obfuscation.
🔍 VM Architecture Breakdown
- APK loads `libpairipcore.so`
- Native code decrypts bytecode from assets
- Method `executeVM()` runs obfuscated logic in a custom VM loop
- Each instruction is hashed and verified internally
💥 Security & Anti-Reversing Features
- Dynamic decryption of VM code on load
- Anti-debugging using ptrace and TracerPid checks
- Obfuscated control flow & stripped symbols
- Native checksums (e.g., FNV-1) for file validation
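To make the per-instruction hashing and the FNV-1 checksums above concrete, here is an added C model that is not PairIP's code (its real instruction encoding is not described in this post): a 32-bit FNV-1 routine and a small VM loop that recomputes each instruction's stored hash before executing it, so a single patched byte aborts the run. The 6-byte instruction layout, the opcodes and the `run_sample` program are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* 32-bit FNV-1 (multiply, then XOR), the checksum family the post names. */
uint32_t fnv1_32(const uint8_t *data, size_t len) {
    uint32_t h = 0x811c9dc5u;                 /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h *= 0x01000193u;                     /* FNV prime */
        h ^= data[i];
    }
    return h;
}
/* Hypothetical 6-byte instruction: opcode, operand, little-endian FNV-1 of those two bytes.
   The real PairIP encoding is not public; this only models "hash and verify each instruction". */
enum { OP_PUSH = 1, OP_ADD = 2, OP_MUL = 3, OP_HALT = 4 };
enum { INSN_LEN = 6, VM_ERR_TAMPER = -1, VM_ERR_BADOP = -2 };
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Emits one self-checking instruction into out[INSN_LEN]. */
void vm_emit(uint8_t *out, uint8_t op, uint8_t arg) {
    out[0] = op; out[1] = arg;
    uint32_t h = fnv1_32(out, 2);
    for (int i = 0; i < 4; i++) out[2 + i] = (uint8_t)(h >> (8 * i));
}
/* Runs until HALT, refusing any instruction whose stored hash no longer matches its bytes.
   Returns the top of the stack, or a negative VM_ERR_* code. */
long vm_run(const uint8_t *code, size_t len) {
    long stack[16]; int sp = 0;
    for (size_t pc = 0; pc + INSN_LEN <= len; pc += INSN_LEN) {
        const uint8_t *insn = code + pc;
        if (fnv1_32(insn, 2) != rd32(insn + 2)) return VM_ERR_TAMPER;   /* patched in place */
        switch (insn[0]) {
        case OP_PUSH: if (sp < 16) stack[sp++] = insn[1]; break;
        case OP_ADD:  if (sp >= 2) { sp--; stack[sp - 1] += stack[sp]; } break;
        case OP_MUL:  if (sp >= 2) { sp--; stack[sp - 1] *= stack[sp]; } break;
        case OP_HALT: return sp ? stack[sp - 1] : 0;
        default:      return VM_ERR_BADOP;
        }
    }
    return VM_ERR_BADOP;                      /* ran off the end without HALT */
}
/* Constructed sample computing (3 + 4) * 5 = 35. With tamper != 0 the first PUSH operand is
   patched to 9 without updating its hash, which is what a naive binary patch would do. */
long run_sample(int tamper) {
    uint8_t prog[6 * INSN_LEN];
    vm_emit(prog + 0,  OP_PUSH, 3); vm_emit(prog + 6,  OP_PUSH, 4); vm_emit(prog + 12, OP_ADD, 0);
    vm_emit(prog + 18, OP_PUSH, 5); vm_emit(prog + 24, OP_MUL, 0);  vm_emit(prog + 30, OP_HALT, 0);
    if (tamper) prog[1] = 9;
    return vm_run(prog, sizeof prog);
}
```

The untampered program returns 35, while the patched one stops at the first instruction with VM_ERR_TAMPER, which is the behaviour a patcher runs into when the checksum is recomputed at execution time rather than once at load.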
🛠️ Reverse Engineering Tactics
To analyze PairIP-protected apps, reverse engineers typically apply these techniques:
- Hook `RegisterNatives` to dump method pointers
- Use Frida to intercept `executeVM` and dump decrypted memory
- Emulate custom instruction sets in QEMU or Unicorn Engine
- Map bytecode instruction behavior to reconstruct VM logic
📚 Conclusion
PairIP significantly raises the difficulty bar for attackers attempting to patch or tamper with Android apps. Its runtime VM logic, encrypted payload, and native validation make static analysis nearly impossible without memory-level reverse engineering.
However, with the right tooling and patience, analysis is still possible.