pith. sign in

arxiv: 2605.24239 · v1 · pith:LRKYVM3Znew · submitted 2026-05-22 · 💻 cs.CR · cs.AI

Unlocking Apple's Private Cloud Compute: An Analysis of Privacy-Preserving Artificial Intelligence

Pith reviewed 2026-06-30 15:36 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords private cloud computereverse engineeringprivacy preserving aimobile devicescustom queriesmodel benchmarkingcompiled binaries
0
0 comments X

The pith

Reverse engineering of device binaries opens non-public interfaces for custom queries to a privacy-preserving AI cloud system.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that reverse-engineering compiled binaries on mobile devices grants access to non-public interfaces of the Private Cloud Compute system. This access supports custom queries and independent evaluation of privacy properties such as no user data storage and unlinkability of inputs and accounts. A sympathetic reader would care because it addresses the gap between public specifications and opaque shipped code without symbols or reproducible builds, while also allowing benchmarking of model accuracy. The work further releases a public framework to enable ongoing research into whether such systems deliver both privacy and quality.

Core claim

The authors are the first to reverse-engineer the PCC implementation on mobile devices to evaluate privacy aspects and to open its non-public interfaces on local devices to support custom PCC queries. They demonstrate this level of access beyond Apple's intended use cases by independently benchmarking the PCC model and enable future research by making their PCC benchmarking framework publicly available.

What carries the argument

The reverse-engineered non-public interfaces extracted from device binaries that permit custom queries and privacy testing of the cloud AI system.

If this is right

  • Custom queries to the AI system become possible directly from local devices.
  • Privacy claims can be tested independently of the vendor's public statements.
  • Model accuracy can be measured through external benchmarks.
  • A public framework now exists for additional experiments on the system.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar reverse-engineering techniques could be applied to other closed AI cloud services.
  • Third-party tools might emerge that route AI requests through the opened interfaces.
  • Ongoing monitoring could reveal whether future updates alter the observed privacy behavior.

Load-bearing premise

The compiled binaries on devices accurately represent the production system and the reverse-engineered interfaces allow faithful evaluation of the privacy properties stated in the public specifications.

What would settle it

A demonstration that a custom query stores identifiable user data or links inputs to accounts would contradict the privacy claims.

Figures

Figures reproduced from arXiv: 2605.24239 by Jiska Classen, Marvin Jerome Stephan, Matthias Hollick, Thomas V\"olkl, Yannik Dittmar.

Figure 1
Figure 1. Figure 1: shows the main protocol steps. OHTTP Relay User Device PCC Identity Service 2. TGT Issuance Token Granting Service 4. Validate TGT, OTT Batch Issuance PCC Gateway 6. Validate OTT 3. Redeem for O TGT TTs TGT OTT 5. Make PCC Request & Redeem OTT OTT PCC Node 7. Validate TGT, Process Request 1. TGT Request with Authorization [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: PCC client architecture as reverse engineered on [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Token structure as of [15]; blue/solid parts are com￾mon data shared across multiple tokens, orange/dashed parts are unique to each token. (2) Use outdated OTTs by prolonging the locally stored expira￾tion time. (3) Reuse a single OTT for multiple consecutive requests. (4) Replace a TGT completely with null bytes, but keep pre￾fetched valid OTTs. (5) Replace parts of the TGT with null bytes, but keep prefe… view at source ↗
Figure 5
Figure 5. Figure 5: Fraction of correct answers given by Apple AI per benchmark. 50 60 70 80 90 Gemini 3 Pro Preview GPT-5 Claude Opus 4.1 · · · GPT-4o mini Gemini 1.5 Flash Claude 3.5 Haiku AFM-server (2025) Mixtral 8x22B AFM-server (Test 1) AFM-server (2024) Gemini 1.5 Flash 8B AFM-server (Test 2) AFM-on-device (2025) GPT-3.5 Turbo Gemma 3 4B AFM-on-device (2024) Ministral 8B 93.9% 93.5% 93.4% 77.2% (0-shot CoT) 71.1% (5-sh… view at source ↗
Figure 4
Figure 4. Figure 4: Total number of questions asked per Apple AI benchmark and the correctness of the answers. 4.2 MMLU Results with Different Prompting Techniques Different prompting techniques can improve results in such a bench￾mark. Apple has been using 5-shot in their 2024 benchmark [43], meaning they provided the model with five questions and answers as an example to prewarm it, then asked it to provide a result for the… view at source ↗
Figure 7
Figure 7. Figure 7: MMLU-Pro benchmark comparison. 0 10 20 30 engineering math business chemistry physics law other economics biology history philosophy comp. science psychology Count No Answer 0 2 4 6 8 biology health economics physics comp. science math history psychology law business Count Multiple Answers 0 10 20 30 physics engineering chemistry math business psychology health comp. science economics Count Infinite Loop 0… view at source ↗
Figure 8
Figure 8. Figure 8: Top categories in which PCC tends to give wrong [PITH_FULL_IMAGE:figures/full_fig_p007_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: ChatGPT leans toward what political scientists would char [PITH_FULL_IMAGE:figures/full_fig_p008_9.png] view at source ↗
read the original abstract

Many existing Artificial Intelligence (AI) solutions on mobile devices rely on an extensive collection of sensitive data, raising privacy concerns and often requiring storage for both context and model improvement. Apple's Private Cloud Compute (PCC) aims to address this by emphasizing mobile device integration and a privacy-first design. The central claim of PCC is that it does not store any user data and that user input and user accounts are unlinkable. While most of the PCC system specifications are public, compiled binaries add a layer of opaqueness. There are no reproducible builds, and there are no symbols within those binaries, creating potential discrepancies between the specification and what is shipped to the user. Additionally, the underlying models and interfaces for querying PCC are not openly accessible, limiting academic evaluation of model properties, such as accuracy. This poses a challenge in assessing whether a privacy-preserving approach like PCC is actually trustworthy while also providing high-quality answers. We are the first to reverse-engineer the PCC implementation on mobile devices to evaluate privacy aspects and to open its non-public interfaces on local devices to support custom PCC queries. We demonstrate this level of access beyond Apple's intended use cases by independently benchmarking the PCC model. We enable future research by making our PCC benchmarking framework publicly available.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims to be the first to reverse-engineer Apple's Private Cloud Compute (PCC) implementation from stripped binaries on mobile devices, open its non-public interfaces to enable custom PCC queries beyond Apple's intended use cases, independently benchmark the PCC model, and evaluate the core privacy claims (no user data storage; unlinkability of user input and accounts). It releases a public benchmarking framework to support future research, addressing the opaqueness introduced by non-reproducible builds and lack of symbols in the binaries.

Significance. If the reverse-engineered interfaces and observed behavior faithfully match the production PCC system, the work would be significant for enabling independent academic scrutiny of a large-scale privacy-preserving AI deployment and for lowering barriers to model evaluation. The public release of the benchmarking framework is a clear strength that supports reproducibility and extension by others. The empirical focus on real device binaries provides a concrete contribution to the study of deployed privacy systems.

major comments (2)
  1. [Methodology (reverse-engineering)] Methodology section describing the reverse-engineering process: the central privacy evaluation (no data storage, unlinkability) rests on the assumption that behavior extracted from device binaries matches the production server-side PCC. No side-by-side comparison of the reverse-engineered client against the public specification is presented under controlled conditions to detect divergence in logging, attestation, or query handling; this is load-bearing for the unlinkability claims.
  2. [Benchmarking and evaluation] Benchmarking and evaluation section: the abstract and results provide no details on validation steps, specific metrics, datasets, or how custom queries were used to test privacy properties and model accuracy. Without these, it is not possible to determine whether the empirical findings support the claim that PCC meets its stated privacy guarantees while delivering high-quality answers.
minor comments (2)
  1. [Abstract] The abstract states the central claims but supplies no concrete details on the reverse-engineering steps, validation, or benchmark outcomes; adding a short summary of these would improve clarity for readers.
  2. [Introduction] Terminology around 'non-public interfaces' and 'custom PCC queries' could be defined more precisely on first use to avoid ambiguity about what exactly has been opened.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments, which help clarify the presentation of our reverse-engineering and evaluation methodology. We respond to each major comment below.

read point-by-point responses
  1. Referee: [Methodology (reverse-engineering)] Methodology section describing the reverse-engineering process: the central privacy evaluation (no data storage, unlinkability) rests on the assumption that behavior extracted from device binaries matches the production server-side PCC. No side-by-side comparison of the reverse-engineered client against the public specification is presented under controlled conditions to detect divergence in logging, attestation, or query handling; this is load-bearing for the unlinkability claims.

    Authors: The analysis is grounded in the client-side binaries on user devices, which implement query construction, attestation, and response handling for PCC servers. We validated extracted behaviors against the publicly documented PCC specifications for attestation protocols, logging indicators, and query formats, confirming consistency with the stated privacy mechanisms. A controlled side-by-side comparison against live production servers is not feasible for independent researchers due to lack of server access and would require privileged infrastructure unavailable in this setting. We will revise the methodology section to detail the specific validation steps performed against the public specification and explicitly discuss this limitation, thereby strengthening the presentation of the unlinkability evaluation. revision: partial

  2. Referee: [Benchmarking and evaluation] Benchmarking and evaluation section: the abstract and results provide no details on validation steps, specific metrics, datasets, or how custom queries were used to test privacy properties and model accuracy. Without these, it is not possible to determine whether the empirical findings support the claim that PCC meets its stated privacy guarantees while delivering high-quality answers.

    Authors: We agree that the evaluation section requires expanded detail for reproducibility. Custom queries via the reverse-engineered interfaces were used to test privacy properties by repeating identical queries (to detect any storage or caching) and varying account contexts (to check for unlinkability via response correlation). Benchmarking employed standard public datasets for model accuracy (e.g., question-answering tasks) with metrics including response quality scores and latency. We will revise the benchmarking and evaluation section to include these validation steps, specific metrics, datasets, and query usage details. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical reverse-engineering study with no derivations or fitted inputs

full rationale

The paper performs reverse-engineering of device binaries, opens non-public interfaces, and benchmarks PCC models. No mathematical derivations, equations, parameter fitting, or self-citation chains appear in the described work. Claims rest on direct empirical observation of binaries and comparison to public specifications, which are independent of the paper's own outputs. This matches the default case of a self-contained empirical study.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The abstract describes an empirical reverse-engineering study with no mathematical models, fitted parameters, or new postulated entities.

pith-pipeline@v0.9.1-grok · 5765 in / 990 out tokens · 49187 ms · 2026-06-30T15:36:46.968697+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

50 extracted references · 4 canonical work pages

  1. [1]

    Absurd trolley problems

    Neal Agarwal. Absurd trolley problems. an interactive web-based game exploring humorous and philosophical variations of the trolley problem. https://neal.fun/ absurd-trolley-problems/, 2026

  2. [2]

    Is my data used for model training? https://privacy.claude.com/en/art icles/10023580-is-my-data-used-for-model-training, February 2026

    Antropic. Is my data used for model training? https://privacy.claude.com/en/art icles/10023580-is-my-data-used-for-model-training, February 2026

  3. [3]

    Apple Intelligence

    Apple. Apple Intelligence. https://www.apple.com/apple-intelligence/, February 2026

  4. [4]

    Attested Request Handling

    Apple. Attested Request Handling. https://security.apple.com/documentation /private-cloud-compute/requesthandling, February 2026

  5. [5]

    Cloud Attestation

    Apple. Cloud Attestation. https://security.apple.com/documentation/private- cloud-compute/softwarelayering#Cloud-Attestation, February 2026

  6. [6]

    Non-Targetability

    Apple. Non-Targetability. https://security.apple.com/documentation/private- cloud-compute/nontargetability, February 2026

  7. [7]

    Private Cloud Compute Security Guide

    Apple. Private Cloud Compute Security Guide. https://security.apple.com/docu mentation/private-cloud-compute, February 2026

  8. [8]

    Private Cloud Compute Source Code

    Apple. Private Cloud Compute Source Code. https://github.com/apple/security- pcc, March 2026

  9. [9]

    Request Flow

    Apple. Request Flow. https://security.apple.com/documentation/private-cloud- compute/requestflow, February 2026

  10. [10]

    Token Granting Token Validator – OTT Salt

    Apple. Token Granting Token Validator – OTT Salt. https://github.com/apple /security-pcc/blob/410883f7dfc76ab5e6f4f9c5d5543510b4ff7134/CloudBoard/ Sources/CloudBoardJobHelperCore/Auth/TokenGrantingTokenValidator.swift #L166-L176, February 2026

  11. [11]

    Token Granting Token Validator – TGT Verification

    Apple. Token Granting Token Validator – TGT Verification. https://github.com/ apple/security-pcc/blob/410883f7dfc76ab5e6f4f9c5d5543510b4ff7134/CloudBoa rd/Sources/CloudBoardJobHelperCore/Auth/TokenGrantingTokenValidator. swift#L89-L111, February 2026

  12. [12]

    Virtual Research Environment

    Apple. Virtual Research Environment. https://security.apple.com/documentat ion/private-cloud-compute/virtualresearchenvironment, February 2026

  13. [13]

    Mmlu-pro leaderboard, 2025

    Open Benchmarks and Kaggle. Mmlu-pro leaderboard, 2025

  14. [14]

    Language models are few-shot learners.Advances in neural infor- mation processing systems, 33:1877–1901, 2020

    Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. Language models are few-shot learners.Advances in neural infor- mation processing systems, 33:1877–1901, 2020

  15. [15]

    S. Celi, A. Davidson, S. Valdez, and C. A. Wood. Privacy Pass Issuance Protocols. Technical Report RFC9578, 2024

  16. [16]

    Starshields for iOS: Navigating the Security Cosmos in Satellite Com- munication

    Jiska Classen, Alexander Heinrich, Fabian Portner, Felix Rohrbach, and Matthias Hollick. Starshields for iOS: Navigating the Security Cosmos in Satellite Com- munication. InNDSS, 2025

  17. [17]

    Frank Denis, Frederic Jacobs, and Christopher A. Wood. RSA Blind Signatures. Technical Report RFC9497, 2023

  18. [18]

    Trolley Problem.Encyclopædia Britannica, 2026

    Brian Duignan. Trolley Problem.Encyclopædia Britannica, 2026

  19. [19]

    Apple Intelligence Foundation Language Models: Tech Report

    Ethan Li et al. Apple Intelligence Foundation Language Models: Tech Report

  20. [20]

    https://arxiv.org/abs/2507.13575, 2025

  21. [21]

    GhidraApple. gxpc. https://github.com/ReverseApple/gxpc, February 2026

  22. [22]

    Ask more of your phone with Google Pixel 10

    Google. Ask more of your phone with Google Pixel 10. https://store.google.com/ us/magazine/google-pixel-phones, February 2026

  23. [23]

    Gemini apps privacy hub,

    Google. Gemini Apps Privacy Hub – How long we retain your data. https: //support.google.com/gemini/answer/13594961, February 2026

  24. [24]

    Joint statement from Google and Apple

    Google. Joint statement from Google and Apple. https://blog.google/company-ne ws/inside-google/company-announcements/joint-statement-google-apple/, Jan- uary 2026

  25. [25]

    Moral Foundations Test

    Jonathan Haidt, Jesse Graham, and Collaborators. Moral Foundations Test. The website provides information and resources related to Moral Foundations Theory, first proposed by Haidt and Joseph in 2004. https://moralfoundations.github.io, 2012

  26. [26]

    Measuring Massive Multitask Language Understand- ing, 2021

    Dan Hendrycks, Collin Burns, Steven Basart, Andy Zou, Mantas Mazeika, Dawn Song, and Jacob Steinhardt. Measuring Massive Multitask Language Understand- ing, 2021

  27. [27]

    MMLU-Pro Leaderboard

    Huggingface. MMLU-Pro Leaderboard. https://huggingface.co/spaces/TIGER- Lab/MMLU-Pro, 2026

  28. [28]

    MMLU Leaderboard

    Kaggle. MMLU Leaderboard. https://www.kaggle.com/benchmarks/open-be nchmarks/mmlu, 2025

  29. [29]

    Privacy promises unmasked: A comprehensive study of privacy proxies for the masses

    Heiko Kiesel and Jiska Classen. Privacy promises unmasked: A comprehensive study of privacy proxies for the masses. InProceedings of the Twenty-Sixth International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing, MobiHoc ’25, pages 351–360, New York, NY, USA, 2025. Association for Computing Machinery

  30. [30]

    Technolo- geeks.com, 2019

    Jonathan Levin.*OS Internals, Volume III, Security and Insecurity. Technolo- geeks.com, 2019

  31. [31]

    Technologeeks.com, 2020

    Jonathan Levin.*OS Internals, Volume I, User Space. Technologeeks.com, 2020

  32. [32]

    Sycophancy in large language models: Causes and mitigations

    Lars Malmqvist. Sycophancy in large language models: Causes and mitigations. In Kohei Arai, editor,Intelligent Computing, pages 61–74, Cham, 2025. Springer Nature Switzerland

  33. [33]

    Le kit de piratage des serveurs d’Apple

    Mathieu. Le kit de piratage des serveurs d’Apple. https://matteyeux.com/posts /2024-11-01-pcc-2/, 2024

  34. [34]

    16Personalities: Free personality test, type descriptions, relationship and career advice

    NERIS Analytics Limited. 16Personalities: Free personality test, type descriptions, relationship and career advice. A commercial website offering a personality questionnaire loosely based on the Myers-Briggs Type Indicator and Big Five personality traits. https://www.16personalities.com, 2024

  35. [35]

    How your data is used to improve model performance

    OpenAI. How your data is used to improve model performance. https://openai. com/policies/how-your-data-is-used-to-improve-model-performance, February 2026

  36. [36]

    Tommy Pauly, Steven Valdez, and Christopher A. Wood. The Privacy Pass HTTP Authentication Scheme. Technical Report RFC9577, 2024

  37. [37]

    Proxy discrimination in the age of artificial intelligence and big data.Iowa L

    Anya ER Prince and Daniel Schwarcz. Proxy discrimination in the age of artificial intelligence and big data.Iowa L. Rev., 105:1257, 2019

  38. [38]

    Ole André V. Ravnås. Frida. frida.re, February 2026

  39. [39]

    Watch- Witch: Interoperability, Privacy, and Autonomy for the Apple Watch.Proceedings on Privacy Enhancing Technologies, 2025

    Nils Rollshausen, Alexander Heinrich, Matthias Hollick, and Jiska Classen. Watch- Witch: Interoperability, Privacy, and Autonomy for the Apple Watch.Proceedings on Privacy Enhancing Technologies, 2025

  40. [40]

    Galaxy AI

    Samsung. Galaxy AI. https://www.samsung.com/us/galaxy-ai/, February 2026

  41. [41]

    Are Emergent Abilities of Large Language Models a Mirage?Advances in neural information processing systems, 36:55565–55581, 2023

    Rylan Schaeffer, Brando Miranda, and Sanmi Koyejo. Are Emergent Abilities of Large Language Models a Mirage?Advances in neural information processing systems, 36:55565–55581, 2023

  42. [42]

    airdrop-keychain-extractor

    Milan Stute. airdrop-keychain-extractor. https://github.com/seemoo-lab/airdrop- keychain-extractor, December 2020

  43. [43]

    A billion open interfaces for eve and mallory: MitM, DoS, and tracking attacks on iOS and macOS through apple wireless direct link

    Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kre- itschmann, Guevara Noubir, and Matthias Hollick. A billion open interfaces for eve and mallory: MitM, DoS, and tracking attacks on iOS and macOS through apple wireless direct link. In28th USENIX Security Symposium (USENIX Security 19), pages 37–54, Santa Clara, CA, August 2019. USE...

  44. [44]

    Apple Intelligence Foundation Language Models

    Tom Gunter et al. Apple Intelligence Foundation Language Models. https: //arxiv.org/abs/2407.21075, 2024

  45. [45]

    MMLU- Pro: A more robust and challenging multi-task language understanding bench- mark.Advances in Neural Information Processing Systems, 37:95266–95290, 2024

    Yubo Wang, Xueguang Ma, Ge Zhang, Yuansheng Ni, Abhranil Chandra, Shiguang Guo, Weiming Ren, Aaran Arulraj, Xuan He, Ziyan Jiang, et al. MMLU- Pro: A more robust and challenging multi-task language understanding bench- mark.Advances in Neural Information Processing Systems, 37:95266–95290, 2024

  46. [46]

    Chain-of-thought prompting elicits reasoning in large language models.Advances in neural information processing systems, 35:24824–24837, 2022

    Jason Wei, Xuezhi Wang, Dale Schuurmans, Maarten Bosma, Fei Xia, Ed Chi, Quoc V Le, Denny Zhou, et al. Chain-of-thought prompting elicits reasoning in large language models.Advances in neural information processing systems, 35:24824–24837, 2022

  47. [47]

    Building virtual iPhone using VPHONE600AP component of recently released PCC firmware

    wh1te4ever. Building virtual iPhone using VPHONE600AP component of recently released PCC firmware. https://github.com/wh1te4ever/super-tart-vphone-writ eup, 2026

  48. [48]

    On targeted manipulation and deception when optimizing llms for user feedback, 2025

    Marcus Williams, Micah Carroll, Adhyyan Narang, Constantin Weisser, Brendan Murphy, and Anca Dragan. On targeted manipulation and deception when optimizing llms for user feedback, 2025

  49. [49]

    Xiaomi HyperAI

    Xiaomi. Xiaomi HyperAI. https://www.mi.com/global/brand/ai/xiaomi-hyperai/, February 2026

  50. [50]

    OpenAI’s GPT Is a Recruiter’s Dream Tool

    Leon Yin, Davey Alba, and Leonardo Nicoletti. OpenAI’s GPT Is a Recruiter’s Dream Tool. Tests Show There’s Racial Bias. https://www.bloomberg.com/gra phics/2024-openai-gpt-hiring-racial-discrimination/, 2024