
arxiv: 2607.00362 · v1 · pith:Y5XGOJPO · submitted 2026-07-01 · 💻 cs.CR · cs.AI · cs.LG

SoK: Attack and Defense Landscape of Mobile On-device AI Systems

Pith reviewed 2026-07-02 11:43 UTC · model grok-4.3

classification 💻 cs.CR · cs.AI · cs.LG
keywords mobile on-device AI · security · attacks · defenses · SoK · systematization of knowledge · on-device inference

The pith

This SoK creates the first systematic framework for attacks and defenses in mobile on-device AI systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Mobile on-device AI runs models locally on phones and tablets instead of sending data to the cloud, which brings privacy and speed benefits but also new risks from storing models on the device. The paper surveys existing research to organize these risks into security pillars, an attack landscape, and a defense landscape. It identifies gaps where current work falls short and points to future directions. A reader would care because the framework gives developers and researchers a shared map for securing these systems rather than treating threats case by case.

Core claim

The paper presents the first comprehensive systematization of knowledge on MoAI security, covering the security pillars, attack landscape, and defense landscape of MoAI systems, and establishes the first systematic framework for understanding these landscapes and identifying unresolved research gaps.

What carries the argument

The systematic framework that categorizes MoAI security into pillars, attack landscape, and defense landscape.

Load-bearing premise

The published work surveyed is complete and representative enough to support a full categorization into pillars, attacks, and defenses without major omissions.

What would settle it

A substantial body of MoAI security research that cannot be placed into the proposed categories or a clear major omission that the survey missed.

Figures

Figures reproduced from arXiv: 2607.00362 by Kwok-Yan Lam, Xingliang Yuan, Xin Zheng, Yujin Huang.

Figure 1: Overview of the evolution, system paradigm, and … [image not reproduced]
Figure 2: Overview of a MoAI system. [image not reproduced] Text captured alongside the figure: continuity from user-governed acquisition to model consumption. A failure in either of these can make the system treat adversarial, unintended, or altered data as legitimate input, leading to unsafe behavior. Preserving this integrity requires treating it as an end-to-end security property from user-governed acquisition to model-input handoff, so that data compromised at acquisi…
Figure 3: Cross-pillar security analysis of attacks, defenses, and open problems in M… [image not reproduced]
Original abstract

Mobile on-device AI (MoAI) systems that integrate locally deployed AI models with conventional mobile software components are emerging as a key paradigm for delivering intelligent functionality directly on end-user devices. By moving inference from remote cloud services to the local mobile environment, such systems enable privacy-preserving, low-latency, and offline-capable AI functionality, yet introduce new security risks arising from the local storage of AI models. This paper presents the first comprehensive systematization of knowledge on MoAI security, covering security pillars, attack landscape, and defense landscape of MoAI systems. We further identify unresolved gaps in current attack and defense research and point to promising directions for future research in this emerging area. Our work establishes the first systematic framework for understanding the attack and defense landscapes of MoAI systems, serving as a foundation for building secure MoAI systems and advancing research in this critical domain. Companion resources are available at https://github.com/Jinxhy/Awesome-MoAI-Security.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper claims to present the first comprehensive systematization of knowledge (SoK) on Mobile on-device AI (MoAI) security. It covers security pillars, the attack landscape, and the defense landscape of MoAI systems, identifies unresolved gaps in current attack and defense research, and establishes the first systematic framework for understanding these landscapes. Companion resources are available via a GitHub repository.

Significance. If the survey methodology is sound and the literature coverage complete, this would be a significant contribution as the first SoK in an emerging area. It would provide a useful framework and gap analysis to guide future work on secure MoAI systems. The public GitHub repository is a clear strength that supports community use and reproducibility of the surveyed resources.

major comments (1)
  1. [Abstract] The central claim of presenting the 'first comprehensive' SoK depends on the surveyed body of work being representative. The abstract provides no explicit methodology for paper selection, search strategy, databases, keywords, time bounds, or inclusion/exclusion criteria. This detail is load-bearing for the comprehensiveness assertion; without it, the resulting categorization into pillars/attacks/defenses cannot be verified as complete rather than partial.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback on our SoK manuscript. We address the single major comment below and agree that a revision is warranted.

Point-by-point responses
  1. Referee: [Abstract] The central claim of presenting the 'first comprehensive' SoK depends on the surveyed body of work being representative. The abstract provides no explicit methodology for paper selection, search strategy, databases, keywords, time bounds, or inclusion/exclusion criteria. This detail is load-bearing for the comprehensiveness assertion; without it, the resulting categorization into pillars/attacks/defenses cannot be verified as complete rather than partial.

    Authors: We agree that the abstract does not currently include explicit details on the survey methodology, which is necessary to support the claim of comprehensiveness. The full manuscript contains a dedicated systematization methodology section that specifies the search strategy (systematic queries across Google Scholar, IEEE Xplore, ACM Digital Library, and arXiv), keywords (combinations of 'mobile on-device AI', 'on-device inference security', 'model extraction', 'adversarial attack', etc.), time bounds (primarily 2017–2024 with key earlier foundational works), and inclusion/exclusion criteria (peer-reviewed papers and preprints focused on attacks or defenses for locally deployed mobile AI models, excluding purely cloud-based or non-AI mobile security work). To address the referee's point, we will revise the abstract to concisely summarize this methodology so that the central claim can be properly evaluated.
    revision: yes

Circularity Check

0 steps flagged

No circularity: external literature survey with no internal derivations

Full rationale

This is a systematization of knowledge (SoK) paper whose claims rest entirely on categorization of externally cited prior work rather than any internal equations, fitted parameters, or self-referential definitions. No derivation chain exists that could reduce a 'prediction' or 'result' to its own inputs by construction. The 'first comprehensive' framing depends on the external assumption of survey completeness, but this is not a circular reduction of the kind enumerated (self-definitional, fitted-input prediction, self-citation load-bearing, etc.). The work is self-contained against external benchmarks in the surveyed literature.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on the domain assumption that published MoAI security literature can be exhaustively partitioned into the three pillars chosen by the authors; no free parameters or invented entities are introduced.

axioms (1)
  • domain assumption: Existing publications on mobile on-device AI security collectively cover the relevant attack and defense space in a manner that permits exhaustive categorization.
    Invoked by the abstract's assertion of comprehensive coverage and the claim to be the first such SoK.

pith-pipeline@v0.9.1-grok · 5704 in / 1129 out tokens · 21010 ms · 2026-07-02T11:43:07.919107+00:00 · methodology


Reference graph

Works this paper leans on

68 extracted references · 5 canonical work pages · 1 internal anchor
