Anatomy of a Model Extraction Attack
A hacker's perspective: The exact tools and steps used to steal proprietary AI models from Android apps.
Know Your Enemy
To defend your application, you must understand how it is attacked. This is not theoretical; this is the day-to-day workflow of software pirates and competitive intelligence firms.
Here is the standard playbook for extracting an AI model from a defenseless Android app.
The Toolkit
Attackers don't need expensive software. The standard toolkit is free and open-source:
- APKTool: For decompiling resources and manifests.
- JADX-GUI: For reading decompiled Java/Kotlin code.
- Netron: For visualizing neural networks.
- Unzip / 7-Zip: For basic archive handling.
Phase 1: Reconnaissance
The attacker downloads your APK. If you used an App Bundle (AAB), they use a tool like SAI (Split APKs Installer) or standard websites that host raw APKs.
They open the APK in JADX. They search for keywords:
- .tflite
- .ort (ONNX Runtime)
- Interpreter
- assets
Within minutes, they find the line of code that loads the model:
// What the attacker sees in JADX
String modelPath = "models/face_detector_v2.tflite";
MappedByteBuffer tfliteModel = FileUtil.loadMappedFile(context, modelPath);
Phase 2: Extraction
Now they know exactly where it is.
- Rename app.apk -> app.zip.
- Extract.
- Navigate to assets/models/face_detector_v2.tflite.
Time elapsed: < 5 minutes.
Phase 3: Analysis
They don't just "have" the file; they can understand it. They drag the .tflite file into Netron.
Netron displays the entire graph:
- Input tensor (e.g., float32[1, 224, 224, 3])
- Layer architecture (Conv2D -> BatchNorm -> ReLU)
- Output labels (often found in an accompanying .txt file in the same folder)
Phase 4: Repurposing
The attacker can now:
- Clone: Build a copycat app with your exact accuracy but lower price.
- Adversarial Attack: Analyze your weights to find "fooling images" that break your classification.
- Resell: Sell the pre-trained model on black-hat marketplaces.
The TensorSeal Defense
When an attacker tries this on a TensorSeal-protected app:
- JADX: They see TensorSeal.load("encrypted_asset"). No file path.
- Unzip: They find assets/encrypted_asset.lock. It looks like random noise.
- Netron: Opening the .lock file fails with "Invalid Format."
The attack stops at Phase 2. The cost to proceed jumps from $0 to thousands of dollars in specialized reverse-engineering hours.
Make them work for it.