Why ProGuard and R8 Won't Save Your AI Model
Obfuscation isn't encryption. Discover why standard Android security tools leave your .tflite files completely exposed.
The Obfuscation Myth
If you're an Android developer, you likely rely on ProGuard or R8 to shrink and obfuscate your code. You meticulously configure your proguard-rules.pro to make sure your class names are unreadable and your logic is hard to reverse-engineer.
You probably think this protects your intellectual property.
You are wrong.
Code vs. Assets
ProGuard and R8 operate on the bytecode compiled from your Java and Kotlin sources. They rename classes, fields, and methods. They optimize instruction sequences. They are fantastic tools for protecting your source code.
However, your AI model is not source code. It is an asset.
When you build your APK, your .tflite model usually lives in one of two places:
- src/main/assets/
- src/main/res/raw/
ProGuard does not touch these directories.
The "Unzip" Vulnerability
An APK is simply a ZIP archive. Any user can rename app.apk to app.zip and extract it.
When they do, they will see a folder structure like this:
/assets
├── fonts/
├── images/
└── model.tflite <-- YOUR $50k INTELLECTUAL PROPERTY
It is byte-for-byte identical to the file on your development machine. No encryption. No obfuscation. Just a raw file, ready to be loaded into Netron or dropped into a competitor's app.
"But I hid it in a custom format!"
Some developers try to get clever. They change the extension to .png or append some junk bytes to the header.
This is security through obscurity, and it fails against even a junior reverse engineer.
- File Signatures: A simple binwalk scan reveals the TFLite magic bytes (TFL3) immediately, regardless of the file extension.
- Strings Analysis: Running strings classes.dex often reveals the exact filename or loading logic.
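A release check that looks at your own APK the way the signature scan above does, as an added example (not code from the original page or from TensorSeal): it opens the APK as a ZIP and flags every entry carrying the TFL3 identifier, whatever its extension and even behind a padded header. The function names, the 4 KB scan window and the in-memory sample APK are assumptions made for this illustration.

```python
import io
import zipfile

TFLITE_ID = b"TFL3"  # FlatBuffers file identifier used by TensorFlow Lite
ID_OFFSET = 4        # it sits right after the 4-byte root table offset


def find_plaintext_models(apk, scan_limit=4096):
    """Return [(entry_name, model_start)] for APK entries whose first
    scan_limit bytes contain the TFLite identifier.
    model_start == 0 is an untouched model; > 0 means bytes were prepended."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:      # transparently inflates the entry
                head = fh.read(scan_limit)
            pos = head.find(TFLITE_ID)
            if pos >= ID_OFFSET:           # room for the root offset before it
                findings.append((info.filename, pos - ID_OFFSET))
    return findings


def build_sample_apk():
    """Constructed sample: a tiny in-memory ZIP standing in for an APK."""
    fake_model = (16).to_bytes(4, "little") + TFLITE_ID + bytes(56)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/model.tflite", fake_model)
        # Renamed to .png with junk bytes prepended: still detected.
        zf.writestr("assets/images/logo.png", b"JUNKJUNK" + fake_model)
        # Stand-in for an encrypted container: no identifier to find.
        zf.writestr("assets/model.enc", bytes(range(64)))
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(32))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, start in find_plaintext_models(build_sample_apk()):
        print(f"plaintext TFLite model: {name} (model starts at byte {start})")
```

Pass the path to a real release APK instead of the sample to use it as a CI gate; a 4-byte match can occasionally occur by chance in unrelated files, so review hits before failing the build.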
The Solution: Encryption + In-Memory Loading
To truly protect your model, you must ensure it never exists in a readable state on the disk.
This requires a three-step architecture:
- Encryption at Rest: The model file in the APK must be encrypted (e.g., AES-256).
- JNI Decryption: The decryption logic should live in a compiled C++ library, not in easily-decompiled Java.
- In-Memory Inference: The decrypted bytes must be fed directly to the TensorFlow Lite interpreter's memory mapping, bypassing the file system entirely.
This is exactly what TensorSeal automates. We provide the encrypted container and the hardened JNI bridge, so you can ship with confidence.
Stop trusting ProGuard with files it was never meant to protect.