Unlocking AI: Extracting Models from Mobile Apps
This blog post was automatically generated (and translated). It is based on the following original, which I selected for publication on this blog:
You wouldn’t download an AI – by Altay Akkus – Altay’s Blog.
Artificial intelligence is increasingly integrated into mobile applications, offering a range of features from image filters to real-time object detection. This integration brings AI closer to the user, running models directly on devices. But what happens when curiosity is piqued and the desire to understand these models arises?
Take, for instance, Microsoft's Seeing AI app, designed as a "talking camera for the blind." This tool assists visually impaired users by describing objects, documents, and currency. Its currency detection feature, supporting numerous currencies and bills, is particularly useful.
The Anatomy of an Android App
Android apps are packaged as APK files, which contain all the necessary components for the app to function. These include the application binary, resources like fonts and images, and crucially, AI models. Given their nature as files, AI models are often stored alongside these assets.
To examine an APK's contents, tools like apktool can decompile it, unpacking its structure into a folder for closer inspection. Within these folders, files such as "currency" and "currency-labels.txt" might be found, hinting at the presence of an AI model.
The Challenge of Encryption
However, these files are often encrypted, presenting a challenge. Developers employ various methods to protect their models, making direct access difficult. While reverse-engineering decryption methods is possible, it can be time-consuming.
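An added example, not code from the original post or from any app it mentions: a developer-side audit that opens an APK as the ZIP archive it is and reports which assets are plaintext TensorFlow Lite models (FlatBuffers identifier TFL3 at bytes 4 to 8) and which are high-entropy, as encrypted files are. The sample archive, the asset name plain_model.tflite, the function names and the 7.5 bits-per-byte threshold are constructed assumptions.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

TFLITE_IDENT = b"TFL3"  # FlatBuffers file identifier, stored at bytes 4..8

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, threshold: float = 7.5) -> str:
    """threshold is an assumed cut-off, not a value from the original post."""
    if data[4:8] == TFLITE_IDENT:
        return "plaintext-tflite"
    # Small files give unreliable entropy estimates, so skip them.
    if len(data) >= 1024 and shannon_entropy(data) >= threshold:
        return "high-entropy"  # encrypted, or merely compressed (e.g. PNG)
    return "other"

def audit_apk(apk, prefix: str = "assets/") -> dict:
    """Classify every file under prefix in an APK, which is a ZIP archive."""
    report = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if not info.is_dir() and info.filename.startswith(prefix):
                report[info.filename] = classify(zf.read(info))
    return report

def build_sample_apk() -> io.BytesIO:
    """Constructed sample input: three fake assets in a ZIP, not a real app."""
    plain = b"\x1c\x00\x00\x00" + TFLITE_IDENT + bytes(2048)
    # Deterministic pseudo-random bytes stand in for an encrypted model file.
    opaque = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/plain_model.tflite", plain)
        zf.writestr("assets/currency", opaque)
        zf.writestr("assets/currency-labels.txt", "USD\nEUR\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, verdict in audit_apk(build_sample_apk()).items():
        print(f"{verdict:18}{path}")
```

A "high-entropy" verdict only says the file is not readable as stored; it says nothing about whether the model stays protected once the app loads it.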
Circumventing Encryption: A Practical Approach
Encryption only protects the file at rest: ultimately, the model must be decrypted and loaded into a neural inference engine such as TensorFlow Lite. By observing the app's processes at runtime, it becomes possible to intercept the model as it is being loaded into the engine. Tools like Frida, a dynamic instrumentation toolkit, enable the monitoring and modification of an app's behavior. With Frida, one can trace function calls and even overwrite methods.
By tracing calls to org.tensorflow.lite.NativeInterpreterWrapper, the moment the app calls .createModelWithBuffer(java.nio.ByteBuffer, long) can be observed. This java.nio.ByteBuffer likely contains the unencrypted *.tflite model.
Extracting and Verifying the Model
Using Frida, a script can be implemented to dump the model to disk. The extracted file can then be verified using tools like Netron, a neural network visualization tool. If Netron can read the file, it confirms the successful extraction of the TensorFlow Lite model, complete with weights and biases.
Implications and Ethical Considerations
This technique can be applied to other apps that utilize TensorFlow Lite, potentially allowing for the extraction of various AI models. Adobe Scan, for example, could be vulnerable to this type of extraction.
It's crucial to remember that AI models are typically considered intellectual property. Utilizing or modifying extracted models without explicit permission from the owner is a legal risk. As AI becomes more integrated into our daily lives, the accessibility and security of these models will undoubtedly be a subject of ongoing discussion. Is this development beneficial for innovation and understanding, or does it pose a significant risk to intellectual property and security? This question remains open for consideration.