9

I searched to understand if there is a technique to keep a trained tensorflow model (.pb file) safe in an Android app but didn't find anything useful. I am releasing an app containing a tensorflow model which I built on a training set. When I release the app, anyone can access the model and use it for his own app. I wonder if there is a way to protect a tensorflow model that I put in the asset folder of my Android application?

This is the way that I load my model in Android:

// Load the frozen GraphDef that ships unprotected in the APK's assets folder
TensorFlowInferenceInterface tf = new TensorFlowInferenceInterface();
tf.initializeTensorFlow(context.getAssets(), "file:///android_asset/model.pb");

I was thinking of embedding the model encrypted in the app and decrypting it at runtime, but if someone debugs the app, they can get the password and decrypt it. Moreover, there is just one implementation of the initializeTensorFlow method in the TensorFlowInferenceInterface class, which only accepts (AssetManager assetManager, String model). It is possible to write one that accepts the encrypted one, but it needs some modification of the Tensorflow C++ library. I wonder if there is a more reliable solution. Any suggestion, please?

TryToBeNice
  • I was too searching for this; even though you can encrypt it, the key would still be vulnerable if somebody decides to debug the app. I am too releasing my app and have no idea about it yet!! – mohit gupta Apr 24 '17 at 12:07
  • How do you decrypt and load the model during runtime? Can you send a link to your app? Thanks – TryToBeNice Apr 26 '17 at 12:43
  • As of now there is no ready-made solution for this; the closest you can get is https://github.com/tensorflow/tensorflow/blob/master/tensorflow/tools/graph_transforms/README.md#obfuscate_names – mohit gupta Apr 27 '17 at 08:24
  • Very nice point! Thanks! – TryToBeNice May 11 '17 at 09:46
  • This is of course a form of DRM (Digital Rights Management), and suffers from the usual flaw. You either give your customers your model, or you don't. You can't do both at the same time. If you don't want to give out the model, deploy it as a cloud service and use a thin app on the mobile. – MSalters Jul 26 '17 at 14:35
  • I give the model to the users, but don't give the name and order of features. Features are retrieved on the first run from the cloud and are saved locally encrypted. Although it can be cracked as well, I think it is the best solution to avoid transmitting data every time the app runs. – TryToBeNice Aug 30 '17 at 09:15

1 Answer

6

As mentioned in the comments, there is no real safe way to keep your model safe when you run it locally. That being said, you can hide your model and make things a tad more difficult than having a .pb around.

Apart from the name obfuscation provided by freeze_graph, a good solution is to compile the model to a binary using XLA AOT compilation with tfcompile. It generates a binary library containing your model as well as a header file to use it. Somebody who wants to peek at your network would then have to go through compiled code, which is a higher bar to clear than reading a .pb file for most people.

P-Gn
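The tfcompile step in the answer needs a tf2xla config that declares the graph's feeds and fetches with static shapes; the following is an added example, not code from the answer or from TensorFlow's own docs, and it assumes a frozen model.pb whose input placeholder is named `input` with shape [1, 224, 224, 3] and whose output node is named `output`.

```protobuf
# model.config.pbtxt (assumed file name): a tf2xla.Config in protobuf text format.
# Every feed must carry a fully specified shape, because tfcompile specialises
# the generated code to those shapes; dynamic batch sizes are not accepted.
feed {
  id { node_name: "input" }     # placeholder name in model.pb (assumed)
  shape {
    dim { size: 1 }
    dim { size: 224 }
    dim { size: 224 }
    dim { size: 3 }
  }
}
fetch {
  id { node_name: "output" }    # node whose value the app reads back (assumed)
}
# Caveat for anyone relying on this as protection: only the graph structure is
# compiled away. The trained weights still live in the object file as constant
# data, so this raises the bar for copying the network, it does not remove it.
```

In a Bazel BUILD file, reference this config from a `tf_library(name = "model_aot", graph = "model.pb", config = "model.config.pbtxt", cpp_class = "app::Model")` rule loaded from `//tensorflow/compiler/aot:tfcompile.bzl` (names assumed); the build then yields a static library plus a header exposing `arg0`, `result0` and `Run()`, which the Android app calls through JNI instead of loading a .pb from assets.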