[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84554-en":3,"doc-seo-84554-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84554,34359740700684,"Finn","https://ap-avatar.wpscdn.com/avatar/1f400023980c374ae676?_k=1777273430885731487",8,"Research & Report","SoK Attack and Defense Landscape of Mobile On-device AI Systems","Mobile on-device AI (MOAI) systems run locally deployed AI models within standard mobile software, enabling privacy-preserving, low-latency, and offline-capable intelligent features. Moving inference from remote cloud services to the device improves user experience yet expands the threat surface because models and related artifacts must be stored on end-user hardware. This work systematizes MOAI security by defining security pillars, mapping the attack landscape and defense landscape, highlighting research gaps, and proposing directions to guide future secure MOAI design.","SoK: Attack and Defense Landscape of Mobile On-device AI Systems  \nYujin Huang∗ , Xin Zheng†, Xingliang Yuan∗ , Kwok-Yan Lam§  \n∗ The University of Melbourne, †RMIT University, § Nanyang Technological University  \n{jinx.huang, [xingliang.yuan](xingliang.yuan}@unimelb.edu.au)[}](xingliang.yuan}@unimelb.edu.au)[@unimelb.edu.au](xingliang.yuan}@unimelb.edu.au), [xin.zheng2@rmit.edu.au](xin.zheng2@rmit.edu.au),‡[kwokyan.lam@ntu.edu.sg](kwokyan.lam@ntu.edu.sg)  \narXiv :2607 .00362v 1 [ cs .CR] 1 Jul 2026  \nAbstract—Mobile on-device AI (MOAI) systems that integrate locally deployed AI models with conventional mobile software components are emerging as a key paradigm for delivering intelligent functionality directly on end-user devices. By moving inference from remote cloud services to the local mobile environment, such systems enable privacy-preserving, lowlatency, and offline-capable AI functionality, yet introduce new security risks arising from the local storage of AI models. This paper presents the first comprehensive systematization of knowledge on MOAI security, covering security pillars, attack landscape, and defense landscape of MOAI systems. We further identify unresolved gaps in current attack and defense research and point to promising directions for future research in this emerging area. Our work establishes the first systematic framework for understanding the attack and defense landscapes of MOAI systems, serving as a foundation for building secure MOAI systems and advancing research in this critical domain. Companion resources are available at [https://github.com/Jinxhy/Awesome-MoAI-Security](https://github.com/Jinxhy/Awesome-MoAI-Security).  \n1. Introduction  \nMobile on-device AI (MOAI) systems are emerging asa mainstream paradigm for delivering intelligent services directly on end-user smartphones. Modern mobile apps increasingly rely on this paradigm to support AI-powered features such as image inpainting [35], extractive question answering [16], and speaker diarization [18] without continuous cloud connectivity. As shown in Figure 1a, this trend has been accelerated by the availability of dedicated AI hardware in latest mobile devices, such as Google Tensor [6], Apple Neural Engine [9], and Qualcomm Hexagon [13] . More recently, Google’s Gemma 4 family [5], particularly its E2B and E4B variants for mobile deployment, illustrates this shift as increasingly capable generative and reasoning models now target practical local deployment on end-user devices. Compared to offloading AI from mobile devices to the cloud in Figure 1b, MOAI offers several distinct advantages. These include improved privacy as sensitive data is processed locally on end-user devices, lower inference latency since there is no need to transmit data to remote servers, and continued functionality in scenarios where network connectivity is unavailable [28], [52], [60] .  \nDespite the manifold benefits, MOAI system inevitably stores models on end-user devices, which introduces new security threats. As shown in Figure 1c, an attacker can fully  \nParameter Scale (Log Scale)  \n\n|  |  |  |  | Gemini\u003Cbr>1.8B (Pixe | Nano\u003Cbr>l 8 Pro)  |  |  |  |  |\n| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |\n|  |  |  |  |  |  |  |  |  |  |\n|  |  |  |  |  |  |  |  |  |  |\n|  |  |  |  |  |  |  |  |  |  |\n\n10B (1,0000 M)  \n1B (1,000 M)  \n100M  \n10M  \n1M  \nMobileNetV2  \n 3.4M  \nPhi-3 Mini  \n3.8B  \nGemma 4 E2B  \n2B  \nGemma 4 E4B  \n4B  \n2018 2019 2020 2021 2022 2023 2024 2025 2026  \nRelease Year  \n(a) Evolution of mobile on-device AI systems.  \n(b) Comparison between cloud-based vs. MOAI paradigms.  \n(c) Attack surface and defense phase in MOAI system.  \nFigure 1: Overview of the evolution, system paradigm, and security scope of MOAI systems.  \nextract on-device models and inference-related information through techniques such as reverse engineering or device memory dumping. This exposes multiple attack surfaces and facilitates a wide range of representative atta","cbCaiujEnKVN47nI","https://ap.wps.com/l/cbCaiujEnKVN47nI","pdf",2767604,1,15,"English","en",105,"# Introduction\n## Mobile on-device AI advantages\n## Security risks and attack surfaces\n## Related work and research gap\n## Paper contributions and approach","[{\"question\":\"What makes mobile on-device AI (MOAI) different from cloud-based inference?\",\"answer\":\"MOAI runs inference locally on the end-user device, which improves privacy, reduces latency by avoiding data transfer, and supports offline operation when connectivity is unavailable.\"},{\"question\":\"Why do MOAI systems introduce new security threats?\",\"answer\":\"Because MOAI must store AI models and inference-related information on the device, attackers can extract or manipulate these artifacts through methods such as reverse engineering or device memory dumping.\"},{\"question\":\"What security aspects does the paper systematize for MOAI systems?\",\"answer\":\"The paper organizes knowledge on MOAI security by deriving core security pillars, systematizing the attack landscape via threat-model analysis, and mapping defense mechanisms across deployment phases.\"}]",1784196678,38,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"sok-attack-and-defense-landscape-of-mobile-on-device-ai-systems","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/sok-attack-and-defense-landscape-of-mobile-on-device-ai-systems/84554/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What makes mobile on-device AI (MOAI) different from cloud-based inference?","Question",{"text":75,"@type":76},"MOAI runs inference locally on the end-user device, which improves privacy, reduces latency by avoiding data transfer, and supports offline operation when connectivity is unavailable.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"Why do MOAI systems introduce new security threats?",{"text":80,"@type":76},"Because MOAI must store AI models and inference-related information on the device, attackers can extract or manipulate these artifacts through methods such as reverse engineering or device memory dumping.",{"name":82,"@type":73,"acceptedAnswer":83},"What security aspects does the paper systematize for MOAI systems?",{"text":84,"@type":76},"The paper organizes knowledge on MOAI security by deriving core security pillars, systematizing the attack landscape via threat-model analysis, and mapping defense mechanisms across deployment phases.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]