The app is signed and official. The model inside it isn't.
Scenario · Tampered On-Device Model
“An attacker reverse-engineers a mobile app and replaces its bundled model with a tampered version that misleads users or exfiltrates data.”
Researchers demonstrated this at scale with DeepPayload (ICSE 2021): they pulled apart real Android apps, injected a malicious “neural payload” into the on-device model, and repackaged the app. Examining machine-learning apps from Google Play, they found 54 real apps vulnerable — including popular, security-critical ones.
Why it matters: the model ships inside the app, on the user's device, where the attacker has full access to the file. No server to breach — just edit the model and re-sign the package. The backdoor triggers on conditions the attacker chooses.
Why Edge = Hardest
Once a model lives on a device you don't control, you've lost the home-field advantage. This is exactly why OWASP's edge mitigations (encryption + integrity checks + vendor attestation) exist — you'll see them on slide 27.
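As an added illustration of the "integrity checks" mitigation (not code from DeepPayload, OWASP or any app), this sketch audits the model files bundled in an APK against digests the publisher recorded at release time. The manifest, the file suffixes treated as models, and all function names are assumptions, and the sample "APKs" are constructed in memory.

```python
import hashlib
import hmac
import io
import zipfile

MODEL_SUFFIXES = (".tflite", ".pt", ".onnx")  # assumption: formats treated as models


def model_digests(apk_bytes):
    """Return {path: sha256 hex} for every bundled model file in an APK (a zip)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.filename.lower().endswith(MODEL_SUFFIXES):
                digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def audit_models(apk_bytes, expected):
    """Compare bundled models with the publisher manifest; [] means all matched."""
    found = model_digests(apk_bytes)
    findings = []
    for path, want in expected.items():
        got = found.get(path)
        if got is None:
            findings.append((path, "missing"))
        elif not hmac.compare_digest(got, want):
            findings.append((path, "modified"))
    # A model the publisher never shipped is as suspicious as a changed one.
    for path in found.keys() - expected.keys():
        findings.append((path, "unexpected"))
    return sorted(findings)


def build_apk(files):
    """Constructed sample: a minimal zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not taken from a real app.
ORIGINAL = build_apk({"assets/classifier.tflite": b"original-weights",
                      "classes.dex": b"code"})
MANIFEST = model_digests(ORIGINAL)  # recorded by the publisher at release time
REPACKAGED = build_apk({"assets/classifier.tflite": b"original-weights+payload",
                        "assets/extra.tflite": b"second-model",
                        "classes.dex": b"code"})

if __name__ == "__main__":
    print(audit_models(ORIGINAL, MANIFEST))
    print(audit_models(REPACKAGED, MANIFEST))
```

The same comparison done inside the app ships in the package the attacker is already editing, so it can be removed along with the model. Running it from the release pipeline or against copies found in the wild keeps the reference digests outside the device.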