Unlocking Apple's Private Cloud Compute: An Analysis of Privacy-Preserving Artificial Intelligence
Pith reviewed 2026-06-30 15:36 UTC · model grok-4.3
The pith
Reverse engineering of device binaries opens non-public interfaces for custom queries to a privacy-preserving AI cloud system.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors are the first to reverse-engineer the PCC implementation on mobile devices to evaluate privacy aspects and to open its non-public interfaces on local devices to support custom PCC queries. They demonstrate this level of access beyond Apple's intended use cases by independently benchmarking the PCC model and enable future research by making their PCC benchmarking framework publicly available.
What carries the argument
The reverse-engineered non-public interfaces extracted from device binaries that permit custom queries and privacy testing of the cloud AI system.
If this is right
- Custom queries to the AI system become possible directly from local devices.
- Privacy claims can be tested independently of the vendor's public statements.
- Model accuracy can be measured through external benchmarks.
- A public framework now exists for additional experiments on the system.
Where Pith is reading between the lines
- Similar reverse-engineering techniques could be applied to other closed AI cloud services.
- Third-party tools might emerge that route AI requests through the opened interfaces.
- Ongoing monitoring could reveal whether future updates alter the observed privacy behavior.
Load-bearing premise
The compiled binaries on devices accurately represent the production system and the reverse-engineered interfaces allow faithful evaluation of the privacy properties stated in the public specifications.
What would settle it
A demonstration that a custom query stores identifiable user data or links inputs to accounts would contradict the privacy claims.
Figures
read the original abstract
Many existing Artificial Intelligence (AI) solutions on mobile devices rely on an extensive collection of sensitive data, raising privacy concerns and often requiring storage for both context and model improvement. Apple's Private Cloud Compute (PCC) aims to address this by emphasizing mobile device integration and a privacy-first design. The central claim of PCC is that it does not store any user data and that user input and user accounts are unlinkable. While most of the PCC system specifications are public, compiled binaries add a layer of opaqueness. There are no reproducible builds, and there are no symbols within those binaries, creating potential discrepancies between the specification and what is shipped to the user. Additionally, the underlying models and interfaces for querying PCC are not openly accessible, limiting academic evaluation of model properties, such as accuracy. This poses a challenge in assessing whether a privacy-preserving approach like PCC is actually trustworthy while also providing high-quality answers. We are the first to reverse-engineer the PCC implementation on mobile devices to evaluate privacy aspects and to open its non-public interfaces on local devices to support custom PCC queries. We demonstrate this level of access beyond Apple's intended use cases by independently benchmarking the PCC model. We enable future research by making our PCC benchmarking framework publicly available.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims to be the first to reverse-engineer Apple's Private Cloud Compute (PCC) implementation from stripped binaries on mobile devices, open its non-public interfaces to enable custom PCC queries beyond Apple's intended use cases, independently benchmark the PCC model, and evaluate the core privacy claims (no user data storage; unlinkability of user input and accounts). It releases a public benchmarking framework to support future research, addressing the opaqueness introduced by non-reproducible builds and lack of symbols in the binaries.
Significance. If the reverse-engineered interfaces and observed behavior faithfully match the production PCC system, the work would be significant for enabling independent academic scrutiny of a large-scale privacy-preserving AI deployment and for lowering barriers to model evaluation. The public release of the benchmarking framework is a clear strength that supports reproducibility and extension by others. The empirical focus on real device binaries provides a concrete contribution to the study of deployed privacy systems.
major comments (2)
- [Methodology (reverse-engineering)] Methodology section describing the reverse-engineering process: the central privacy evaluation (no data storage, unlinkability) rests on the assumption that behavior extracted from device binaries matches the production server-side PCC. No side-by-side comparison of the reverse-engineered client against the public specification is presented under controlled conditions to detect divergence in logging, attestation, or query handling; this is load-bearing for the unlinkability claims.
- [Benchmarking and evaluation] Benchmarking and evaluation section: the abstract and results provide no details on validation steps, specific metrics, datasets, or how custom queries were used to test privacy properties and model accuracy. Without these, it is not possible to determine whether the empirical findings support the claim that PCC meets its stated privacy guarantees while delivering high-quality answers.
minor comments (2)
- [Abstract] The abstract states the central claims but supplies no concrete details on the reverse-engineering steps, validation, or benchmark outcomes; adding a short summary of these would improve clarity for readers.
- [Introduction] Terminology around 'non-public interfaces' and 'custom PCC queries' could be defined more precisely on first use to avoid ambiguity about what exactly has been opened.
Simulated Author's Rebuttal
We thank the referee for their constructive comments, which help clarify the presentation of our reverse-engineering and evaluation methodology. We respond to each major comment below.
read point-by-point responses
-
Referee: [Methodology (reverse-engineering)] Methodology section describing the reverse-engineering process: the central privacy evaluation (no data storage, unlinkability) rests on the assumption that behavior extracted from device binaries matches the production server-side PCC. No side-by-side comparison of the reverse-engineered client against the public specification is presented under controlled conditions to detect divergence in logging, attestation, or query handling; this is load-bearing for the unlinkability claims.
Authors: The analysis is grounded in the client-side binaries on user devices, which implement query construction, attestation, and response handling for PCC servers. We validated extracted behaviors against the publicly documented PCC specifications for attestation protocols, logging indicators, and query formats, confirming consistency with the stated privacy mechanisms. A controlled side-by-side comparison against live production servers is not feasible for independent researchers due to lack of server access and would require privileged infrastructure unavailable in this setting. We will revise the methodology section to detail the specific validation steps performed against the public specification and explicitly discuss this limitation, thereby strengthening the presentation of the unlinkability evaluation. revision: partial
-
Referee: [Benchmarking and evaluation] Benchmarking and evaluation section: the abstract and results provide no details on validation steps, specific metrics, datasets, or how custom queries were used to test privacy properties and model accuracy. Without these, it is not possible to determine whether the empirical findings support the claim that PCC meets its stated privacy guarantees while delivering high-quality answers.
Authors: We agree that the evaluation section requires expanded detail for reproducibility. Custom queries via the reverse-engineered interfaces were used to test privacy properties by repeating identical queries (to detect any storage or caching) and varying account contexts (to check for unlinkability via response correlation). Benchmarking employed standard public datasets for model accuracy (e.g., question-answering tasks) with metrics including response quality scores and latency. We will revise the benchmarking and evaluation section to include these validation steps, specific metrics, datasets, and query usage details. revision: yes
Circularity Check
No circularity: empirical reverse-engineering study with no derivations or fitted inputs
full rationale
The paper performs reverse-engineering of device binaries, opens non-public interfaces, and benchmarks PCC models. No mathematical derivations, equations, parameter fitting, or self-citation chains appear in the described work. Claims rest on direct empirical observation of binaries and comparison to public specifications, which are independent of the paper's own outputs. This matches the default case of a self-contained empirical study.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Absurd trolley problems
Neal Agarwal. Absurd trolley problems. an interactive web-based game exploring humorous and philosophical variations of the trolley problem. https://neal.fun/ absurd-trolley-problems/, 2026
2026
-
[2]
Antropic. Is my data used for model training? https://privacy.claude.com/en/art icles/10023580-is-my-data-used-for-model-training, February 2026
-
[3]
Apple Intelligence
Apple. Apple Intelligence. https://www.apple.com/apple-intelligence/, February 2026
2026
-
[4]
Attested Request Handling
Apple. Attested Request Handling. https://security.apple.com/documentation /private-cloud-compute/requesthandling, February 2026
2026
-
[5]
Cloud Attestation
Apple. Cloud Attestation. https://security.apple.com/documentation/private- cloud-compute/softwarelayering#Cloud-Attestation, February 2026
2026
-
[6]
Non-Targetability
Apple. Non-Targetability. https://security.apple.com/documentation/private- cloud-compute/nontargetability, February 2026
2026
-
[7]
Private Cloud Compute Security Guide
Apple. Private Cloud Compute Security Guide. https://security.apple.com/docu mentation/private-cloud-compute, February 2026
2026
-
[8]
Private Cloud Compute Source Code
Apple. Private Cloud Compute Source Code. https://github.com/apple/security- pcc, March 2026
2026
-
[9]
Request Flow
Apple. Request Flow. https://security.apple.com/documentation/private-cloud- compute/requestflow, February 2026
2026
-
[10]
Token Granting Token Validator – OTT Salt
Apple. Token Granting Token Validator – OTT Salt. https://github.com/apple /security-pcc/blob/410883f7dfc76ab5e6f4f9c5d5543510b4ff7134/CloudBoard/ Sources/CloudBoardJobHelperCore/Auth/TokenGrantingTokenValidator.swift #L166-L176, February 2026
2026
-
[11]
Token Granting Token Validator – TGT Verification
Apple. Token Granting Token Validator – TGT Verification. https://github.com/ apple/security-pcc/blob/410883f7dfc76ab5e6f4f9c5d5543510b4ff7134/CloudBoa rd/Sources/CloudBoardJobHelperCore/Auth/TokenGrantingTokenValidator. swift#L89-L111, February 2026
2026
-
[12]
Virtual Research Environment
Apple. Virtual Research Environment. https://security.apple.com/documentat ion/private-cloud-compute/virtualresearchenvironment, February 2026
2026
-
[13]
Mmlu-pro leaderboard, 2025
Open Benchmarks and Kaggle. Mmlu-pro leaderboard, 2025
2025
-
[14]
Language models are few-shot learners.Advances in neural infor- mation processing systems, 33:1877–1901, 2020
Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. Language models are few-shot learners.Advances in neural infor- mation processing systems, 33:1877–1901, 2020
1901
-
[15]
S. Celi, A. Davidson, S. Valdez, and C. A. Wood. Privacy Pass Issuance Protocols. Technical Report RFC9578, 2024
2024
-
[16]
Starshields for iOS: Navigating the Security Cosmos in Satellite Com- munication
Jiska Classen, Alexander Heinrich, Fabian Portner, Felix Rohrbach, and Matthias Hollick. Starshields for iOS: Navigating the Security Cosmos in Satellite Com- munication. InNDSS, 2025
2025
-
[17]
Frank Denis, Frederic Jacobs, and Christopher A. Wood. RSA Blind Signatures. Technical Report RFC9497, 2023
2023
-
[18]
Trolley Problem.Encyclopædia Britannica, 2026
Brian Duignan. Trolley Problem.Encyclopædia Britannica, 2026
2026
-
[19]
Apple Intelligence Foundation Language Models: Tech Report
Ethan Li et al. Apple Intelligence Foundation Language Models: Tech Report
- [20]
-
[21]
GhidraApple. gxpc. https://github.com/ReverseApple/gxpc, February 2026
2026
-
[22]
Ask more of your phone with Google Pixel 10
Google. Ask more of your phone with Google Pixel 10. https://store.google.com/ us/magazine/google-pixel-phones, February 2026
2026
-
[23]
Google. Gemini Apps Privacy Hub – How long we retain your data. https: //support.google.com/gemini/answer/13594961, February 2026
-
[24]
Joint statement from Google and Apple
Google. Joint statement from Google and Apple. https://blog.google/company-ne ws/inside-google/company-announcements/joint-statement-google-apple/, Jan- uary 2026
2026
-
[25]
Moral Foundations Test
Jonathan Haidt, Jesse Graham, and Collaborators. Moral Foundations Test. The website provides information and resources related to Moral Foundations Theory, first proposed by Haidt and Joseph in 2004. https://moralfoundations.github.io, 2012
2004
-
[26]
Measuring Massive Multitask Language Understand- ing, 2021
Dan Hendrycks, Collin Burns, Steven Basart, Andy Zou, Mantas Mazeika, Dawn Song, and Jacob Steinhardt. Measuring Massive Multitask Language Understand- ing, 2021
2021
-
[27]
MMLU-Pro Leaderboard
Huggingface. MMLU-Pro Leaderboard. https://huggingface.co/spaces/TIGER- Lab/MMLU-Pro, 2026
2026
-
[28]
MMLU Leaderboard
Kaggle. MMLU Leaderboard. https://www.kaggle.com/benchmarks/open-be nchmarks/mmlu, 2025
2025
-
[29]
Privacy promises unmasked: A comprehensive study of privacy proxies for the masses
Heiko Kiesel and Jiska Classen. Privacy promises unmasked: A comprehensive study of privacy proxies for the masses. InProceedings of the Twenty-Sixth International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing, MobiHoc ’25, pages 351–360, New York, NY, USA, 2025. Association for Computing Machinery
2025
-
[30]
Technolo- geeks.com, 2019
Jonathan Levin.*OS Internals, Volume III, Security and Insecurity. Technolo- geeks.com, 2019
2019
-
[31]
Technologeeks.com, 2020
Jonathan Levin.*OS Internals, Volume I, User Space. Technologeeks.com, 2020
2020
-
[32]
Sycophancy in large language models: Causes and mitigations
Lars Malmqvist. Sycophancy in large language models: Causes and mitigations. In Kohei Arai, editor,Intelligent Computing, pages 61–74, Cham, 2025. Springer Nature Switzerland
2025
-
[33]
Le kit de piratage des serveurs d’Apple
Mathieu. Le kit de piratage des serveurs d’Apple. https://matteyeux.com/posts /2024-11-01-pcc-2/, 2024
2024
-
[34]
16Personalities: Free personality test, type descriptions, relationship and career advice
NERIS Analytics Limited. 16Personalities: Free personality test, type descriptions, relationship and career advice. A commercial website offering a personality questionnaire loosely based on the Myers-Briggs Type Indicator and Big Five personality traits. https://www.16personalities.com, 2024
2024
-
[35]
How your data is used to improve model performance
OpenAI. How your data is used to improve model performance. https://openai. com/policies/how-your-data-is-used-to-improve-model-performance, February 2026
2026
-
[36]
Tommy Pauly, Steven Valdez, and Christopher A. Wood. The Privacy Pass HTTP Authentication Scheme. Technical Report RFC9577, 2024
2024
-
[37]
Proxy discrimination in the age of artificial intelligence and big data.Iowa L
Anya ER Prince and Daniel Schwarcz. Proxy discrimination in the age of artificial intelligence and big data.Iowa L. Rev., 105:1257, 2019
2019
-
[38]
Ole André V. Ravnås. Frida. frida.re, February 2026
2026
-
[39]
Watch- Witch: Interoperability, Privacy, and Autonomy for the Apple Watch.Proceedings on Privacy Enhancing Technologies, 2025
Nils Rollshausen, Alexander Heinrich, Matthias Hollick, and Jiska Classen. Watch- Witch: Interoperability, Privacy, and Autonomy for the Apple Watch.Proceedings on Privacy Enhancing Technologies, 2025
2025
-
[40]
Galaxy AI
Samsung. Galaxy AI. https://www.samsung.com/us/galaxy-ai/, February 2026
2026
-
[41]
Are Emergent Abilities of Large Language Models a Mirage?Advances in neural information processing systems, 36:55565–55581, 2023
Rylan Schaeffer, Brando Miranda, and Sanmi Koyejo. Are Emergent Abilities of Large Language Models a Mirage?Advances in neural information processing systems, 36:55565–55581, 2023
2023
-
[42]
airdrop-keychain-extractor
Milan Stute. airdrop-keychain-extractor. https://github.com/seemoo-lab/airdrop- keychain-extractor, December 2020
2020
-
[43]
A billion open interfaces for eve and mallory: MitM, DoS, and tracking attacks on iOS and macOS through apple wireless direct link
Milan Stute, Sashank Narain, Alex Mariotto, Alexander Heinrich, David Kre- itschmann, Guevara Noubir, and Matthias Hollick. A billion open interfaces for eve and mallory: MitM, DoS, and tracking attacks on iOS and macOS through apple wireless direct link. In28th USENIX Security Symposium (USENIX Security 19), pages 37–54, Santa Clara, CA, August 2019. USE...
2019
-
[44]
Apple Intelligence Foundation Language Models
Tom Gunter et al. Apple Intelligence Foundation Language Models. https: //arxiv.org/abs/2407.21075, 2024
-
[45]
MMLU- Pro: A more robust and challenging multi-task language understanding bench- mark.Advances in Neural Information Processing Systems, 37:95266–95290, 2024
Yubo Wang, Xueguang Ma, Ge Zhang, Yuansheng Ni, Abhranil Chandra, Shiguang Guo, Weiming Ren, Aaran Arulraj, Xuan He, Ziyan Jiang, et al. MMLU- Pro: A more robust and challenging multi-task language understanding bench- mark.Advances in Neural Information Processing Systems, 37:95266–95290, 2024
2024
-
[46]
Chain-of-thought prompting elicits reasoning in large language models.Advances in neural information processing systems, 35:24824–24837, 2022
Jason Wei, Xuezhi Wang, Dale Schuurmans, Maarten Bosma, Fei Xia, Ed Chi, Quoc V Le, Denny Zhou, et al. Chain-of-thought prompting elicits reasoning in large language models.Advances in neural information processing systems, 35:24824–24837, 2022
2022
-
[47]
Building virtual iPhone using VPHONE600AP component of recently released PCC firmware
wh1te4ever. Building virtual iPhone using VPHONE600AP component of recently released PCC firmware. https://github.com/wh1te4ever/super-tart-vphone-writ eup, 2026
2026
-
[48]
On targeted manipulation and deception when optimizing llms for user feedback, 2025
Marcus Williams, Micah Carroll, Adhyyan Narang, Constantin Weisser, Brendan Murphy, and Anca Dragan. On targeted manipulation and deception when optimizing llms for user feedback, 2025
2025
-
[49]
Xiaomi HyperAI
Xiaomi. Xiaomi HyperAI. https://www.mi.com/global/brand/ai/xiaomi-hyperai/, February 2026
2026
-
[50]
OpenAI’s GPT Is a Recruiter’s Dream Tool
Leon Yin, Davey Alba, and Leonardo Nicoletti. OpenAI’s GPT Is a Recruiter’s Dream Tool. Tests Show There’s Racial Bias. https://www.bloomberg.com/gra phics/2024-openai-gpt-hiring-racial-discrimination/, 2024
2024
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.