Apple has spent years telling us that privacy starts on the device. For many users, that message feels reassuring. Your messages, photos, emails and app data sit in your hand, protected by Face ID, passcodes and Apple’s security layers. Now, new research gives Apple’s on-device AI a reality check.

Researchers with RSAC Research found a way to manipulate Apple Intelligence using prompt injection, adversarial prompts and Unicode tricks. In 100 tests, they reported a 76% success rate against the on-device model used by Apple Intelligence. The researchers disclosed the findings to Apple on October 15, 2025. Apple later hardened protections in iOS 26.4 and macOS 26.4, according to RSAC.

Here’s the part that should get your attention: this kind of attack may not require someone to steal your iPhone, crack your passcode or break into Apple’s servers. It could start with carefully crafted text that tricks the AI into doing something you never asked it to do. If your phone’s AI can read, summarize, rewrite or help apps take action, attackers will try to trick it into doing things you never intended.

So what can you do? Start by understanding how this attack works, why Apple patched it and which settings can lower your risk.

APPLE TAPS GOOGLE GEMINI TO POWER APPLE INTELLIGENCE

Join CyberGuy Live: Lock Down Your Phone in 30 Minutes (Saturday, June 13, 10 am ET)

• Your phone holds your email, passwords, photos, banking apps and personal data. In this free, live online class, Kurt the CyberGuy will walk you step by step through simple phone security fixes you can do in real time. You’ll learn how to improve your privacy settings, spot the latest phone scams, use trusted security tools and walk away with a simple checklist to stay protected. Register here: CyberGuyLive.com 

What researchers found in Apple Intelligence

RSAC researchers tested the on-device large language model built into Apple’s operating systems. That’s important because third-party apps can access Apple Intelligence through system tools and APIs.

Their attack used two main techniques. The first, called Neural Exec, used strange-looking prompts designed to confuse the model and push it toward a specific response. The second used Unicode’s right-to-left override feature. That feature can make text appear in a different direction, which may help hide malicious instructions from filters while still influencing the model.

NEW EMAIL SCAM USES HIDDEN CHARACTERS TO SLIP PAST FILTERS

In simple terms, the attack tried to sneak instructions past Apple’s AI safeguards. The prompts may look meaningless to you and me. Yet the model may still interpret them as commands. That is where the risk grows. Apple Intelligence can connect to apps and system features. So a manipulated response could do more than produce a strange answer. In a worst-case scenario, attackers could try to manipulate data or functions available to an Apple Intelligence-enabled app, especially if that app has access to sensitive information.

Why Apple Intelligence prompt injection matters

Prompt injection is one of the biggest security problems facing AI tools. It happens when attackers hide instructions inside text that an AI model later reads. Think about a suspicious email, a strange document or a webpage with hidden text. You may see one thing. The AI model may process something else.

That creates a new kind of risk. An attacker may not need to break into your iPhone. They may only need to get a carefully crafted message, file or app input in front of the AI model.

OPENAI ADMITS AI BROWSERS FACE UNSOLVABLE PROMPT ATTACKS

If an app asks Apple Intelligence to summarize that content, rewrite it or act on it, the hidden prompt could try to steer the response. For you, that means AI safety now depends on more than strong passwords and software updates. It also depends on how well AI tools handle hostile instructions.

How Apple Intelligence works on your iPhone

Apple Intelligence uses a hybrid design. Some tasks run directly on your iPhone, iPad or Mac. More complex requests may move through Apple’s Private Cloud Compute system.

Apple has framed that setup as a privacy-focused alternative to cloud-only AI tools. That approach makes sense. Keeping more processing on your device can reduce how much personal data leaves your phone.

However, local AI does not automatically mean risk-free AI. RSAC’s research shows that deeper system access can create a larger attack surface. The more Apple Intelligence connects with apps and system features, the more important the guardrails become.

A simple writing tool carries one level of risk. An AI tool that understands personal context and works across apps carries a higher one.

Why this Apple AI security flaw raises concerns

The concern here goes beyond strange chatbot responses. Apple Intelligence can connect directly to apps through system-level tools. That means manipulated responses could affect how an app behaves. Researchers said the model could be pushed into generating offensive or unintended responses. They also warned that attackers could potentially manipulate data and functionality available to an affected Apple Intelligence-enabled app.

THOUSANDS OF IPHONE APPS EXPOSE DATA INSIDE APPLE APP STORE

RSAC estimated that between 100,000 and 1 million users may already be using apps with potential exposure. That estimate was based on apps Apple had identified as using the on-device LLM and RSAC’s rough calculations from App Store review data. That does not mean criminals are actively using this exact attack right now. RSAC said there was no public evidence of active exploitation when the research appeared. Still, the high success rate makes the findings hard to ignore.

What Apple has done about the iPhone AI risk

RSAC shared its findings with Apple before making the research public. According to RSAC, Apple hardened the affected systems against this attack in iOS 26.4 and macOS 26.4. Apple has not publicly detailed every change. That is common with security fixes, since companies often avoid giving attackers a roadmap.

The research appears to be a proof of concept, not a known active attack against everyday users. The most important takeaway for users is simple: keep your devices updated. Security patches only help if they reach your phone. If you delay updates for weeks or months, you may miss protections that close known gaps.

DON’T IGNORE APPLE’S URGENT SECURITY UPDATE

Ways to stay safe with Apple Intelligence

You do not need to stop using Apple Intelligence, but you should treat it like any powerful phone feature: keep it updated, limit what it can access, and stay careful with unfamiliar content.

1) Update your iPhone, iPad and Mac

Start with the easiest protection. Make sure your device runs the latest software.

On iPhone: Settings > General > Software Update

On Mac: Click the Apple menu in the upper-left corner of your screen > System Settings > General > Software Update

Turn on automatic updates when possible. That helps your device receive security fixes as soon as Apple releases them.

Researchers say crafted text and Unicode tricks helped bypass Apple Intelligence safeguards in tests, raising concerns about apps that connect to the on-device AI model. (Kena Betancur/Bloomberg)

2) Review your Apple Intelligence settings

If you do not use certain Apple Intelligence features, consider turning them off or limiting them. This can reduce how often AI tools interact with your apps, messages, summaries and personal content.

On iPhone: Settings > Apple Intelligence & Siri

From there, review which features are enabled. Turn off anything you do not need. 

3) Be selective with AI-powered apps

Do not give every app access to sensitive information just because it offers an AI feature. Before installing an app, check the developer, reviews and privacy details. Also, ask yourself whether the app really needs access to your messages, files, photos or contacts. If the answer feels unclear, skip it.

DON’T GET CAUGHT IN THE ‘APPLE ID SUSPENDED’ PHISHING SCAM

4) Watch what you ask AI to summarize

Prompt injection can hide inside content that looks harmless. That could include emails, webpages, documents, notes or copied text. Be careful when asking AI to summarize unfamiliar content. A malicious file could contain hidden instructions meant for the AI rather than you.

5) Review app permissions

Take a few minutes to check which apps can access your private data.

On iPhone: Settings > Privacy & Security

Then review categories such as Photos, Contacts, Location Services, Microphone and Files. Remove access when an app no longer needs it.

6) Avoid pasting sensitive details into AI tools

Keep your most sensitive information out of AI prompts when possible. That includes Social Security numbers, banking details, tax documents, medical records and passwords. AI can help with many tasks. It should not become a dumping ground for your private life.

7) Delete apps you no longer use

Unused apps can put your data at risk. If you downloaded an app months ago and forgot about it, remove it.

On iPhone: Touch and hold the app > Remove App > Delete App > Delete

The fewer apps you keep, the fewer ways your personal data can move around. 

8) Add strong antivirus software

Strong antivirus software adds another layer of protection against malicious links, scam websites, infected downloads and phishing attacks that may try to steal your personal information. While antivirus software will not directly stop every AI prompt injection risk, it can help block threats before they reach your device or trick you into handing over sensitive data.

The best antivirus software can also warn you about suspicious emails, dangerous attachments and fake websites. That extra protection becomes more important as scammers use AI to make attacks look more convincing. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

9) Consider identity theft protection

Identity theft protection will not stop a prompt injection attack. Still, it can help if your personal information gets exposed or misused. A good identity theft protection service can monitor your personal data, alert you to suspicious activity and help you respond if someone tries to open accounts or use your identity. As AI tools become more integrated with apps and personal data, that extra monitoring can provide another layer of protection. See my tips and best picks on Best Identity Theft Protection at Cyberguy.com

10) Use stronger iPhone security settings

Keep Face ID or Touch ID enabled. Use a strong passcode instead of a simple four-digit code. Also, turn on Stolen Device Protection if your iPhone supports it.

On iPhone: Settings > Face ID & Passcode > Enter your passcode if prompted > Stolen Device Protection

This will not stop prompt injection by itself. However, it adds another layer if someone gets physical access to your phone.

Kurt’s key takeaways

Apple Intelligence still has a strong privacy story. Running more AI tasks on your iPhone and using Private Cloud Compute for tougher requests gives Apple a real advantage over many cloud-only AI tools. But this research is a reminder that private does not always mean untouchable. If an AI model can read prompts, summarize content and connect with apps, attackers will look for ways to bend it to their advantage. For you, the takeaway is simple. Keep your devices updated, be selective about AI-powered apps and think twice before letting AI process sensitive information. Apple can build strong walls around your data, but you still decide what you invite inside.

Keeping your iPhone updated, limiting app access and being careful with unfamiliar content can help reduce your risk as AI becomes more deeply built into your device. (Sebastian Kahnert/Picture Alliance)

Would you trust an AI assistant more because it runs on your iPhone, or does deeper access to your personal data make you more cautious? Let us know by writing to us at Cyberguy.com

Sign up for my FREE CyberGuy Report

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

• Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
• For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
• Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com.  All rights reserved.