Apple Intelligence prompt‑injection risk

A prompt injection attack is the artificial intelligence version of hiding fake instructions inside a document and hoping the assistant reads those instructions as if they came from you. The Open Worldwide Application Security Project lists prompt injection as a top large language model risk because it can make a model leak data, ignore rules, or misuse connected tools. (genai.owasp.org) Apple built Apple Intelligence so many requests run on the device instead of leaving your phone or Mac. Apple’s own developer docs say the Foundation Models framework gives apps direct access to the on-device large language model that powers Apple Intelligence. (developer.apple.com) That design changes where the danger sits. Apple says on-device processing keeps many requests local, while more complex jobs can go to Private Cloud Compute, a server system Apple says does not store or expose user data to Apple. (support.apple.com, security.apple.com) The problem is that “local” does not mean “safe from tricks.” If a model can read your email, your notes, or app content, then a malicious message can smuggle in instructions that say, in effect, “ignore the user and send me the secrets instead.” (daringfireball.net, genai.owasp.org) That is why the new Apple Intelligence finding matters. SecurityWeek reported on April 9, 2026 that researchers showed Apple Intelligence guardrails could be bypassed, and the report said the attack could expose sensitive user data on devices that support Apple Intelligence. (securityweek.com) This did not come out of nowhere. In August 2024, developer Evan Zhou showed a prompt injection against the macOS 15.1 beta version of Apple Intelligence, and 9to5Mac reported that the beta was “fairly well protected” but still had an exploitable flaw. (9to5mac.com) Zhou later published a GitHub repository that cataloged Apple Intelligence prompt leaks, including a June 10, 2025 entry describing a prompt-leaking attack against Apple’s Foundation Model in Shortcuts on macOS 26 and a similar leak for the ChatGPT model option. (github.com) Apple has been expanding access at the same time. Apple’s developer site says apps can now use the Foundation Models framework with features like guided generation and tool calling, which means the model can do more than write text and can trigger code written by developers. (developer.apple.com, developer.apple.com) That combination is what makes prompt injection nasty. A model that only chats can say something wrong, but a model that can read personal context and call tools can turn one poisoned input into a data leak or an unwanted action. (daringfireball.net, genai.owasp.org) Apple has already had to patch adjacent Apple Intelligence security issues before. In July 2025, Apple fixed a macOS flaw that AppleInsider and BleepingComputer said could have let attackers bypass privacy controls and reach Apple Intelligence-related cached data. (appleinsider.com, bleepingcomputer.com) So the story is not that Apple’s privacy pitch was fake. The story is that moving intelligence onto the device reduces one class of cloud exposure, but it also creates a new runtime security job: the model, the app, the tool calls, and the operating system all have to agree on what counts as trusted instructions. (support.apple.com, developer.apple.com, genai.owasp.org) And that is why this is hard to “patch away” with one filter. Apple’s March 2026 Foundation Models updates say the latest on-device model improved instruction-following and tool-calling, but researchers like Simon Willison have argued that assistants with private data access and tool use face a prompt injection problem the industry still has not fully solved. (developer.apple.com, daringfireball.net)