
Hoplon InfoSec
03 Jul, 2026
Content Summary
| Item | Detail |
|---|---|
| Framework name | Trust Insights |
| Introduced in | iOS 27, announced at WWDC26 |
| Core problem it solves | Detecting when a legitimate, authenticated user is being coached through a scam |
| Primary signal | IsLikelyBeingCoachedInsight, with outputs unknown, medium, or high |
| Data processed | Interaction timing, contextual behavior, basic sensor data, all on-device |
| Data never touched | Content inside Messages, Mail, or Photos |
| Operation categories | Payment, account changes, resource use, communication, other |
| User control | Can be disabled in Settings, with a cooldown period before the change applies |
| Who needs to act | App developers, since Trust Insights only works inside apps that integrate it |
A few days ago I sat down to read through Apple's WWDC26 session on something called Trust Insights, and honestly, it took me a minute to understand why Apple engineers were so worked up about a feature that does not stop a single hacker, does not block a single virus, and does not touch a single line of malicious code. Then it clicked. Trust Insights is not built for hackers.
It is built for the moment when there is no hacker to catch, just a scared person on a phone call, typing in a number someone told them to type, clicking a button someone told them to click. That is the whole premise of iOS 27 Trust Insights, and once you get it, the rest of the framework makes a lot of sense. For years, mobile security has revolved around one core idea, confirm that the person using the device is who they say they are.
Face ID, passcodes, two factor codes, all of it exists to answer one question, is this the real account owner. But that question misses something painfully obvious. What if the real account owner is the one being manipulated. What if grandma really is the one wiring the money, because someone on the phone convinced her it is an emergency.
Face ID cannot catch that, because Face ID was never designed to read intent, only identity. Apple's own engineering team put this plainly during the WWDC26 session, delivered by Mike Armstrong, an Engineering Manager at Apple. He explained that social engineering attacks target people, not systems, and that a user who has been pressured, frightened, or deceived still performs the action authenticated and legitimately.
Multi factor authentication and biometrics do not help in this scenario, because the person acting is genuinely the account holder. Something new was needed, a signal that could tell the difference between free choice and coerced action, without reading anything private.
The numbers behind this decision are not small. According to Federal Trade Commission data for 2025, reported losses from scams that began on social media platforms reached 2.1 billion dollars, and close to 30 percent of people who reported a financial loss said the scam started on a social platform. The FBI's Internet Crime Complaint Center, known as IC3, logged more than one million complaints in its 2025 report, with total losses crossing 20 billion dollars.
Tech support scams, family emergency fraud, and authority impersonation calls have all grown more convincing, partly because AI generated voices and deepfake video make it easier for a stranger to sound exactly like someone you trust, and many of these campaigns still start with a convincing message or call that a strong email security and anti-phishing posture is meant to catch earlier in the chain. Apple's response is not a spam filter and it is not a virus scanner. It is a behavioral signal that lives quietly inside the operating system and speaks up only when something about the way a user is acting looks like coaching.
Trust Insights is a framework, introduced in iOS 27, that lets an app request a real time risk evaluation before a sensitive action goes through. Under the hood it runs mostly on device, watching things like interaction timing, contextual behavior, and basic sensor data, then produces a single result that an app can use to decide whether to add a warning, insert a short delay, or ask for extra verification.
It is worth being precise about what Trust Insights is not. It does not read the words inside a text message. It does not scan a call transcript. It does not look at a photo. Apple has been explicit that device sourced signals never include the content of Photos, Messages, or Mail. What it looks at instead is behavior around an action, the rhythm of how someone is interacting with the screen, whether the pattern resembles someone being walked through steps by another person.
The published API centers on something called IsLikelyBeingCoachedInsight, and that name is a fairly accurate description of the entire product. When a developer requests this insight, the framework returns one of three possible results. Unknown means the system has no evidence of scam risk, but Apple is very clear that this should never be read as low risk. It simply means no signal was found, not that the coast is clear.
Medium means there is some evidence of coaching risk, and depending on the type of action, the app should consider friction, additional verification, or adjusting its own internal risk scoring. High means there is significant evidence of coaching, and the user should be told about that risk before the action is allowed to continue. Behind these three words sits a machine learning model that processes everything locally.
Inputs are discarded immediately after evaluation, and only a single derived output value ever leaves the device. That value can then be combined on Apple's servers with Apple Account signals and velocity checks, things like unusual login patterns, before the framework returns its final verdict to the requesting app.
How scam detection works in apps
Apple did not build Trust Insights as one generic switch. It ties every evaluation to an operation category, because a suspicious pattern during a bank transfer means something different than a suspicious pattern during a chat message. There are five categories at launch.
| Category | What It Covers | Example Real World Action |
|---|---|---|
| Payment | Any exchange of assets, content, or money | In app purchase, peer to peer transfer, adding a new payment method |
| Account | Updates to account details or security information | Changing a password, updating recovery email, disabling two factor authentication |
| Resource Use | Requests to costly or limited infrastructure | Running an expensive AI inference job, heavy server side processing |
| Communication | Sending messages, submitting forms, signing documents | Sending a bulk message, e-signing a contract, submitting a sensitive form |
| Other | Anything that does not fit the categories above | Developer specific edge cases |
Apple has openly asked developers who keep landing in the Other bucket to submit feedback through Feedback Assistant, since that category exists partly to help Apple learn what new categories might be needed later.
This is where Trust Insights stops being a marketing slide and becomes an actual engineering decision, and it is exactly why this framework matters to appsec and product security teams, not just end users. Generating an insight requires an entitlement, declared as a capability on the app target inside Xcode. Once that is configured, a developer imports the TrustInsights framework and creates a parameter pack describing the insights being requested.
A schema value is required, while a modelVersion is optional, and specifying both a current and prior model version supports governance and validation as Apple updates its detection models over time. The evaluation itself runs through an object called InsightEvaluator, tied to an InsightContext that carries the operation category. That category is not just a label for logging, it actually changes which model logic gets applied to the evaluation.
A payment transfer and a document signature do not get judged by the same internal logic, because the behavioral patterns that matter for each are different. One detail engineers should not skip, evaluation is asynchronous, can take a few seconds, and requires network reachability. That timing constraint shapes exactly where in a flow this call belongs.
Apple's guidance, echoed by independent iOS developers who tested the beta SDK, is to call it at a review or confirmation screen, after the user has entered the details of a sensitive action but before the action is committed. Sprinkling the call across every screen in an app defeats the purpose and adds unnecessary latency for no benefit.
There is also a feedback obligation baked into the design, and it is one of the least talked about but most important parts of the whole system. Apple requires two kinds of feedback from apps that use Trust Insights. Real time consumption feedback reports how the app actually responded to a given insight. Offline feedback lets a developer report a transaction that later turned out to be fraudulent, even after the fact.
This feedback loop is what keeps the underlying model accurate over time, and Apple has said clearly that submitting offline fraud labels is not required to benefit from Trust Insights, but it strengthens the detection ecosystem for everyone using it. For testing, Trust Insights requests run in a sandbox environment during development, and Xcode scheme configuration allows a developer to override insight values and errors, which makes it possible to test unknown, medium, and high paths deliberately rather than hoping to stumble into them naturally.
| Risk Level | What It Means | Suggested App Response |
|---|---|---|
| Unknown | No coaching evidence found, not a green light | Continue existing fraud checks, do not skip standard verification |
| Medium | Some evidence of coaching behavior | Add friction, request extra verification, or raise internal risk score |
| High | Strong evidence of coaching behavior | Warn the user clearly before the action proceeds, consider a short delay |
One thing worth saying plainly, treating a high risk result as an automatic hard block is not the design Apple is pushing developers toward. Independent developers working with the beta SDK have pointed out that outright blocking based only on a trust signal is a weak default, because a coerced user is often already embarrassed, rushed, or afraid, and the goal of a good response is to create space for the person to pause and think, not to shame them or lock them out entirely. Trust Insights is meant to be one input into a broader risk decision, not a single point of failure that overrides everything else.
Apple has leaned hard on privacy language for this framework, and the technical details actually back it up rather than just repeating a slogan. Data minimization sits at the center of the design. The framework processes only what it needs, discards raw inputs immediately after each evaluation, and keeps all device sourced data on the device itself.
None of the raw behavioral signals, timing patterns, or sensor readings are ever shared with Apple or with third parties. Only that single derived risk value leaves the device, and it only leaves when an app actually requests an evaluation. Users keep control too. Trust Insights can be turned off inside iOS Settings at any time.
But Apple added a cooldown period before a disable action takes effect, and the reasoning behind it is one of the smarter parts of this whole system. In a live coaching scam, one of the first things an attacker often tells the victim to do is turn off security features or ignore warnings. The cooldown exists specifically to blunt that tactic, giving a pressured user a buffer of time before the protection actually switches off, in case they were told to disable it under duress rather than by their own free judgment.
| Approach | Where It Runs | What It Looks At | Limitation |
|---|---|---|---|
| Bank side transaction monitoring | Server side, at the financial institution | Transaction amount, frequency, destination account patterns | Blind to the human behavior that led up to the transaction |
| Carrier or OS level content filtering, like iOS 26 Messages spam filtering | On device or carrier network | Message content patterns, known spam signatures | Only catches incoming content, not outgoing coerced actions |
| iOS 27 Trust Insights | Primarily on device, across any integrated app | Interaction timing, contextual behavior, sensor data around an action | Only works inside apps that choose to integrate it |
The real shift here is architectural. Older fraud tools mostly look at content coming in or transaction data after the fact. Trust Insights looks at the behavior surrounding an outgoing, in progress action, which is a genuinely different layer of defense, and it complements rather than replaces the tools security teams already run.
If you work in appsec, DevSecOps, or you sit somewhere close to a CISO's desk, Trust Insights deserves a spot on next quarter's roadmap discussion, especially for any app that touches payments, account recovery, or document signing, and organizations without in house bandwidth to track platform changes like this one often lean on virtual CISO services to keep mobile risk decisions moving without waiting on a full hire.
Fintech and banking apps sit at the top of the priority list, since coached transfers and coached account takeovers are exactly what this framework was designed to interrupt. Any app offering peer to peer payments, buy now pay later features, or in app crypto transfers should be evaluating this early rather than after a wave of coached fraud complaints forces the issue. For teams planning an integration, a short checklist helps keep the rollout grounded.
Teams already running a mature mobile threat program will find this framework easiest to slot in, particularly organizations that already invest in mobile application security testing and have a defined process for reviewing new platform level entitlements before shipping them to production, backed by broader mobile security and threat defense coverage across their app fleet.
No security framework should be sold as a finished solution, and Trust Insights has real limits worth naming honestly. Adoption depends entirely on individual apps choosing to integrate the API, this is not a system wide protection that covers every app automatically. An app that never requests an insight gets no benefit from the framework at all.
The evaluation also depends on network reachability and can take a few seconds, which rules it out for flows that need to be instant. There is no equivalent framework on Android today, so cross platform apps will only get this protection on the Apple side. And as of the iOS 27 SDK, the API itself is still in beta, meaning naming and behavior could shift before general availability settles. None of that erases the value of the approach, it just means Trust Insights is one layer in a stack, not the whole stack.
Trust Insights did not appear out of nowhere. It sits at the end of a fairly clear progression, from Face ID confirming identity, to Lockdown Mode reducing attack surface for high risk individuals, to Stolen Device Protection slowing down thieves who already have a passcode, to iOS 26's spam filtering inside Messages catching unwanted incoming content. Trust Insights is the next logical step, moving from confirming who someone is, and filtering what comes in, toward understanding whether an outgoing action was freely chosen.
What is Apple Trust Insights.
Trust Insights is a framework introduced in iOS 27 that lets apps request a real time evaluation of whether a user might be getting coached through a social engineering scam, based on on device behavioral signals rather than message content.
Does Trust Insights read my messages, mail, or photos.
No. Apple has stated clearly that device sourced signals never include content from Photos, Messages, or Mail. It only analyzes interaction patterns, timing, context, and basic sensor data.
Can I turn off Trust Insights on my iPhone.
Yes, it can be disabled inside Settings, though Apple applies a cooldown period before the change takes effect, specifically to protect users who may have been told to disable it during an active scam.
Which iPhones support Trust Insights.
Trust Insights is tied to iOS 27, so it becomes available on devices that run iOS 27, and only inside apps that have specifically integrated the framework.
Is Trust Insights the same as fraud detection inside my banking app.
No, it is a complementary layer. Bank side fraud detection looks at transaction data after the fact, while Trust Insights evaluates behavioral signals around the action while it is still happening, and the two are meant to work together rather than replace one another.
What happens if Trust Insights flags high risk.
The requesting app decides the response, but Apple's guidance is that the user should be clearly informed of the risk before the action proceeds, with friction such as a delay or extra verification, rather than an automatic silent block.
Trust Insights will not stop every scam, and Apple has never claimed it would. What it does is close a gap that biometrics and passwords were never built to cover, the gap between a person acting and a person choosing freely. For organizations building anything that touches money, account security, or sensitive documents, this is worth treating as a real engineering conversation this year, not a footnote in a WWDC recap.
Teams that want a broader look at how manipulation tactics get tracked and profiled at scale can pair this kind of on device signal with cyber threat intelligence that watches how scam campaigns evolve outside the app itself, and more breakdowns like this one live on the Hoplon InfoSec blog.
Official References
Apple Developer, WWDC26 session, Meet Trust Insights, session 379
Apple Developer Documentation, TrustInsights framework and entitlement reference
Federal Trade Commission, 2025 fraud and social media scam loss data
Federal Bureau of Investigation, Internet Crime Complaint Center, 2025 IC3 report
Was this article helpful?
React to this post and see the live totals.
Share this :