Messages for AI

Security

Updated June 6, 2026

Messages for AI is built as a local macOS control center for AI-assisted texting. Security work focuses on local permissions, signed releases, visible send controls, and clear disclosure when Labs use model providers.

Local permission model

iMessage reads require Full Disk Access for the Messages for AI app. The app launches the local daemons that read protected data, so Claude and Codex do not need their own Full Disk Access grant to use the bridge.

Signed and notarized releases

Public releases are Developer ID signed, notarized by Apple, and distributed through GitHub Releases. Sparkle updates are signed so the app can verify downloaded updates before installing them.

Outbound control

Drafts, scheduled messages, and failed sends remain visible in the app. Users choose the send policy they want, including hold-to-send review and approval for scheduled messages.

Labs and model providers

Labs that use Claude or ChatGPT disclose provider use in the UI. Some Labs use aggregate metadata, while others may send selected excerpts to the model provider you configure. Treat generated analysis as AI-assisted output: it can be incomplete or wrong.

Product analytics

Product analytics are presented during onboarding with a visible opt-out, restricted to an event allowlist, and routed through a privacy guard before any PostHog capture. Autocapture, session replay, screen capture, and prompt or message logging are disabled. Existing installs keep their stored analytics setting unless setup is reset.

Connecting WhatsApp

WhatsApp support connects through a local linked-device session managed by the bundled background service. See the Terms of Service for the terms that govern WhatsApp support.

Responsible disclosure

If you find a security issue, please use the project's GitHub security guidance or file an issue if the report does not contain sensitive details.