QuickLookAR shares the actual USDZ model instead of the original website URL — critical copyright and data leak issue on iOS 26
Since iOS 26, QuickLookAR (or ARQuickLookPreviewItem) no longer preserves the original web URL when sharing a model. Instead of sending the link to the hosted file, the system directly shares the actual USDZ model file with the recipient.
This is a critical regression and a severe breach of intellectual property protection, as it exposes proprietary 3D models that must never be distributed outside of the controlled web environment.
In earlier iOS versions (tested up to iOS 18), QuickLookAR correctly handled sharing — the share sheet would send the website link where the model is hosted, not the file itself. Starting with iOS 26, this behavior has changed and completely breaks the intended secure flow for AR experiences.
Our project relies on allowing users to view models in AR via QuickLook, without ever transferring the underlying 3D assets. Now, the share operation forces full file sharing, giving end users unrestricted access to the model file, which can be copied, rehosted, or reverse-engineered.
This issue critically affects production environments and prevents us from deploying our AR-based solutions.
- Implement a standard QuickLookAR preview with a USDZ file hosted on your web server (e.g., via ARQuickLookPreviewItem). 2. Open the AR view on iOS 26. 3. Tap the Share icon from QuickLookAR. 4. Send via any messenger (Telegram, WhatsApp, etc.). 5. Observe that the actual .usdz model is sent instead of the original website URL.
⸻
Expected behavior: QuickLookAR should share only the original URL (as in iOS 17–18), not the file itself. This ensures that intellectual property and licensed 3D models remain protected and controlled by the content owner.
⸻
Actual behavior: QuickLookAR shares the entire USDZ file, leaking the model content outside of the intended environment.
⸻
Impact: • Violation of copyright and confidential data policies • Loss of control over proprietary 3D assets • Breaking change for all existing web-based AR integrations • Critical blocker for AR production deployment
⸻
Environment: • iOS 26.0 and 26.1 (tested on iPhone 14, iPhone 15) • Safari + QuickLookAR integration • Works correctly on iOS 17 / iOS 18
⸻
Notes: This regression appears to have been introduced in the latest iOS 26 system handling of QuickLookAR sharing. Please escalate this issue to the ARKit / QuickLook engineering team as it directly affects compliance, IP protection, and usability of AR features across production applications.
Additional Notes / Verification:
Please test this behavior yourself using the CheckAR test model on my website: https://admixreality.com/ios26/
• If the login page appears, click “Check AR” and then “View in Your Space”.
• On iOS 18 and earlier, sharing correctly sends the website URL.
• On iOS 26, sharing sends the actual USDZ model file.
This clearly demonstrates the regression and the security/IP issue.
Thanks for the clarification. I’ve updated your bug (FB20753534) with these details.
Beyond that, there’s no much I can do for you. The correct path for this is Feedback Assistant, and you’re already on that path. I can confirm that your bug is being looked at by the right folks, and they’ll need to make a call as to how to address it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
