Privacy & Security  
May 2024 Edition

Editor's Note

Hi Insiders, Cullen here.

Apple patched some serious bugs in their software this month, somebody found a really good way to defeat VPN software, all VPN software, and everybody is gaga over generative AI, trying to figure out how to work its nigh magical ability to interpret speech and pictures into their next updates. We’re getting wave after wave of news about the latest AI features, a hype cycle that seems more like a tornado at this point, and has spun up at least a few really bad ideas. We’ll get into all of that in this month’s security newsletter, but first a bit of personal news: I’m getting married! That’s right, I’ll be taking a break from the Security Newsletter next month for a happy reason, and your regularly scheduled update will continue in the capable hands of Rhett Intriago. I hope you have a very happy June, and stay safe and secure.

As always, please email us your tips, stories of scams or hacks, and your questions at security@iphonelife.com. I may be on break but I can seldom ignore a good story for long.

Cheers!

Cullen Thomas,
Senior Instructor at iPhone Life

In This Newsletter:

  • Top 3 Security Skills of the Month: What to practice based on the stories below.
  • Security Updates from Apple: What we know about Apple's security patches and updates.
  • Common Hacks, Scams, & Trouble: A selection of illustrative threats from the last month.
  • Latest from Around the Web: General privacy & security news for Apple enthusiasts.
  • Security Tip of the Month: Highlighting one of our daily tips to quickly help you secure your privacy.
 
Top 3 Security Skills of the Month

Three simple steps to secure your devices, based on the stories below.

  • Update your Apple Devices. The updates this month were full of important security fixes.
  • Verify identities in online interactions. Be especially suspicious where investment advice or cryptocurrency are involved.
  • Avoid public Wi-Fi, even if you use a VPN! Instead, use your phone’s hotspot.

For a complete list of our top security recommendations, view our course, Privacy & Security for Apple Enthusiasts in 2024, included in your iPhone Life Insider subscription.

 
Security Updates From Apple

Apple Patches a Flight of Serious Security Vulnerabilities across iPhone, iPad, and Mac

It’s normal for operating system updates to patch a few security flaws, but iOS 17.5 and its family of .5 updates bring with them a number of fixes for some unusually serious security and privacy vulnerabilities. Among them are two different bugs, one in Find My and one in Maps, that could leak sensitive location information, including your current location, to a malicious app installed on your iPhone or iPad. iOS 17.5 also fixes a way attackers could cause your iPhone or iPad to crash and another way they might cause apps to crash. Besides being annoying, forcing a crash like this can sometimes be useful to hackers who need to get your device into a weird state in order to break through its defenses.

Another curious bug fixed with iOS 17.5 is a way for someone who has your iPhone to view your Notes from the Lock Screen without unlocking the device. Apple also found and fixed a way for malicious apps to bypass privacy settings.

Most of these bugs have been around for a while, but Apple hasn’t acknowledged that any of them have yet been used by hackers that they know about. Nevertheless, these are serious bugs that all get fixed by updating to the latest operating system, and are a good reason to update all on their own.

But that isn’t the end of the security story with iOS 17.5. These updates didn’t just fix bugs, they also introduced a new one: Some users were alarmed to discover old photos they had long ago deleted reappearing on their iPhones after updating. Apple quickly rolled out another update, iOS 17.5.1, to address this bug and banish the revenant images back to the abyss. Apple offered a terse explanation: “This update… addresses a rare issue where photos that experienced database corruption could reappear in the Photos library even if they were deleted.”

The Bottom Line: I’d recommend updating to iOS 17.5.1 as quickly as possible, and the same goes for your Mac, iPad, and Apple Watch.

 
Common Scams, Hacks & Trouble

VPNs Are Not Foolproof on Suspicious Wi-Fi

A team of researchers at Leviathan Security has outlined a method whereby an attacker with a device on a local network could capture all the internet traffic to and from a specific target device on the same network, even if that device is using a VPN. The method requires that the attacker be on the same physical local area network, such as shared or public Wi-Fi, but does not necessarily require admin privileges. Labeled TunnelVision, the method affects every VPN application and provider, effectively bypassing the VPN’s encrypted channel and routing the unencrypted network traffic through the attacker’s computer without alerting the user that their VPN has been compromised. While some mitigations can be implemented on Linux, Mac and Windows devices have limited mitigation options.

This attack requires that an attacker sharing access to a local network chooses to victimize a specific computer. In other words, it can’t be deployed at scale to compromise the activity of everyone on the free Wi-Fi network at Chicago O'Hare International Airport. But, it can be used by a coffee shop or hotel employee to snoop on all the internet activity of a specific patron even if that patron is using a VPN.

The Bottom Line: We have historically recommended that you avoid public Wi-Fi (even with a VPN) and instead use your iPhone’s hotspot. That advice is still good and will protect you here as well: you don’t need a VPN on your hotspot, and TunnelVision does not apply. We have also said before that if you must use public Wi-Fi then you should use a VPN while doing so, but TunnelVision is one method whereby an attacker could snoop on your internet connection under those conditions. Even so, I tend to think our advice still holds: locks are still a good idea even though lockpicks exist. If you’re using a VPN on public Wi-Fi, an attacker would need to know about TunnelVision and also target your device to bypass the VPN. So it is still better to have the VPN turned on than not if you’re going to be on public Wi-Fi. But it’s even better to not use public Wi-Fi at all; that way you’ll never need the VPN.

Apple, Google & Microsoft All in Hot Water over Generative AI Features

Generative AI only hit the mainstream in 2023, and it’s so fresh a technology that we haven’t established safe norms or patterns for its use. There is perhaps no finer illustration of this point than the big three tech companies all landing themselves in controversy in the past month alone over specific proposed implementations of generative AI. In my opinion, the difference between their three ideas serves to demonstrate an enormous gap between the cultures and values of the three companies. We don’t usually report on Android or Windows problems, but the contrast is remarkable.

Google’s Proposed New AI Feature for Android: How Would You Like Us to Listen In on All Your Calls (and Warn You If They Are Scams)?

Google is jumping on the AI bandwagon by incorporating a generative AI model called Gemini into its latest version of Android, reports Ars Technica. At Google I/O, the company’s annual developer conference, it demonstrated how Gemini will be able to listen in on your phone calls and alert you to potential scams. In the demo, the caller began telling the user that there were fraudulent charges on their account and that they needed to move the money to a new account. Gemini immediately popped up with a warning that the caller was likely trying to scam the user. This sounds like a helpful feature in theory, and Google claims the processing is all done on-device without contacting its servers, but even operations done on the device could potentially be intercepted by malware, so listening in on every call seems like an egregious and unnecessary privacy risk from a company whose entire business model depends on harvesting users’ activity patterns.

The Bottom Line: If you’re already using an iPhone, this isn’t something you need to worry about since this is an Android feature. However, if I were an Android user, I would definitely be disabling Gemini.

Microsoft’s New AI Feature for Windows: How about We Take Pictures of Everything You Do on Your Device All the Time Forever

Microsoft is bringing a new, AI-powered feature to Windows 11 called Recall, available now on any Windows 11 device with the Copilot+ PC features. Recall is designed to allow you to “retrace your steps” to content that you previously interacted with on your PC. For example, you could use the Windows search bar to search for “brown bag” and the search engine would surface the web page you’d visited last week to look at leather purses, even though the words “brown” and “bag” do not appear anywhere on the page. The problem? Cybersecurity researcher Kevin Beaumont explains: Recall works by taking a snapshot of your screen every five seconds, having generative AI summarize the screenshot, and then saving the shot and the summary to local memory. This includes screenshots of sensitive content like banking account information, passwords, social security numbers, and all other private information you encounter on your device both on the web and off. No sensitive information is redacted or excluded from Recall screenshots, so if any screenshots contain sensitive data, it would be no different than storing passwords in a plain text file. While these screenshots are stored and analyzed on the device, they are still accessible to anyone using the computer, and likely to malware running on that device as well. It is functionally equivalent to having spyware installed on every Windows 11 Copilot+ computer by the manufacturer.

The Bottom Line: If you have a Copilot+ PC running Windows 11, I’d recommend disabling Recall right away. You can do that by going into your computer’s Privacy & Security settings, selecting Recall & Snapshots, and turning off the toggle for Save Snapshots. And while you’re at it, click Delete All to remove any snapshots that are already on your device. Personally, Rhett and I will both be staying on Windows 10 until at least October 14, 2025, when Microsoft has announced it will stop providing security updates.

Apple’s Rumored New AI Feature for Safari: User-Controlled Ad Blocking

Okay, now it’s Apple’s turn. With the next operating system updates, due out in September, rumor has it that Apple will make blocking ads in Safari easier than ever. The next version of Safari will include a feature called “Web Eraser,” which will reportedly allow users to completely remove any part of a web page, including ads, reports AppleInsider. When using Web Eraser, any changes you make will persist across browsing sessions, so you only have to erase ads on a website once and they’ll stay erased when you reload the page. Some British newspaper groups, such as the News Media Association, have raised concerns about this new feature and how it might affect the financial viability of the journalism industry. Many journalism websites rely on ad revenue, and integrating this functionality natively into Safari means ad blocking will be quick and easy, which means a loss of revenue for sites that rely on ads.

The Bottom Line: Malicious advertising is a scourge on the internet, and ad blocking can be an important piece of staying private and secure. Safari’s new Web Eraser tool seems like a convenient way to block intrusive ads, but that also means that every time you visit a site where you used Web Eraser to remove ads, that site will continually miss out on ad revenue. Subscription models might offset the loss in advertising revenue, but that would lead to more paywalls. The debate is nuanced, and as a small publisher it’s likely to affect iPhone Life one way or another.

Compared with the complaints levied against Google and Microsoft, whose proposed features involve egregious breaches of privacy in the name of providing a service nobody asked for, Apple’s idea actually addresses a problem that we have, and does so with a clear awareness of the sensibilities and needs of its users.

Pig Butchering Crypto-Scams Continue, Stealing Billions

Romance “pig butchering” crypto scams based out of Myanmar, Laos, and Thailand now account for roughly 64 billion dollars in theft per year, estimates the United States Institute of Peace. The scams originate from massive prison-like call centers that run on slave labor, with the United Nations estimating that about 230,000 people are held in a condition of bondage where they cannot leave and are made to scam innocent victims across China, Europe, and the USA or else suffer abuse or even death. We have covered the styles and mechanics of pig butchering scams in previous editions, but in brief, they may take the form of an online friendship or romance which can continue for months or even years. Eventually the scammer will mention that they have been making good money on cryptocurrency and offer to help you invest so you can make money too. Should you take their advice and invest, they will take your money and encourage you to invest more and more, which they will also take.

The Bottom Line: Protecting yourself and your loved ones from these prolific and horrific scams boils down to never acting on investment advice from any online contact, especially where cryptocurrency is involved. You can double check that a new online acquaintance is a real person, not a scammer with a false identity, by insisting on a video call.

 
Latest from Around the Web

Apple and Google Team Up to Fight Nonconsensual Use of Bluetooth Trackers

Apple and Google are putting aside their differences to help prevent the abuse of tracking devices like AirTags. AirTags are incredibly useful for keeping track of things that you often lose, but there have always been concerns about how the technology could be used for nefarious purposes, such as stalking. iPhones are capable of detecting when an unrecognized AirTag is traveling along nearby, and your phone will alert you so you can check to see if somebody planted a bug. However, this has only worked with AirTags, and there are many non-Apple Bluetooth tracker tags on the market. Now, with the partnership between Google and Apple ironing out the technical details, these same alerts will also warn of third-party Bluetooth trackers traveling nearby, and Android devices will likewise be able to warn about AirTags.

The Bottom Line: Whether you use an iPhone or an Android, your device will alert you if it detects any type of Bluetooth tracker moving with you. These features are out now, available with iOS 17.5 and on Android 6.0+ devices.

FCC Fines 4 Major Cell Carriers for Illegally Selling Location Data

AT&T, Sprint, T-Mobile, and Verizon have together been fined more than $200 million by the US Federal Communications Commission for selling real-time user location data to third parties without consent, reports Krebs on Security. All four carriers sold the real-time location data of their customers to “information aggregators” who then resold it to advertisers and others, such as one company called Securus Technologies, which sold the data to law enforcement, and LocationSmart, whose free demo software available online could be used to locate nearly any cell phone in America in real time. The FCC found that all four companies had failed to acquire the user consent that the law requires.

The Bottom Line: All four companies have wound down their user location sharing agreements. However, they are likely to look for new ways to monetize that data, so be on the lookout for updated consent requests from your cell carrier.

New Report from Apple Details App Store Defense Efforts

Apple claims to have prevented over $7 billion in fraudulent transactions on its App Store and to have given the boot to 374 million user accounts engaged in misleading or fraudulent activity on the App Store, such as posting fake reviews. The same report, posted May 14, reiterates that Apple’s team of app reviewers personally examines every app before it reaches consumers, but bad actors do sneak malicious apps onto the App Store by waiting to add the malicious functionality until the app has already been accepted.

The Bottom Line: Details like these are interesting, but it’s important to bear in mind that malicious apps do make it onto the App Store, that reviews on the App Store are often left by bots, and that giving the boot to a lot of bot accounts is just business as usual.

DuckDuckGo Privacy Pro: Is It Worth It?

In last month’s newsletter, we mentioned that DuckDuckGo had introduced a service similar to Mozilla Monitor. Rhett gave DuckDuckGo Privacy Pro a spin to see if it would be worth it. After he signed up, DuckDuckGo scanned 53 data broker sites and found 13 records, which it said it would remove within 2–3 weeks. For comparison, Cullen tried out Mozilla Monitor last month, which found data on 86 sites and began removing records within the first month. After Rhett’s first month of using Privacy Pro, the page says that his record removal is still in progress. Rhett manually checked a few data broker sites and found that some of his records have been removed, but not all of them.

It’s also worth mentioning that Privacy Pro includes a VPN as part of its subscription, which was nice to have. However, if all you’re looking for is a VPN, there are countless competitors out there for half the cost of DuckDuckGo’s premium subscription.

The Bottom Line: While it’s great that Privacy Pro is available as a more affordable option, Mozilla Monitor seems to find more records and remove them more consistently.

 
Security Tip of the Month

How to Set an Alphanumeric Passcode for Your iPhone

The passcode on your iPhone’s Lock Screen doesn’t just lock its screen; it’s also the basis of the encryption used to secure your iPhone’s file system, so even Apple can’t read the files on your iPhone unless they know the code. That’s why a longer passcode is usually better, but the best passcode is the one you can remember. Did you know you can set different lengths of passcode? You can even set a password including letters and symbols. I don’t necessarily recommend this, because you have to type it in pretty often, and a long password could get very tedious, but if you’d like to set it up, there is a way.

Open the Settings app and tap Face ID & Passcode. There, enter your current passcode. Then scroll down and tap Change Passcode. You'll be prompted once again to enter your current passcode, just to make sure. Now select Passcode Options below that and tap Custom Alphanumeric Code. Now you can enter your new passcode using a combination of letters, numbers, and symbols; you can use up to 34 characters. When you're finished, tap Next. You may need to enter it again to confirm the passcode change.

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Sarah Kingsburry.

 
Copyright © 2024 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.