• 🗒️✅ Your Security Checklist
• 🏆🎖️ Test Your Security Skills
• 📰 Your Weekly Security Update
• 🤨 This Should Be on Your Radar 📡
• 🙈 Security Fail of the Week 👎
• 🍎📱 Security Updates from Apple 🍎

If you take nothing else from this newsletter, do these three things to protect yourself:

1. When signing up for a new website or app, sometimes you can sign in using your Apple Account and hide your email to stay private.
2. Before you download an app, always check the App Privacy section to see what type of data the app might collect.
3. You can run an App Privacy Report to see what your apps and websites are up to in the background.

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

What should you do in the following scenario?

You’re about to visit some friends at a venue in a part of town where pickpockets often operate. Which of the following would not help protect you if your phone is stolen? 🤔

1. Activate Stolen Device Protection in Settings > Privacy & Security > Stolen Device Protection
2. Set a passphrase as your iPhone’s passcode > Settings > Face ID & Passcode
3. Run a Safety Check in Settings > Privacy & Security > Safety Check
4. Log out of your cloud storage apps, such as Dropbox, or any password manager

Scroll to the bottom to see how you did!

Genetic testing company 23andMe has announced that it is headed for bankruptcy. The company, which supplies genetic testing to consumers, has amassed samples from some 15 million people. This database is likely its most valuable asset, and will almost certainly be sold off to unknown parties as part of the bankruptcy process.

The Bottom Line: If you have used 23andMe, and don’t want your genetic information to end up in the hands of the highest bidder, then you should head over to 23andMe and invoke your rights under California’s privacy laws to have your data removed. Here’s a guide on how to do that.

Apple Passwords App Bug May Have Enabled Phishing, Now Fixed

A bug in Apple’s Passwords app was discovered by the security researchers at Mysk. They found that when a new password was saved in the app, the app would query the domain to get a copy of its icon, and those queries were not done using encrypted HTTPS, but instead over unencrypted HTTP. After further investigation, they found that the Passwords app was also opening password reset pages using the older insecure HTTP connection. That amounts to a fairly serious mistake, since it means that a malicious network operator, such as someone who has control over airport Wi-Fi, might intercept the password reset page and replace it with a phishing page.

For some reason, Apple patched this bug in January with iOS 18.3, but waited two months to announce that it had done so, and also refused to pay a bug bounty to Mysk.

The Bottom Line: Keep your devices up to date. Researchers are constantly looking for flaws like this, and so are scammers.

Mac Users Beware of New Phishing Strategy

There is a new phishing campaign targeting Mac users. The strategy works by showing you a legitimate-looking web page (like the Apple Store). Then, a pop-up will warn you that your Mac has been compromised and prompt you to enter your Apple Account email and password.

The Bottom Line: If you come across any pop-ups like the ones described above, do not enter your email or password. Close the window, and make sure the URL you entered is correct.

Your Data May Be Compromised by a Stalkerware’s Security Failure

Stalkerware is the name for a category of apps engineered to allow a third party to monitor everything on a victim’s phone, and sometimes to control or interfere with the phone. They’re often marketed as parental controls, to allow parents to keep track of their children, but they can just as easily be used by domestic abusers who have access to their victim’s phone. One stalkerware vendor, called SpyX, recently got hacked and its database of private information leaked. That database included the emails of a lot of SpyX customers, but also many of their victims. The data from this breach has been shared with the archive at haveibeenpwned.com so you can check that website to see if you are affected.

The Bottom Line: Usually spyware on iOS works by adding an extra device to the victim’s Apple account. Once added, that fake device can download copies of the victim iPhone’s iCloud device backups. iCloud device backups contain copies of text messages, emails, app activity, and more. You can check to see what devices have access to your Apple ID (and thus, could download your iPhone backups) by going to Settings > Apple Account. Scroll to the bottom of the page and you’ll see a list of devices. To remove a device, tap on it and select Remove from Account.

Cybersecurity Experts Warn DOGE Is Creating Unnecessary Risk

Time magazine has a piece out on the alarms raised by the security and privacy industry regarding the Department of Government Efficiency's efforts to cut waste. These alarms have generated a large amount of press coverage, but I found the Time Magazine article to be a sober summary.

Check the Safety of Your Accounts, a Guide from Tech Crunch

Ever wondered how to check if your primary accounts have been compromised? Check out Lorenzo Franceschi-Bicchierai’s guide over at Tech Crunch. It will walk you through each of the most important accounts you’re likely to be using, including Apple, Google, and Meta, as well as WhatsApp, Signal, and other messaging services, and how to make sure it’s locked down tight.

Lawsuit Forces Meta to Stop Tracking One Single User, but It’s Still Tracking You

Back in 2022, Tanya O’Carroll filed a lawsuit against Meta, objecting to the way the company was using her data to show her targeted ads. This week, a settlement was reached, and Meta will no longer track her or show her personalized ads. While this is a great win for O’Carroll herself, a settlement means that Meta has not accepted liability and is free to continue tracking all other users. O’Carroll’s case could help set a precedent, but we won’t know for sure until it’s tested in court.

Know Your Rights: What Can US Border Agents Do with Your iPhone?

The Verge has published an excellent overview of how to lock down your iPhone when planning to cross a US border, and why you might, or might not, want to. They offer some advice that is applicable any time you’re approaching a situation where your iPhone is at increased risk of being confiscated or stolen.

The Bottom Line: Be aware of what material is accessible through your iPhone—which accounts it can access, and what is stored on it locally. When preparing to travel, consider taking steps to reduce what is stored on your iPhone, and what accounts the phone can access. Use a strong password and disable biometric locks.

Officials Accidentally Text War Plans to a Reporter

Atlantic Editor-in-Chief Jeffery Goldberg found himself accidentally added to a group chat in the Signal app between the US Vice President, National Security Advisor, and other high-level officials discussing plans to bomb the country of Yemen. He thought it was a prank at first, but it was real. Though initially Goldberg’s story didn’t include all the military details, with the military operation concluded, the Atlantic has published a second piece with the full exchange.

We recommend the Signal app as the best secure messaging app for consumers, but it is not designed to be used for classified military communications and has not been approved for that purpose. Signal is designed to make it easy to invite anyone whose phone number you know into a chat, with no further vetting. By contrast, government systems for classified intelligence have redundancies to prevent unauthorized people from ever being added to a channel. But more importantly, your personal iPhone that has all your personal contacts and messages in it, is not, and can never be, secured for classified communications. For that purpose, a dedicated device is necessary, one that is tightly controlled.

The Bottom Line: Signal is not a substitute for governmental communications systems. Also, when setting up potentially sensitive group chats, or when you are added to one, make sure to double-check the members list. Finally, Signal secures your messages in transit, but if you send a message to a device that’s compromised, then the message will be compromised too. A Signal chat is only as secure as its least secure member.

Everything you need to know about Apple’s latest software updates.

• The most recent iOS and iPadOS is 18.3.2
• The most recent macOS is 15.3.2
• The most recent tvOS is 18.3. (1st and 2nd gen) 18.3.1 (Apple TV 4k 3rd gen)
• The most recent watchOS is 11.3.1
• The most recent visionOS is 2.3.2

The correct answer is C. Run a Safety Check in Settings > Privacy & Security > Safety Check.

Safety Check will not improve your security if your iPhone is stolen. Instead, it will help you identify what you have shared on your iPhone, and who you have shared it with. Safety Check is excellent for when your relationships of trust have recently changed, such as after a breakup.

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Sarah Kingsbury.

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

Interested in keeping your iPhone secure? Check out:

• How to Secure Messages on Your iPhone & iPad
• Answered: Can iPhones Get Viruses?

If you enjoyed this newsletter, you’ll love all the security content available on iPhone Life Insider!

This premium subscription includes:

• The complete iPhone Life Privacy & Security Course for Apple Enthusiasts and other free online courses taught by expert instructors
• In-depth guides on everything from security to iPhone photography to other Apple devices
• Daily, bite-sized video tips on topics ranging from iCloud security to password management
• A digital subscription to iPhone Life Magazine, where you’ll find articles covering the best security gear, apps, and in-depth how-tos
• The monthly premium iPhone Life Security Newsletter covering everything you need to know to keep your digital life secure
• Access to the ad-free version of the iPhone Life Podcast and exclusive bonus content
• Expert help with all your most pressing Apple Watch questions in our private Ask an Expert Facebook Group

Join the Insider community today and save 30 percent!