Privacy & Security  
January 2024 Edition

Editor's Note

Hi Insiders, Cullen here.

This month we’re adding two new features to our security and privacy newsletter: first, I want to make sure you’re up to date on the best practices for security and privacy, so we’ll be listing three recommendations each month right at the top of this newsletter. Second, we’re adding a statement of values that will appear at the bottom of every edition that explains how we pick which news to cover and why.

We have a lot of news and a few updates from Apple to catch up on from over the holidays. Let’s dive right in.

As always, let us know what you think at security@iphonelife.com.

Cheers!

Cullen Thomas,
Senior Instructor at iPhone Life

In This Newsletter:

  • Top 3 Security Skills of the Month: Each month we'll share three things to practice, based on the stories below.
  • Security Updates from Apple: What we know about Apple's security patches and updates.
  • Common Hacks, Scams, & Trouble: A selection of illustrative threats from the last month.
  • Latest from Around the Web: General privacy & security news for Apple enthusiasts.
  • Security Tip of the Month: One thing you can do in three minutes or less to improve your security.
 
Top 3 Security Skills of the Month

We're highlighting these three skills because they're basic cyber self-defense for regular people, but they also would have prevented some of the stories you'll read about below.

  • Use strong multi-factor authentication wherever possible. Passkeys or FIDO certified hardware keys are the best, app-based one-time codes are next best, then email or text message-based one-time codes. Any multi-factor system is better than none.
  • Use a privacy-focused web browser such as Safari or Firefox.
  • Verify the identity of senders. This includes checking the source address of any incoming email or message, as well as checking the validity of connections made on social media and dating apps by insisting on a video call.

For more of our top security recommendations, see our course on privacy & security for Apple enthusiasts.

 
Security Updates From Apple

iOS 17.2, MacOS 14.2 etc…

In mid-December, Apple released the much-anticipated Journal app as part of an update to its suite of operating systems for iPhone, iPad, Mac, and Watch. The new app is designed to provide a private and secure place for daily journaling, protected by Apple’s security promise (you can lock it with your Face ID or Touch ID!), but full of the features you’d expect such as daily prompts.

The updates also include security bug-fixes, including a patch for the Flipper Zero Bluetooth attack we previously reported.

iOS 17.2.1, MacOS 14.2.1 etc…

Just a week later, Apple rolled out a quick update with no explanation at all. They said it contained “important bug fixes” and is “recommended for all users.” This kind of rollout might imply a particularly dangerous security risk that they don’t want to advertise, but it’s just as likely that it’s fixing something that was broken in 17.2.

iOS 17.3, MacOS 14.3 Brings Stolen Device Protection

Released on January 22, iOS 17.3 brings a much-anticipated security feature called Stolen Device Protection. Back in February of 2023, the Wall Street Journal published an investigation revealing a trend of thieves stealing iPhones only after videoing the owner entering their passcode. This let the thief access the locked iPhone’s encrypted storage, including any passwords stored in iCloud, which in turn supplied illicit access to the owner’s entire digital life. To combat this, Apple has developed a new tool called Stolen Device Protection. When activated, your iPhone tracks where you spend most of your time and automatically locks several sensitive functions, like the ability to change your device passcode or Apple ID password, when away from those locations. The idea is if a thief steals your iPhone, then they will be in a new and unfamiliar location when they try to change your Apple ID password and access all your iCloud passwords, and they will not be able to fool biometrics. Thus, the rightful owner of an iPhone can still change the passcode using Face ID or Touch ID even if they’re not at home.

iOS 17.3 also includes a fix for a bug in Safari that permitted attackers to target many iPhone, iPad, and Mac models. Apple says this bug may have been in use by hackers and scammers already.

The Bottom Line: Grab iOS 17.3 at your earliest convenience. I can’t think of any downside to activating Stolen Device Protection, especially if you frequent public environments where a potential thief might be in a position to watch you enter your passcode. It’s not a perfect defense, but it’s something.

 
Common Scams, Hacks & Trouble

One Basic Measure Would Have Stopped Major Social Media Takeovers

In January, a major cybersecurity firm called Mandiant lost control over their X account (formerly Twitter), proving that this sort of thing can happen to anybody. Further proof was then supplied by the US Securities & Exchange Commission (SEC), Wall Street’s top regulator, who also lost control over their X account just a few days later. This is unusual for major security companies and government agencies, but it’s become increasingly common on X. The miscreants who took control of Mandiant’s account tried to post a fake cryptocurrency deal that would have drained the victims' wallets. The rogues who took control of the SEC account used it to post fake news about bitcoin that caused the value of bitcoin to spike.

How this happened is worth knowing, since it illustrates the importance of our security practice of the month point number 1 (at top of this newsletter).

In the case of Mandiant, thieves probably guessed the password or else purchased it on the dark web. Normally, thieves should not be able to log in with a password alone, because they should then have to enter a code, usually delivered in a text message. However, back in early 2023, X decided to disable text message-based code delivery for free accounts. When they disabled that feature, they did not require users to switch to a different multi-factor method, such as app-generated codes, physical keys, or passkeys. Instead, they just turned it off, and if the user did not set up a new method on their own, then their account was simply not protected by multi-factor authentication anymore. Mandiant’s posts suggest that they had set up multi-factor authentication, possibly with text message codes, but, like millions of other users, didn’t set up a new method after X paywalled the feature. Because the thieves didn’t need a second factor, they were able to get in with just the password.

In the case of the SEC, they blamed their account takeover on a technique called SIM swapping. This works by thieves convincing a cell phone carrier company that they are the owner of the phone number associated with an account, and then having the number transferred to a new device they control. This lets them gain access to any accounts that can be reset from that phone number, but it also lets them intercept any verification codes sent to that number. So in the case of the SEC, text message-based verification codes couldn’t protect them, but as it happens they also had two-factor authentication turned off altogether. Cue the sad trombone.

The Bottom Line: If you’re still using X (Twitter), you should log in and navigate to your settings page, look for security settings, and make sure that you have a multi-factor authentication method enabled. In general, always use multi-factor authentication wherever possible. Text message-based codes are the weakest form of multi-factor authentication—codes generated by your password manager app are better, and hardware keys are even better than that—but even text message codes are better than nothing: they would have protected Mandiant.

Changing Your Password Won’t Stop a New Google Account Attack

A bug has been discovered in Google’s authentication systems that lets a bad actor who has access to a Google account keep their access even after the password has been changed. Google hasn’t patched this bug yet, but it has proliferated on criminal markets.

The Bottom Line: If you use Gmail or other Google services and you find yourself needing to change your password, perhaps because you clicked a suspicious link, you will also need to log out everywhere. Changing your password and then logging out everywhere should defeat this bug and evict an attacker. Unfortunately, logging out everywhere is not a one-click process. You can do it at https://myaccount.google.com/security, but there are several steps. Once you’ve changed your password, go back to that same page and navigate to Your Connections to third-party apps and services > see all connections > click on each app and log out of it. Then finally go back to the security page again and under Your devices > Manage all devices, log out of any remaining sessions on all your devices. Then you can log back in again safely.

New Facebook Feature Called Link Tracking Remembers Every Site You Visit in the Facebook Browser

The Facebook app on iOS and iPadOS has its own built-in web browser. By default, when you tap on a link in Facebook the web page opens in Facebook’s own browser, rather than Safari or your browser of choice. Now, Facebook has quietly rolled out a new feature in their apps called Link Tracking, which remembers every link you open, and every link you visit in their browser, to help build a profile of your interests. The feature only applies in the Facebook app, not on the Facebook.com website.

The Bottom Line: You can disable link tracking in the Facebook app, but it’s on by default. However, a more secure way to use Facebook is to avoid the app altogether, and instead open Facebook.com in a privacy-focused browser such as Safari or Firefox (see security practice of the month point number 2 at the top of this newsletter).

 
Latest from Around the Web

AirDrop Encryption Broken, Chinese Censors Make Arrests

The Chinese government has arrested several individuals they accuse of sharing “inappropriate” material via AirDrop. For the past two years the anonymity provided by AirDrop, Apple’s local and peer-to-peer file sharing protocol, has made it a useful method for people in China, particularly Hong Kong, to dodge censorship. Government censors can watch internet traffic, but AirDrop doesn’t require an internet connection, so it could be used to proliferate memes and pamphlets critical of the Chinese government or leadership. Some memes and pamphlets were distributed by AirDrop randomly in crowded public places, such as train stations.

In November of 2022, under pressure from the Chinese state, Apple limited AirDrop functionality in China so that allowing your device to receive files from unknown senders could only be turned on for 10 minutes at a time. Now a Chinese forensics contracting firm named Wangshen Dongjian has created a tool capable of reaching into an iPhone’s memory to decrypt the logs recording the senders of past AirDrop transfers. If they have an iPhone that has received illicit material by AirDrop, then they can identify the phone number and email address of the sender. They’ve used this to identify and arrest several individuals.

Security researchers in Germany had already found the vulnerability in AirDrop back in 2019. They notified Apple and even supplied a potential fix in 2021, reports CNN. Evidently, Apple did not act on the tip.

The Bottom Line: We hope that Apple is finally working to update their AirDrop methods to either harden the encryption or, better yet, not retain past sender data to begin with. Until they succeed, visitors to China may wish to turn AirDrop off on their devices, just to avoid any accidental misunderstandings.

From my reading of the reports, it looks like Wangshen Dongjian’s tools require physical access to a “victim” phone to figure out who sent the offending files, so the exploit doesn’t seem valuable to scammers or hackers, only to government censors. But if they can crack the encryption on the logs, then they may be able to extract other information as well.

Apple Expected to Open European App Store with Sideloading

iPhones can only install apps from Apple’s own App Store. However, due to regulatory pressure from the European Union, Apple is reportedly poised to split their App Store into a European version and another for everyone else. The European version will allow users to add apps from other sources besides the App Store. Critics of Apple’s current system say that more sources of apps will lead to innovation and provide greater choice for iPhone users, while proponents say the limited selection available through Apple’s App Store is easier to police and more secure.

The Bottom Line: If you are based in Europe, then you may soon see an update to your iPhone to allow third party app stores. I would recommend avoiding any third-party app store for privacy and security reasons.

Myanmar Rebel Militias Report Progress on Stopping Pig Butchering and Human Trafficking Operations

Pig butchering remains a particularly nasty form of scam for all the reasons we reported last November. Scammers spend months or years using a fake persona to build a relationship of trust and affection with their victims, only to use that relationship to con the victim into investing in a false cryptocurrency app. Once the victim has invested everything they possibly can in the fake cryptocurrency opportunity, the scammer then empties the accounts and disappears.

While these scams continue, some progress has been made recently in closing the centers where the scammers operate en masse. Many of these centers, which employ human trafficking victims in forced bondage to do the scamming, are based in southern Myanmar, a region where rebel factions are at war with the government. Chinese state agents have made contact with some of these rebel groups, pressuring them to make closing the call centers a priority. So now rebel groups have begun claiming successes in missions to find and close scam centers, including seizing control of the city of Laukkaing, where many are based.

The Bottom Line: It remains unclear whether these actions have reduced the risk of pig butchering scams. When developing friendships or relationships on the internet, always insist on a video call to verify the identity and authenticity of the other person. This is our security practice of the month point number 3: verify the sender.

Pig butchering scammers are almost always based out of places where they are difficult to prosecute, so there is little legal recourse for victims. If you think that you or someone you know might be a victim, stop investing right away and try to get the money back. Many of the fake cryptocurrency opportunities offered by pig butchers will allow you to withdraw your money. They want you to think the investment is working, so as long as you’re still well below what they think is your maximum potential investment, they’ll keep permitting you to make withdrawals. The FBI has asked victims to make a report.

 
Security Tip of the Month

How to Enable Stolen Device Protection

If you frequent public places or transportation, then you may wish to enable this brand new feature. It will make it harder for someone who watches you enter your passcode and then steals your iPhone to use that passcode to lock you out of your Apple ID and password vault. To turn it on, open Settings, then tap Face ID & Passcode (or Touch ID & Passcode). You’ll be asked to authenticate with your device code. Once you’ve done that, scroll down to find Stolen Device Protection and tap the blue link to Turn On Protection. Note the link there to see how it works, which is useful to know: once active, it does two things:

  • When your iPhone is not in a place you usually visit, it locks some sensitive actions with your biometric instead of your passcode, since your biometric can’t be stolen as easily.
  • When your iPhone is not in a place you usually visit, some very sensitive actions like changing your Apple ID password will also require you to wait an hour and then authenticate with your biometric a second time.

It’s a clever workaround, and I hope it has an impact on deterring iPhone theft! As before, if your iPhone is lost or stolen, sign in to icloud.com with your Apple ID and use Find My to mark it as lost. This will lock the device. You can even remotely wipe the device, if you must.

 
Mission Statement

The iPhone Life Privacy & Security Newsletter focuses on practical security advice for everyday Apple enthusiasts. We look for scams, hacks, trouble, and news to illustrate the kinds of problems everyday people may encounter in their private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. This newsletter is written by me, Cullen Thomas, and edited by Donna Schill.

 
Copyright © 2025 Mango Life Media LLC. All Rights Reserved.