Security is the main focus of Apple’s just released operating system updates. A new edition of the Powerbeats Pro earbuds is out that may be better than Apple’s AirPods Pro. Apple now permits moving digital purchases between Apple Accounts. And there’s more talk about getting Apple to provide a global back door to encrypted iCloud data.
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.
Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.
Voice Over 00:00
This is the Intego Mac podcast—the voice of Mac security—for Thursday, February 13, 2025. This week’s Intego Mac Podcast security headlines include: Security is the main focus of Apple’s just released operating system updates–Check your software update settings. A new edition of the Powerbeats Pro earbuds is out that may be better than Apple’s AirPods Pro. Wishing helps: Apple now permits moving digital purchases between Apple IDs. And there’s more talk about getting Apple to provide a global back door to encrypted iCloud data. Now here are the hosts of the Intego Mac podcast. Veteran Mac journalist Kirk McElhearn and Intego’s chief security analyst, Josh Long.
Kirk McElhearn 00:50
Good morning, Josh. How are you today?
Josh Long 00:52
I’m doing well. How are you, Kirk?
Kirk McElhearn 00:54
I’m a little bit disappointed. I was expecting we’d be able to talk about a new iPhone today.
Josh Long 00:58
Yeah, there were some rumors that we might be getting the new iPhone SE fourth generation sometime this week, maybe as soon as Monday. But it didn’t happen. I’m still seeing rumors that it might be dropping earlier than usual. We usually get it kind of in the like March or April time frame. But a lot of people are saying, including Mark German, that it’s coming in February, so maybe it’ll be later this week or next week.
Kirk McElhearn 01:22
Well, I believe it’s more or less sold out at Apple Stores. I’m just looking right now on the Apple store in the UK, and it’s listed online, so they apparently still have stock the third gen. You’re talking about the third gen? Yes, sorry, the previous generation that’s going to be replaced. This is actually going to be an interesting phone because it’s getting rid of Touch ID, so it’s going to have face ID, it’s going to have USB C, it’s going to be 6.1 inches. So this is bigger than the early se phones, and it’s going to have an 18 chip, which is pretty fast for what’s going to be a cheap phone. Now, I believe it’s going to be more expensive than in previous years, but this is a good phone for people who don’t want to spend a lot for an iPhone, having an 18 chip means it’ll be able to run Apple intelligence. This is a pretty good deal for someone who wants a cheap phone, a cheap Apple phone.
Josh Long 02:11
And one of the big drawbacks to as compared to getting, let’s say, an iPhone 16 or a 16 Pro or Pro Max, is that the SE reportedly is going to still have just one camera on it, and so the camera is more similar to kind of what you’re expecting from a traditional iPhone SE, right? It’s not designed to be for the photographers. It’s just something that you can have in your pocket, but it’s not really great, and you’re not gonna be able to do like spatial video and things like that, if it just has one camera lens. So you know, if you really are into photography, you definitely don’t want to be getting an SE unless you also carry around a nice camera with you.
Kirk McElhearn 02:55
Spatial video. Josh, someone’s gonna buy an iPhone SE to shoot spatial video for his Apple Vision Pro, yeah.
Josh Long 03:01
I think if you’re a big enough spender that you have Apple Vision Pro, you’re probably also not the same person who’s buying an iPhone SE, so yeah.
Kirk McElhearn 03:11
But as a phone for teenagers at half the cost of an iPhone 16 Pro, it’s pretty good deal. So we have a lot of news about Apple today, actually, and we have an Apple security update that came out, which is a really surprising one, when you think about it.
Josh Long 03:26
There were a series of updates that came out this week. On Monday, Apple released iOS and iPad OS 18 point 3.1 which fixes one vulnerability. Apple specifically says that the impact is a physical attack may disable USB Restricted Mode on a locked device. By the way, they label this as an accessibility bug, which is kind of interesting. And they say Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals. They credit bill marzac of the Citizen Lab for reporting this vulnerability, so extremely sophisticated attack that may disable USB Restricted Mode. That sounds like what they’re talking about is something kind of like gray shifts gray key device that they sell to law enforcement agencies. The wording is interesting here. First of all, they mentioned it’s accessibility. So that kind of makes me think that maybe there’s some flaw that is in very specific cases. If you have an accessibility feature enabled, then someone might be able to plug in a USB hacking tool into your device, into your iPhone or iPad, and break into it, but maybe only if you have this particular accessibility feature enabled. It’s not really clear. We don’t have a lot of extra details about it, but it’s nice to know that Apple is patching these types of vulnerabilities.
Kirk McElhearn 04:57
Okay, there were other updates. Weren’t there? Not just. This one accessibility vulnerability.
Josh Long 05:01
Yeah, so Apple released patches for Sequoia, Sonoma, Ventura, watchOS 11 and visionOS two, all of which the company generically says if you go to check for updates, that they provide important security fixes and are recommended for all users. But then if you go to Apple’s security releases page, they say that none of those updates contain any CVE entries and no Common Vulnerabilities and Exposures numbers, which means that they don’t include that USB Restricted Mode fix. And so basically, they’re kind of saying we don’t have any vulnerabilities that we fixed, even though the other page or the other place that you looked said that we have vulnerabilities that we fixed, and there’s really no other release notes, like Apple doesn’t say at all what the heck is even included in any of these updates. So I guess install these updates because maybe they patch some bugs of some kind. Who knows?
Kirk McElhearn 05:58
Well, if they say that, it’s recommended for all users to apply the updates, which they say every time. I mean, our logic is just apply all the updates, because you never know, right?
Josh Long 06:08
Yeah, it’s just kind of funny, because usually they give some details, and this time, and there’s really no details, so it’s just just assume that they’re probably fixing some bugs, I guess.
Kirk McElhearn 06:18
Okay, Apple didn’t release a new iPhone this week, but they did release a new product, and I want to quote from the product page, after relentless testing and refinements, the next generation, not going to mention the product name, yet is ready for action, and it’s the most advanced product we’ve ever developed. I’m sorry, the vision Pro is probably the most advanced product we ever developed. The iPhone is but the power beats Pro. Two ear buds, well, earbuds, headphones, so these are the ones that have the clips that go around your ears. Back in the early days of I guess it was Walkman, the first headphones slash earbuds I got that didn’t go over the top of my head. Had those clips, and they were pretty cool. They were more comfortable than the headphone, and you couldn’t wear a hat with the headphones that goes over your head and all that. So it listened to what it contains. It has the ultimate secure fit, and it says, in search of the perfect fit, we conducted over 1500 hours of rigorous testing with nearly 1000 athletes. It has heart rate monitoring sensors that can link to both iPhones and Android and different apps. It has active, noise canceling, transparency mode, adaptive EQ, up to 45 hours of battery life in a wireless charging case. Again, I like this kind of earphone, but I don’t like go skiing or play rugby, listening to music and all that. And that’s the point of having the clips, is that if you’re doing something really active, they’ll stay on. But the most advanced product we’ve ever developed, I think they’re kind of exaggerating.
Josh Long 07:44
The design of these is kind of interesting. So they fit inside your ear, and then they’ve got a little bar that goes, kind of wraps around your ear to hold it in place. It’s not what you would expect to see from Apple in something like air pods. But because this is a different brand, you know, beats is, is sort of apples, whatever. I don’t know they’re cool. Hip brand that’s even cooler and hipper than AirPod is, I don’t really like the look of that, that wrap around your ear thing, but I have seen some reviews already of this, and everyone seems to agree that this is a pretty nice headphone. Well,
Kirk McElhearn 08:22
if you want something that holds firmly onto your ears, and it’s not a bar that goes behind your ear, it’s a super white nickel titanium alloy that is renowned in material design for its exceptional shape, memory and flexibility.
Josh Long 08:34
Oh, forgive me, I have misspoke then.
Kirk McElhearn 08:38
Anyway, these are $250 these are the second version of this headphone, Apple had a previous version. I think we’re around the same price, and there’s a small market for this type of headphone. And you know, if you are physically active and you keep losing your AirPods, then go for these news and Apple services. We have two stories about Apple services. For the first time ever, Apple is allowing people to move digital purchases from one Apple account to another. I was going to say Apple ID, but Apple changed that term last year to Apple account. People have been asking for this for as long as there have been Apple IDs, and what they really wanted previously was to merge to Apple IDs, right? So let’s say you set up one Apple account for to use iCloud, another one for your purchases. You decided one is a lot easier to use. You could never do it, and now you can. And that’s really interesting. I kind of wonder why Apple finally gave in to this. Apple has always refused anything like this. Worth noting that this is not available to use in the European Union, United Kingdom or India. I don’t know why. I’ll link to the support document on the Apple website, but this is really interesting, and it kind of suggests that Apple is going to allow people to do more with Apple accounts. I think it was last year that they allowed you to change the email address on your Apple account for the first time. It just kind of makes sense. That Apple make this easier. As as Apple services revenue goes up, they don’t want to put any hurdles in the way of people spending more money.
Josh Long 10:07
That’s a good point. I’ve seen other people say, Oh, hey, look, Apple finally lets us merge Apple IDs. But also not really. It’s still not really what we’ve been asking for. But hey, it’s least a step in the right direction.
Kirk McElhearn 10:19
Okay, last week, we talked about Apple Care Plus contracts, and they’re no longer available in store to buy on an annual or two year basis, but they’re still available online. But Apple made another change. They’ve gotten rid of the cheaper version of Apple Care, so there’s always been two versions of Apple Care, and the one that I’ve always bought was the basic one, which is Apple Care Plus, but then there’s Apple Care Plus, with theft and loss, that costs a bit more. I used to always buy the Apple Care Plus normal because I’m not worried about theft and loss. I’ve got insurance from my home. I’ve got insurance for my business. All my products are covered with that sort of thing. Now I’m going to have to pay more for my Apple Care for something I don’t need. And I find that annoys me, and it the theft and loss coverage is up to two claims every two months. And come on, you’re going to buy an iPhone and lose it twice a year and get it back through the insurance, which is 1399 a month. If you do lose your iPhone often, or if it risks getting stolen, I would certainly recommend you get it, but Apple Care is useful for other things, particularly for quick replacements if anything happens, whether it’s your fault breaking the screen, or whether it’s a hardware defect in a device. I know you never buy Apple Care, right Josh?
Josh Long 11:34
Yeah. I don’t really have I’ve never really had a need for it, like if I do need to get something repaired, I’ll pay for it, because I it’s so like, I can’t even remember the last time that I had to get something repaired on an Apple device that I owned, like my iPhone or something.
Kirk McElhearn 11:52
You know, I was talking with someone about this recently. I always buy Apple Care for my work devices, because if my iMac has a problem, I need it replaced quickly, right? But the last time I had an Apple device that needed a hardware repair is at least five years ago, and I’m thinking, how much have I paid over those five years that I wouldn’t have, that I might have to pay for some eventual repair. But if you remember the last iMac I had, I kept for what was it three and a half years? I’m keeping this iMac for definitely five years. I know I said that for the previous but I think when I next buy a Mac, I might not buy Apple Care. I’ll probably still buy it for a phone, because even though I have never broken an iPhone screen, it would be the one that I get without Apple Care that would break.
Josh Long 12:35
The most recent time that I can recall when I’ve ever had to bring in my own personally owned Apple device to the Apple store for a repair. Was at least seven years ago. I had an iPhone that the battery started to expand. So of course, I had to bring that in, because that’s a pretty serious problem.
Kirk McElhearn 12:54
But you have an Apple Store not too far from you, right?
Josh Long 12:58
Right? Of course, yeah, (I don’t) yeah. I took it to the Apple Store for sure.
Kirk McElhearn 13:02
Yeah, okay, we’re gonna take a break. When we come back, we’ll talk about some malware stories and some AI and some other news.
Voice Over 13:10
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 14:21
So a story leaked last week, and I say week, because this wasn’t announced by Apple or anyone else that the UK Government has been pressuring Apple to build a back door into encrypted iCloud storage. Now I’m going to link in the show notes to a document that shows which types of data are encrypted with iCloud, because not everything is and what the UK government is looking at here is what’s called advanced data protection for iCloud backups, which is something you have to turn on, and it’s not ideal for everyone. So this is end to end encryption that no one can get access to. Apple can actually get access. Access to some of your data, which is encrypted and stored in the cloud, but this is the highest level of protection, the kind of thing that Josh turns on along with lockdown mode. But what’s interesting about the UK demand is that they want Apple to create a global back door, because they want British security officials to be able to access iCloud data of people anywhere in the world, not just British citizens, but people that they might think are a threat to the UK. Now, of course, the problem with this is, once you create a back door, someone will find it.
Josh Long 15:31
And that’s always been the argument that companies like Apple have made. Is, first of all, this is a slippery slope, for one thing, and that once you open a can of worms, well, good luck, right? Like you can’t undo that change if you insert a back door that’s always going to be there, it’s always going to be available to anybody, including the bad guys, including if they find an easy way to exploit this at any time that they want to. So that’s pretty problematic. It’s certainly not good for for people’s privacy, and it’s a little bit awkward, I would say, to have one country say, Well, you must do this globally for the entire world. What if other countries don’t really like that idea? Or, what if citizens of other countries don’t like that idea? You know, they shouldn’t be beholden to some change that the UK Government, or any other government forced upon Apple to remove security protections from their devices. It feels very wrong.
Kirk McElhearn 16:33
So what seems likely is that Apple would just stop offering advanced data protection in the UK, and there are many countries where they do not offer it. You know, not all of these privacy features in Apple’s operating systems are available in every country around the world, and this would penalize people in the UK who own Apple devices, even if they go into other countries, they wouldn’t be able to turn this on. And this is problematic. Apple is not allowed to say anything about this, and this information leaked. I wonder if it leaked from someplace, from Cupertino, by the way, but we may never know about this unless Apple decides to stop offering this feature. So I think Apple needs a warrant Canary for this.
Josh Long 17:09
Yeah, we’ve talked about warrant canaries before. This is the idea that a company can put some block of text somewhere on their website that says, We do not do this. And then if at some point they’re forced by a government authority to do that thing, then they just remove that little line of text from their website. And now people who know to look for that will be able to identify that. Ah, I see. So they have made a change. They’re not allowed to say that they made the change. But now that that text is missing, we know that they must have.
Kirk McElhearn 17:43
Okay. So we’ve been talking about DeepSeek a few times recently, and we have a couple of stories here about DeepSeek, iOS app, sending data unencrypted to bytedance controlled servers. Now bytedance is the company that owns TikTok. DeepSeek is a different company, but it could be the kind of thing like Facebook sends your data from all the websites to Facebook, or maybe they’ve just rented servers from bytedance. At the same time, Texas, the state of Texas and United States, they have banned DeepSeek, red note and lemonade and stock trading apps called moo, moo, Tiger brokers and web Bull. I never heard of most of these other than DeepSeek and red note and DeepSeek is now prohibited in New York government devices. So DeepSeek is getting the trifecta here, or the perfect or whatever it really is turning out to be. It’s the next TikTok, right? It’s going to be banned. It’s going to be banned everywhere in the United States. Even though you can download the DeepSeek model, because it’s open source. You can even install it on a Mac for now.
Josh Long 18:42
This is something where the app is getting banned from government devices in Texas and New York and some other places as well. But that’s a different thing from being banned from a country or a region or whatever in those kind of cases, like sort of what happened with TikTok. It was a universal ban, meaning it’s no longer allowed in the country, meaning that if anyone’s distributing it, there’s going to be massive fines and so forth. This is something that we’ve actually seen before, this kind of thing where an app is banned from government devices.
Kirk McElhearn 19:16
That’s actually how it started with TikTok. There were state and local governments had banned it first, and then countries, and then, you know, the National ban in the United States. So I think we’re heading toward the same thing. Worth noting that DeepSeek is banned on government devices in South Korea, Australia and Taiwan. Not surprising that it’s Taiwan and South Korea who are neighbors of China.
Josh Long 19:35
By the way, I’ve recommended this before. I think we’ve talked about this on the show. I don’t recommend using the DeepSeek app. If you really want to use DeepSeek as a model, there’s a couple of options. You can either run it through perplexity, which has its servers hosted in the US, so you’re not sending any data to China, but you’re still able to use the DeepSeek AI model. Or you can really even host it locally, if you want to. There’s a little bit. More work involved in that, but it is possible to run it on your Mac.
Kirk McElhearn 20:03
Okay, we got some news from Google, and this is interesting because I have a Google phone, and when I fired it up yesterday, I got a notification talking about the fact that Google blocked 2.3 6 million risky Android apps from the Play Store in 2024 we’re going to link to an article on bleeping computer. Do you block 2.3 million risky Android apps, okay, how many are still left on the store? How many were just added to the Google Play Store today?
Josh Long 20:28
Exactly. This is one of those headlines that is meant to sound really good, right? But it doesn’t actually say anything at all. That number could be a billion risky apps, but if there are 17 billion risky apps that are currently in the Google Play Store, then that doesn’t do you any good. So that’s the thing, is, they’re not telling you the important bit, which is how many actually slipped through the cracks and actually got into the store. This is one of those headlines that’s like, it’s meant to be a feel good story and make you feel really positive about what a great job Google must be doing, but it doesn’t actually say anything. And as we know, as we’ve talked about before, my friend Bob, who doesn’t give his last name, has a website where he tracks a whole bunch of hundreds of apps in both the iOS App Store as well as the Google Play Store that are scam apps. They’re illegitimate apps. Sometimes they’re they’re mimicking legitimate financial organizations, or they do a number of other things to to scam people. And these are still getting into the stores, both Apple and Google stores. That’s really great that they’re blocking almost 2.4 million risky apps, but doesn’t say what they’re missing.
Kirk McElhearn 21:43
A quick Google tells me that there are about 2.1 million apps in the Google Play Store and about 263,000 games. So that means they blocked as many apps as there are in the store. I mean, can you imagine 2 million apps? 2 million plus apps? What can they be doing? I mean, how can there be 2 million apps? Most of them are totally useless or are scam apps. It looks like from from one side I’m looking at here, half a million of these have fewer than 100 downloads. So you know, this isn’t to say that you can’t make your own app for you and your friends, right? And it’s probably pretty easy to do that. If you want to make your own messaging app just as or a game or a dumb thing like that. That’s fine. In fact, I think wish Apple would allow people to do that in the iOS App Store, but still, if they’ve blocked as many apps as there are in the store, I mean, how many other apps are there in the store that are malicious? So can’t trust all of this stuff. You mentioned a story that I found really interesting about and this is another one from bleeping computer, about the brave browser that lets you inject custom JavaScript to tweak websites. And I’m thinking, Okay, why would I want to do that? Maybe I want to put a dark theme on a website or a light theme on a website that’s dark that I can’t read. But then I’m thinking, gee, couldn’t hackers use this to, like, give you links that include JavaScript or try to convince you to add JavaScript to certain websites. This doesn’t seem to be very secure.
Josh Long 23:07
Well, and I like that you think that way, Kirk, because that’s you’re thinking like an attacker, and that’s a good way to avoid falling into some of these traps. I will say that the feature actually, to me, sounds kind of cool, if you’re the kind of person who likes to do this kind of tweaking, custom tweaking of websites. I’ve actually done similar things with some browser extensions. They do mention in this article there’s a couple of really popular extensions that have been around for decades, called tamper monkey and grease monkey that allow you to make custom modifications to a website, and so brave is saying we’re going to just include the functionality to do that built into the browser. They do hide it behind a developer flag. So you have to enable developer mode in order to use this. Gee, that’s really difficult. Well, it’s a one click thing. You have to go into the settings. You toggle on developer mode, and then you can create these scriptlets. These are custom filters or custom code that you can add. They do give a big red warning that says, Don’t paste code here that you don’t understand or haven’t reviewed yourself. But there’s also another sentence that’s kind of long, so it might be a too long didn’t read situation for some people. So I could envision a scenario where somebody has a website and they say, Oh, here’s a cool hack for Bank of America to make it run even faster, right? And just copy and paste this into a script in your brave browser. And people might go, oh, yeah, that site always runs kind of slow. For me. That sounds like a good, good idea. So it’s those kind of scenarios. It would have to be a situation where you’d have to go through some hoops, right in order to get somebody to actually put malicious code into their own browser. I suppose there’s a positive. Ability that maybe malware could inject these scriptlets into your local brave browser, but then you already have malware on your device anyway. And of course, they can do things like keystroke logging and all the other stuff. So at that point, you know, if they’re injecting code into your browser, that’s not too much different from anything else they could already be doing as malware on your device.
Kirk McElhearn 25:22
What I’m thinking is the sort of call center scammers that call someone and say, you need to do this because I’m your bank, and they’re going to tell you that you have to download this browser and it’s legitimate, and they give you the website for brave, and you see it looks like a legitimate browser, and you doubt. I mean, there’s a lot of steps to convince someone, and then by text message, they give you the code to paste in, and it’s a lot of steps, but the way some people get scammed, I mean, this is just, I don’t know, we don’t need this kind of thing. This isn’t making anyone’s life any better, unless you’re a hacker. And there should be some limitation to the ability to do this kind of thing, because also, if you have physical access to someone else’s computer, you can enter JavaScript on a website and the user won’t even know about it. Okay? Last Story, Microsoft Patch Tuesday, February 2025 they fixed 8000 zero days and 4 million flaws and a gazillion vulnerabilities. And I’m exaggerating just a little bit. You know that when we look at it like this, it’s a monthly thing, like Apple had one zero day and Microsoft has four. But it’s not like a league table of who has more zero days, or is it?
Josh Long 26:27
No, actually, that’s a really good point. So whenever you see headlines about the number of flaws that are being patched, you could interpret them in a couple of different ways you could, and both of them are wrong, by the way, if you either think, you know, oh, Microsoft patch more vulnerabilities, therefore Microsoft is more secure because they patch more vulnerabilities, or you could also look at it as Microsoft is less secure than Apple because they have more flaws to begin with. And neither one of those is really correct because we don’t know how many flaws remain unpatched, right? We don’t know how secure the code was to begin with, and well anyway, the important thing to know is yesterday, as we’re recording this on Wednesday, yesterday was Microsoft’s monthly Patch Tuesday. There were somewhere between 55 and 63 vulnerabilities that they patched, depending on whose count you’re looking at, and either two or four zero days. So if you know somebody who uses any Microsoft software, make sure to tell them to install updates.
Kirk McElhearn 27:29
Interestingly, there are no updates in the Mac App Store for Microsoft Office apps. I checked just before we started recording. So maybe there were no vulnerabilities for those apps, right? Because Patch Tuesday is for Windows, all of Microsoft operating systems, all their apps, etc. All right, that’s enough for this week. Next week, we will probably have a new iPhone SE to talk about until next week. Josh, stay secure.
Josh Long 27:47
All right, stay secure.
Voice Over 27:51
Thanks for listening to the Intego Mac podcast. The voice of Mac security with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode be sure to follow us in Apple podcasts or subscribe in your favorite podcast app, and if you can leave a rating, a like or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.
