Apple Security and Privacy in 2023: The Year in Review
Posted on
by
Kirk McElhearn
The year 2023 was a busy one for Apple security, with more malware, more vulnerabilities, and more attempts to bypass the protections built into macOS, iOS, and iPadOS. In addition, third-party software used on Apple platforms was the subject of vulnerabilities and breaches, making it essential to stay up to date with security updates to both Apple’s operating systems and other software.
In 2023, a number of zero-day vulnerabilities led Apple to issue emergency security updates, including the company’s first “Rapid Security Response” updates, while new features were introduced to help ensure privacy and security in macOS, iOS, and iPadOS.
Here are some highlights of major Apple news and several security and privacy issues that affected Apple users in 2023.
(See also our article covering the notable Mac and iPhone malware of 2023, and what to expect in 2024.)
January
The LastPass data breach
One of the first security issues of the year was the revelation of a massive data breach of the LastPass password manager. The service was hacked in August 2022, and as the months went by, the company changed from denying the breach to suggesting that it wasn’t serious. But customer data was indeed accessed, and some vaults—the encrypted files containing passwords—were found to use weak encryption and be vulnerable to potential attacks.
This complicated situation, and the company’s obfuscation of key facts, led us to recommend that users no longer trust LastPass, and switch to other trusted password managers instead. We discussed the LastPass breach in depth on episode 273 of the Intego Mac Podcast.
Apple’s Safari browser turns 20
Also in January, Apple celebrated the 20th anniversary of its Safari web browser. Since the web browser is the platform for much interaction with the internet, Apple has continuously added features to ensure the security and privacy of Safari. There’s a lot of competition, but Safari is a great choice for users of Apple devices. See below for more on new privacy and security features in Safari in this year’s operating systems. As the number-two most popular browser in the world, Safari is a major target for cybercriminals.
Apple security updates (and the lack thereof for Apple Watch Series 3)
Apple issued dozens of security updates for its operating systems and software during 2023, and in January, even released minimal patches for ten-year-old iPhones and iPads running iOS 12. However, the company neglected to patch security vulnerabilities that affected the Apple Watch Series 3, putting users of this device at risk. The company had sold new units in the main section of its store as late as September 2022, and would continue to sell refurbished units until March 2023; see the March section below for more on this.
Apple adds support for hardware security keys
In January 2023, Apple added a feature to its operating systems allowing users to protect their Apple ID accounts with hardware security keys, which can work via USB, Bluetooth, or NFC. This prevents hackers from changing the Apple ID password without this hardware key. This is a robust security feature, but it involves a bit of hoop-jumping for users, so only those whose accounts are at risk should adopt this technology.
February
Twitter makes SMS-based 2FA a paid-only feature
Twitter (now X) announced that the company was turning off two-factor authentication (2FA) via SMS text messages for all users who don’t pay for a Twitter Blue (now X Premium) account (which costs a minimum of $7/month when paying annually via the Web). While sending two-factor authentication codes via SMS is inherently insecure, it’s still a better solution than not using 2FA at all, if for whatever reason users can’t use other 2FA options.
In an article on the Intego Mac Security Blog, we explained how to set up two-factor authentication on Twitter/X using the Apple Keychain and with authenticator apps, without having to pay for X Premium.
(Later in the year, X introduced a Basic plan for $3/month that includes SMS-based 2FA without a blue “verified” badge.)
Apple launches Advanced Data Protection for iCloud
Also in February, Apple launched Advanced Data Protection for iCloud. This feature gives users the “highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.” However, there are some limitations to this feature, and it is not recommended for everyone. We discussed Advanced Data Protection in December 2022 in episode 270 of the Intego Mac Podcast.
March
Phishing e-mails leverage AI tools to appear legitimate
Phishing is one of the main threats to users, and we have long warned people about malicious emails. With the advent of AI tools like ChatGPT, one of the telltale signs of phishing emails, namely poor grammar and spelling, is now less common. In episode 282 of the Intego Mac Podcast, we discussed the threats from this new technology and also looked at scam products sold on Amazon. (See April and December below for more on new types of phishing.)
Apple finally stops selling the vulnerable Apple Watch Series 3
We mentioned above how Apple hadn’t issued security updates for the Apple Watch Series 3, which it stopped selling (new) in September 2022. But the company kept selling refurbished models of this watch until March 2023, eight months after the version of watchOS it supports received its last security update. It’s extremely dangerous to sell devices that can’t get security fixes, and it’s just as dangerous to buy devices that are near the end of their life.
Passkeys gradually increase in popularity
Passkeys are a new technology that will (supposedly) eventually replace passwords. With them, there’s no longer a need to remember secure passwords, or to create passwords that are too simple but easier to remember. Passkeys leverage biometric authentication on your devices, and can’t be phished or hacked. Support for the technology started rolling out on a number of websites and services in early 2023, and Apple also added passkey support to Apple IDs.
April
Scammers increasingly use legitimate services to send fake invoices
As mentioned above, phishing is one of the main threats to users today. A disturbing new trend in phishing has been spreading: it uses trusted online accounting software to generate fake invoices, including some for well-known services, such as Best Buy’s Geek Squad. Many of these are sent by software from Intuit, such as QuickBooks, and the company has not shown much interest in preventing them. And in June, we looked at how these scams had spread to other hosts, such as PayPal.
Google Chrome has back-to-back zero-day vulnerabilities
Google’s Chrome web browser had several zero-day vulnerabilities this year, including two in less than a week in April. But these don’t just affect Chrome: other browsers that use the Chromium engine need updates as well. If you use one of these browsers, you need to ensure that you update it regularly. These vulnerabilities also affect apps using the Electron framework, so make sure to keep these apps up to date. There were eventually eight zero-day vulnerabilities that affected Chrome and the Chromium engine throughout the year.
May
Apple releases its first-ever Rapid Security Response patches
With Apple’s new 2022 operating systems, the company has developed what it calls “rapid security response” updates. These updates are designed to address zero-day vulnerabilities that need to be patched as soon as possible, rather than waiting for more general updates to macOS, iOS, and iPadOS. In May, Apple issued their first rapid security response update, and issued other rapid security response updates later in the year (including a flubbed update in July). We discussed this on episode 290 of the Intego Mac Podcast.
Intego releases guidance on avoiding older Apple operating systems
Apple issues security fixes for the current and previous versions of their operating systems, but older OSes may not get updates, rendering them unsafe. We mentioned above how Apple sold the Apple Watch Series 3 refurbished well after the device no longer got updates. Since Apple and other retailers sell refurbished iPhone models, we looked into how long it was safe to buy old iPhones. In When does an old iPhone become unsafe to use?, we gave advice on how many years Apple generally supports iPhones with security updates. There are occasional exceptions – such as the update mentioned above in January, which patched vulnerabilities on ten-year-old devices – but these are rare. In July, we published a similar article about older Mac models highlighting which ones don’t support the current or previous versions of macOS, the only versions to regularly get security updates.
June
Apple makes its OS betas easier to obtain and install
Apple has long offered beta versions of its software to people with developer accounts, which currently cost $99 a year. In 2022, they decided to allow anyone who wants to take the risk to run beta software on their devices. It’s easy to do this, but it’s not without potential hazards, especially concerning the data on your devices. We explained how you can set your devices to install beta software, and we outlined the dangers in doing so.
Apple announces macOS Sonoma, iOS 17, and more at WWDC
At the Worldwide Developer Conference in June, Apple presented its forthcoming operating systems, which were released in the fall: iOS 17, iPadOS 17, and macOS Sonoma. As is the case every year, these contained new security and privacy features, such as enhanced private browsing in Safari and password and passkey sharing. There were also plenty of other security and privacy enhancements under the hood, such as Lockdown Mode and Safari profiles, so you can separate your work browsing from your personal browsing.
Apple previews Apple Vision Pro at WWDC
The company also introduced the world to Apple Vision Pro, a new augmented- and virtual-reality (AR/VR) headset that will debut in early 2024. Starting at $3500, it’s hard to imagine that the first-generation model will gain widespread adoption. Nevertheless, it will be interesting to see how the product evolves, assuming Apple continues to release updated models rather than scrapping it altogether.
So far, it’s unclear what the security and privacy implications of Vision Pro will be. Presumably, with the operating system being very similar to that of Apple’s others, it will be vulnerable to many of the same exploits used against iPhones, iPads, and Macs, and will likely get security updates equally as often. And, of course, users will need to stay diligent to avoid downloading any scammy or potentially harmful apps from the App Store.
July
Threads launches; quickly mimicked in App Store
In early July, Meta (owner of Facebook and Instagram) launched yet another social network. Dubbed Threads, it was meant to be a direct competitor to Twitter/X. Notably, it wasn’t yet available in the EU. We wrote about how to manage Threads security and privacy settings.
Shortly after its launch, a fake Threads app was discovered in the App Store. It was available in the EU, and offered extremely costly in-app purchases. After public outcry, Apple removed the app from the App Store.
July also saw the launch of WormGPT, a ChatGPT-like chatbot specifically designed for cybercriminals’ use. We discussed it on episode 301 of the Intego Mac Podcast.
August
Downfall, a new speculative execution flaw affecting Intel Macs, comes to light
Back in January 2018, the Spectre and Meltdown vulnerabilities were discovered; these were “speculative execution” flaws in processors that could be exploited by malicious users. In August 2023, a security researcher presented information about a similar vulnerability called Downfall. This vulnerability only affects Intel processors, while all new Macs have (non-impacted) Apple silicon chips. But older Macs are potentially vulnerable; we pointed out that some of these older Macs won’t get software mitigation for this issue, and we discussed this on episode 305 of the Intego Mac Podcast.
September
Apple App Store hosts scammy and dangerous apps
Apple has long touted the security of buying apps from its App Stores, but scammy apps on Apple’s App Store have been a recurring theme this year. Many of these are loan apps available in India and other Asian countries, but this highlights how little Apple does to weed out scam apps in its App Stores.
At the time, Intego pointed out that one must be very cautious about downloading any app, even from Apple’s employee-curated App Stores. This will become even more of an issue if Apple is forced to allow third-party app stores to sell apps for the iPhone and iPad.
Lockdown Mode now available in watchOS 10
For the first time ever, Lockdown Mode became available for the Apple Watch in September, as part of watchOS 10. Now the Apple Watch shares the same increased-security mode that macOS, iOS, and iPadOS have previously supported.
Lockdown Mode is automatically enabled for any Apple Watch that’s paired with an iPhone that has Lockdown Mode enabled.
October
Older Macs can be upgraded (unofficially) to macOS Sonoma
As we mentioned above, certain old Macs don’t get security updates. We’ve written a lot about how you can use third-party software to install Apple’s latest operating system—in this case, macOS Sonoma—on some very old Macs, to ensure that they continue to get security patches. It’s a weekend project, though it’s not that complicated, thanks to a community of users who want to keep old Macs running with the latest OS.
We last updated our article in October to explain new changes in Open Core Legacy Patcher that allow it to work with macOS Sonoma on Intel Macs from 2008 or newer.
November
Apple App Store and Google Play Store host face xAI (Grok) chat-bot apps
It’s not just Apple that hosts fake apps in their App Stores: Google and Apple were both found to host fake apps for Elon Musk’s Grok AI tool, before it was even released. A few days after these apps were discovered, Apple removed them, but Google did not. Caveat emptor.
December
Scam e-mails threaten site operators, demand Bitcoin
We discovered a new type of scam email, threatening a DMCA takedown for the unauthorized use of images on websites. The email is quite well written, and sounds real; people running websites with lots of images could get fooled. However, the giveaway is that the sender requests $500 in cryptocurrency. We did some research and found that, since you can access all transactions recorded via the blockchain (though they are anonymous), both the Bitcoin and Ethereum addresses had been reported as scams.
Apple continues to ship insecure open-source tools in macOS
Apple has been negligent about updating some of the Unix tools that are part of macOS, two of which have critical vulnerabilities that are exploited in the wild. Intego’s research has shown that this has been going on for some time, with Apple not updating common tools such as curl, LibreSSL, zlib, and nghttp2. In the past, Apple also continued to ship a vulnerable version of Python in macOS for nearly two years after it had last been patched. These open-source tools can be used by any app running on macOS, and vulnerabilities in these tools need to be patched as soon as possible.
How can I learn more?
The year 2023 was definitely a busy one for Apple security and privacy. But there’s a lot more that we haven’t covered in this article: namely, the malware that affected Macs and iPhones in 2023, and our 2024 Apple malware forecast. Check out the article for more details!
The Mac and iPhone malware of 2023—and what to expect in 2024
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
