Why Deleting An App Does Not Remove Your Data

You Deleted the App. Your Data Didn't Get the Memo.

A friend of mine deleted Tinder after getting into a serious relationship. Clean break, fresh start — or so she thought. Two years later, she logged back in out of curiosity and found her entire profile waiting for her: photos, bio, match history, even old messages. Nothing had changed. The app was gone from her phone, but she had never actually left Tinder's servers.

This is not an edge case. It happens constantly, across nearly every app you've ever used.

The Confusion Is By Design

When you delete an app, your phone removes the software — the code that runs on your device. What it does not touch is the account and all the data tied to it, which lives on the company's servers, not yours.

Think of it like checking out of a hotel. You take your suitcase and leave. But the hotel still has your credit card on file, your stay history, your room preferences, and whatever the cleaning staff found under your mattress. Leaving the building didn't erase any of that.

App companies have no financial incentive to delete your data when you uninstall. Your behavioral data, purchase history, and usage patterns are valuable assets — often more valuable than whatever you paid for the app in the first place.

What Actually Stays Behind

Here's where it gets specific. When you use an app, data gets stored in at least three places simultaneously: on your device, in the company's cloud servers, and often with third-party partners — analytics platforms, advertising networks, data brokers.

Deleting the app clears only the first category.

According to Apple's App Store Review Guidelines, apps must provide account deletion functionality — but this rule only applies to apps that require account creation. Many apps collect data without requiring a login at all, using device identifiers instead. You can't delete what you never formally created.

The third-party problem is the part most articles skip entirely. Even if the app company deletes your account perfectly, they may have already sold or shared your data with partners who have their own retention policies. Deleting your Uber account doesn't reach back and erase the location data that was already shared with their mapping and analytics vendors.

The Counterintuitive Part

Here's what almost nobody tells you: some apps retain your data longer after you delete your account than during active use.

Why? Fraud prevention and legal liability. If you dispute a charge or file a lawsuit six months after closing your account, the company needs records. Many platforms interpret "data retention for legal purposes" broadly enough to justify keeping your information for years. You opted out, but compliance kept you in.

According to Uber's Privacy Notice, the company retains certain account and transaction data for up to seven years after account deletion — primarily for tax and legal compliance reasons. Seven years. Your Uber account from 2018 may still have a ghost on their servers.

What You Can Actually Do About It

Vague advice like "read the privacy policy" is useless. Here's what actually moves the needle.

Start with a data deletion request, not just account deletion. These are two different things. Most platforms bury a separate "delete my data" or "data erasure request" form somewhere in their privacy settings or legal pages. In regions covered by GDPR (Europe) or CCPA (California), companies are legally required to honor these requests within 30 days. Even if you're outside those regions, many companies apply the same process globally — it's easier than maintaining two systems.

Go here before you uninstall:

Find the app's privacy policy page and search for "delete," "erasure," or "data request"
Look for a dedicated form, not just an account deletion button
Screenshot the confirmation and save the date — companies sometimes ignore requests, and you may need to follow up

Check what data brokers already have. Services like DeleteMe or Optery scan hundreds of data broker databases for your personal information and submit removal requests on your behalf. This doesn't undo what apps have shared, but it limits how that data circulates further.

Revoke app permissions before deleting. On both iOS and Android, go to your phone's privacy settings and manually remove location, microphone, contacts, and photo access before you uninstall. Some SDK components embedded in apps can continue reporting device-level data through other installed apps that share the same advertising ID. Revoking first breaks that chain.

According to the Electronic Frontier Foundation's Surveillance Self-Defense guide, resetting your advertising ID periodically (available in iPhone settings under Privacy & Security → Tracking, and on Android under Privacy → Ads) is one of the most effective simple steps to disrupt cross-app tracking — even without deleting anything.

When This Actually Matters

You might be thinking: so what? I'm not doing anything wrong. Why does stale data from a food delivery app matter?

It matters most when something goes wrong. Data breaches don't care whether your account is active. If Postmates gets breached three years after you deleted your account, your email, phone number, home address, and payment history are still in the pool if you never submitted a deletion request. You're exposed for an app you haven't thought about since 2021.

It also matters when you change jobs, go through a divorce, or apply for insurance. Data brokers aggregate information from apps to build profiles that can affect your credit, your premiums, and increasingly, your employment background checks. The less of that data floating around, the smaller your attack surface.

The Honest Limitation

Even if you do everything right — submit the deletion request, reset your ad ID, revoke permissions — you cannot verify compliance. You have no way to audit a company's servers and confirm your data was actually purged. Some companies process requests correctly. Others treat them as low-priority support tickets. The legal frameworks that protect you rely on self-reporting and reactive enforcement, not independent audits.

You can make it harder for your data to be exploited. You cannot make it disappear with certainty.

Sources:

Apple App Store Review Guidelines
Uber Privacy Notice
EFF Surveillance Self-Defense

How To Secure Your WhatsApp From Being Taken Over

Someone Took Over My Friend's WhatsApp. Here's What She Missed.

She didn't click a suspicious link. She didn't download a shady app. One afternoon, her WhatsApp simply stopped working — and by the time she figured out what happened, someone had already messaged her entire contact list asking for money.

The attacker didn't need her password. They just needed a six-digit code she never should have shared.

The Attack You've Probably Never Heard Of

Here's how it works. When you install WhatsApp on a new phone, the app sends a one-time verification code to your phone number via SMS. Whoever enters that code first controls the account.

Attackers exploit this by calling you pretending to be a friend, a telecom employee, or even WhatsApp support. They tell you they accidentally sent a code to your number and ask you to read it back. The moment you do, they're in.

Your account moves to their device. You get logged out. They get your entire chat history, your contact list, and — if you haven't enabled disappearing messages — months or years of private conversations.

The Fix That Actually Matters

The single most effective thing you can do takes about 45 seconds.

Go to Settings → Account → Two-Step Verification and turn it on. WhatsApp will ask you to create a six-digit PIN. This PIN is separate from the SMS verification code — it's something only you know, stored nowhere but your memory (and optionally a recovery email).

Now, even if an attacker gets your SMS code, they still can't activate your account without this PIN. It's a second lock on the door.

Most people skip this because WhatsApp doesn't push you hard enough to set it up. That's a design failure on their part, not a user mistake. But right now, after reading this sentence, you should go set it up.

What Registration Lock Won't Save You From

Here's the counterintuitive part that almost every guide ignores: your WhatsApp account and your WhatsApp backup are two separate attack surfaces.

Locking your account with two-step verification protects you from someone hijacking your number. But if your chat backup lives in Google Drive or iCloud — which it does by default — an attacker who gets into your cloud account gets everything anyway.

According to WhatsApp's own support documentation, end-to-end encryption for cloud backups exists but must be manually enabled. It is not on by default.

Go to Settings → Chats → Chat Backup → End-to-End Encrypted Backup and enable it. You'll set a password or a 64-digit encryption key. Don't lose this — WhatsApp cannot recover it for you. But without this step, your private conversations are sitting in a cloud folder protected only by your Google or Apple account password.

The Linked Devices Trap

Most people don't realize WhatsApp lets you stay logged in on up to four devices simultaneously. This is convenient. It's also how someone can maintain persistent access to your account even after you've recovered it.

If your account has ever been compromised — or if you just want to check — go to Settings → Linked Devices. Look at the list. If you see a device you don't recognize, or one you haven't used in months, remove it immediately.

The scary version of this: an attacker who briefly accessed your account can link their browser or computer and then quietly read your messages for weeks. You'd never know unless you checked this screen.

Your SIM Card Is a Vulnerability Too

Phone numbers are the foundation WhatsApp is built on, and phone numbers can be stolen. This is called a SIM swap — an attacker convinces your mobile carrier to transfer your number to a new SIM card they control.

According to the U.S. Federal Trade Commission, SIM swapping is a documented form of identity theft that mobile carriers have struggled to prevent.

The best defense is to call your carrier and add a verbal PIN or passphrase to your account — something required before any changes can be made. This isn't foolproof, but it raises the bar significantly. If your carrier offers a "SIM lock" or "port freeze" feature, enable it.

Two-step verification in WhatsApp also provides a layer of protection here, because even if someone swaps your SIM, they still can't activate WhatsApp without your personal PIN.

The Social Engineering Script to Know

Attacks targeting WhatsApp almost always follow a predictable script. Someone contacts you — often impersonating a friend whose account has already been taken over — and says something like:

"Hey, I accidentally sent a WhatsApp code to your number instead of mine. Can you send it to me?"

The code they're asking about is not theirs. It's yours. Reading it to them is the entire attack.

No legitimate person, company, or service will ever ask you for a WhatsApp verification code. The moment someone asks, hang up or stop responding. It doesn't matter how convincing the story sounds.

According to Kaspersky's security research blog, this forwarding scam is one of the most common methods used to hijack accounts at scale, because it requires zero technical skill and works entirely on social pressure.

The Honest Caveat

Everything above will make your account significantly harder to compromise. But "harder" isn't the same as "impossible."

If someone has prolonged physical access to your unlocked phone, two-step verification doesn't help you. If your recovery email account gets compromised, your backup encryption key could be at risk. And if a sufficiently motivated, well-resourced attacker targets you specifically — not a bot running a mass scam, but a person with time and intent — the attack surface is always larger than any single article can cover.

This guide is about making you a harder target than most people around you. That matters, because the vast majority of account takeovers happen because of predictable, preventable mistakes — and the attacker moves on when they hit resistance.

Set the PIN. Encrypt the backup. Check your linked devices. Add a SIM lock.

Do those four things and you've already done more than 90% of WhatsApp users.

Sources:

WhatsApp Support — End-to-End Encrypted Backups
U.S. Federal Trade Commission — SIM Swap Scams
Kaspersky Blog — WhatsApp Account Hijacking

The Biggest Mistake People Make After Getting Phished

The Worst Thing You Can Do After Getting Phished (And Almost Everyone Does It)

Your coworker forwards you what looks like a routine IT email. Password reset required, click here, takes thirty seconds. You click it, type in your credentials, and nothing happens. The page just... sits there. You refresh, shrug, and move on with your day.

Three weeks later, your company's finance team gets a wire transfer request — supposedly from your account — for $47,000.

That gap between the click and the consequence is where the real damage happens. Not in the phishing email itself, but in the silence afterward.

The Mistake Isn't Clicking the Link

Here's the thing most people get wrong: they think the phishing email is the attack. It's not. The email is just a door. What happens after you walk through it determines how bad things actually get.

The biggest mistake — by a significant margin — is doing nothing. Not because people are careless, but because they genuinely don't know they've been phished until it's far too late. Or they suspect something felt off, feel embarrassed, and quietly hope the problem resolves itself.

It won't.

The Silence Window

When a criminal gets your credentials, they don't immediately ransack your account. They're patient. They log in quietly, look around, set up forwarding rules on your email so they receive copies of everything you send and receive. Then they wait — sometimes for weeks — learning your communication style, your contacts, your ongoing deals.

According to the IBM Security X-Force Threat Intelligence Index, the average time between a breach occurring and it being detected is measured in months, not days. That's months of an attacker sitting inside your digital life while you carry on completely unaware.

This is why the embarrassed silence is so catastrophic. Every day you don't report it is another day they're reading your emails and building a more convincing impersonation of you.

What You Should Actually Do in the First Hour

If your gut says something was wrong about that link you clicked — trust it. You don't need certainty to act. Here's a direct sequence:

First, don't touch the device. Stop what you're doing. If you're on a work computer, don't try to "fix" anything yourself. Don't run antivirus, don't delete files, don't clear your browser history. You could be destroying forensic evidence your IT team needs.

Second, call someone — out loud, on the phone. Not email. Not Slack. If the attacker already has access to your account, anything you type in those channels could be monitored. Pick up the phone and call your IT or security team directly.

Third, change your password from a different, clean device. Not the one you clicked the link on. Use your phone, or a colleague's computer. Change the password for the account you typed credentials into, and then change it for any other account that shares that password or email address.

That last step matters more than most people realize.

The Password Reuse Bomb

Here's the counterintuitive part that almost no article talks about honestly: the phishing site you landed on probably wasn't even after that specific account.

Attackers know that most people reuse passwords. So when they harvest your credentials from a fake Microsoft login page, they're not just trying to get into your Microsoft account. They're running those credentials through dozens of other services — your bank, your Amazon, your Gmail — in an automated process called credential stuffing.

According to the Verizon Data Breach Investigations Report, stolen credentials are involved in a significant majority of web application breaches. The phishing site is often just the collection point. The actual crime happens somewhere else entirely, using the same username and password you gave up without realizing it.

This is why "just change the hacked account's password" is dangerously incomplete advice. You need to treat every account that shares that password as compromised.

The Emotional Tax Nobody Talks About

Getting phished carries a shame that makes people handle it badly. There's a feeling — especially in professional settings — that admitting you clicked a suspicious link means admitting you're not smart enough to spot a scam.

But modern phishing attacks aren't the obvious Nigerian prince emails from fifteen years ago. They're cloned login pages with valid SSL certificates. They're text messages that know your name and your bank. They're emails that quote your actual recent transactions.

Anyone can get phished. The intelligence failure isn't clicking the link — it's the silence that follows.

If you manage a team and someone comes to you having just clicked a phishing link, your reaction in that moment will determine whether your company survives the next one. Because people who are punished for reporting mistakes will quietly bury the next incident until it's uncontrollable.

After the Immediate Crisis: What Sticks

Once you've done the urgent steps, there are two things worth setting up that genuinely reduce long-term damage:

The first is a password manager. Not because it makes you feel more secure, but because it makes password reuse physically impossible. You stop reusing passwords because you no longer need to remember them. One strong master password, everything else is random gibberish.

The second is hardware-based two-factor authentication where available — a physical key like a YubiKey. According to Google's own security research, physical security keys block 100% of automated phishing attacks in their studies, compared to SMS codes which can still be intercepted or socially engineered around.

These aren't dramatic transformations. They're boring infrastructure changes that quietly make you a much harder target.

The Honest Caveat

None of this guarantees you won't be phished again, or that acting quickly will prevent all damage. If an attacker had access to your account for even a few hours before you caught it, they may already have what they needed. A fast response reduces the blast radius — it doesn't always stop the explosion.

The uncomfortable truth is that much of your security depends on systems outside your control: whether your company stores your password in plain text, whether a site you trusted got breached without telling you, whether your bank catches the fraudulent transfer in time.

You can do everything right and still get hurt. Doing everything right just makes it less likely, and less bad when it happens.

That's the actual promise of good security habits. Not invincibility — just better odds.

Sources:

IBM Security X-Force Threat Intelligence Index
Verizon Data Breach Investigations Report
Google Security Blog — New Research: How Effective Is Basic Account Hygiene

What Hackers Do With Stolen Passwords In The First 60 Seconds

Your friend texts you at 2 AM: "Did you send me a weird link?" You didn't. By the time you see that message in the morning, the damage is already done — and it happened faster than you'd think possible.

Most people imagine hackers hunched over keyboards, slowly and deliberately cracking into accounts. The reality is almost the opposite. The moment your password lands in a criminal's hands, everything that follows is automated, fast, and completely indifferent to who you are.

The First Thing That Actually Happens

Here's what most articles skip: your password probably isn't tested against your account first.

The attacker feeds it into a tool that checks whether you've used that same password — or a close variation — on dozens of other sites simultaneously. This is called credential stuffing, and it runs at machine speed. We're talking thousands of login attempts per minute across Netflix, PayPal, Gmail, Amazon, bank portals, and whatever else sits in a pre-loaded target list.

According to Cloudflare, credential stuffing attacks are responsible for billions of login attempts every month, and they succeed precisely because most people reuse passwords. The attackers don't need to be clever. They just need you to have used "Summer2021!" on more than one site.

The 60-Second Window

Once a valid login is confirmed, the clock becomes critical — not for the attacker, but because of you. They need to act before you notice.

In that first minute, automated scripts do three things almost simultaneously:

Scrape your profile data — full name, phone number, address, any payment info stored in the account
Lock you out — change the recovery email and phone number so password resets go to them, not you
Pivot inward — check your inbox or account activity for clues about what else you own (other accounts, linked services, subscription confirmations)

The lockout step is the one that catches people off guard. You try to reset your password and realize the recovery email is now one you've never seen. At that point, proving you own the account is a customer service nightmare that can take days.

What They're Actually After

Here's the counterintuitive part: most of the time, they don't actually want your account.

They want what your account can get them. A hacked Gmail is valuable not because of your emails, but because it's the master key to everything else — you've used Google to log into dozens of services. A compromised Amazon account means a one-click purchase shipped to a reshipping address. A hijacked social media account gets sold to spam networks or used to scam your contacts, who trust the message because it appears to come from you.

According to Verizon's Data Breach Investigations Report, credentials are the single most common entry point in data breaches — used in over 80% of hacking-related incidents. The password itself is just the door. What's through the door is the actual prize.

The Market on the Other Side

Some stolen passwords don't get used immediately. They get sold.

There are markets — you don't need to know exactly where — where stolen credentials are traded in bulk. A fresh batch of verified logins to a popular streaming service might sell for less than a dollar per account. Financial account credentials go for more. The point is that your login might sit in someone's inventory for weeks before being activated.

This is why you sometimes hear about a breach and think, "nothing happened to me" — and then eight months later, something does. The delay isn't a glitch. It's the supply chain.

What You Should Actually Do Differently

The standard advice you've heard a hundred times — use a password manager, enable two-factor authentication — is correct but incomplete. Here's the more specific version:

On two-factor authentication: Not all 2FA is equal. An SMS code sent to your phone is better than nothing, but it can be intercepted through SIM-swapping attacks, where a fraudster convinces your carrier to transfer your number to their device. Use an authenticator app (Google Authenticator, Authy) or a hardware key if you're protecting anything sensitive. The inconvenience is real; so is the difference in protection.

On password managers: The fear people have — "what if the password manager gets hacked?" — is legitimate but misplaced. According to the Electronic Frontier Foundation, the risk of reusing weak passwords across many sites is statistically far greater than the risk of a well-designed password manager being compromised. You're trading a certain risk for a much smaller one.

On breach alerts: Go to haveibeenpwned.com right now and enter your email. It's free, it's run by a legitimate security researcher, and it will tell you exactly which known breaches your email appeared in. Set up alerts so you know within hours, not months.

The one thing most people don't do: After you change a compromised password, check every account that uses "Sign in with Google" or "Sign in with Facebook." Those linked accounts are invisible to most breach-checkers but very visible to attackers who've gotten into your primary account.

One Honest Limitation

None of this is foolproof, and it would be dishonest to pretend otherwise.

If your password is exposed through a breach at a company you trust — and that company doesn't tell you for six months, which happens more often than anyone admits — the automated tools described above have already run their course before you ever had a chance to respond.

You can do everything right and still get caught in someone else's failure. What the steps above actually do is reduce how much damage that failure causes, not eliminate the possibility of it happening. That's a frustrating answer, but it's the true one.

Sources:

Cloudflare — What Is Credential Stuffing
Verizon Data Breach Investigations Report
Electronic Frontier Foundation — Creating Strong Passwords

How To Tell If Your Webcam Has Been Hacked

Your Webcam Is Watching. But Is Someone Else?

A friend of mine — smart, careful, not the type to click sketchy links — noticed something odd one afternoon. The little green light next to her laptop camera flickered on while she was just reading a document. No video call. No browser open. Just her, a spreadsheet, and a light that had no business being on.

She assumed it was a glitch. It wasn't.

The Light Isn't the Whole Story

Most people think the indicator light is the definitive sign. If it's off, you're safe. This is wrong, and it's the most dangerous assumption you can make.

Some malware — particularly older RATs (Remote Access Trojans) — can disable the indicator light independently of the camera itself. According to Johns Hopkins researchers, this was demonstrated on MacBook cameras as far back as 2014, where firmware could be rewritten to activate the camera without triggering the LED. The hardware hasn't fundamentally changed in ways that eliminate this risk.

So if you're using the light as your only check, you're trusting a warning system that can be switched off by the same person trying to hide from you.

What Actually Happens When Someone Gets In

Webcam hacking isn't usually a dramatic heist. It's quiet and patient.

The most common path is a RAT installed through a phishing email, a fake software update, or a cracked app download. Once it's running, the attacker typically has access to far more than your camera — your files, your keystrokes, your microphone. The webcam is often just one tool in a larger surveillance setup.

The second path is less understood: misconfigured or compromised smart home cameras and baby monitors. These aren't your laptop — they're internet-connected devices that often ship with default passwords nobody changes. According to the FBI's Internet Crime Complaint Center, compromised IoT cameras are a consistent and growing vector for home surveillance intrusions.

Signs That Deserve Your Attention

Forget the generic list of "watch for unusual activity." Here's what actually matters:

The light flickers when nothing should be running. Open your Task Manager (Windows) or Activity Monitor (Mac). Look for processes you don't recognize consuming CPU or network bandwidth. A camera application running silently in the background will show up here.

Your storage is being eaten. Some RATs record footage locally before uploading. If your hard drive is filling faster than your usage explains, that's a flag — especially if temporary folders contain video files you never created.

Network traffic spikes at odd hours. You can check this with a free tool like GlassWire on Windows or Little Snitch on Mac. If data is being sent out at 3am when your computer should be idle, something is running that you didn't authorize.

Your antivirus was quietly disabled. This is the one most people miss. Before hijacking your camera, sophisticated malware will often kill your security software first. If you open your antivirus and it's off — and you didn't turn it off — treat that as a serious incident, not an error.

The Counterintuitive Part Nobody Tells You

Here's what most "webcam safety" articles won't say: physical tape works better than almost any software solution.

This sounds absurd, almost embarrassingly low-tech. But it's what security researchers actually use on their own machines. A small piece of electrical tape or a purpose-made webcam cover costs under two dollars and cannot be bypassed by any firmware exploit, any malware, or any zero-day vulnerability. It is, technically, unbreakable protection against visual surveillance.

Software-based camera controls can be circumvented. Physical obstruction cannot. Mark Zuckerberg famously had tape over his laptop camera in a 2016 photo — and that wasn't paranoia theater, it was correct operational security.

The software version of this — disabling the camera in Device Manager — is better than nothing, but a sufficiently privileged piece of malware can re-enable it without your knowledge.

What To Do Right Now

If you're uncertain whether your webcam is clean, start here:

Audit your running processes. On Windows, open Task Manager and look at the Processes tab. Search anything unfamiliar before you dismiss it. On Mac, use Activity Monitor and sort by CPU usage.
Run a dedicated malware scanner. Your regular antivirus may have already been compromised. Download Malwarebytes (the free version works for this) and run a full scan from a separate, trusted machine if possible.
Check camera permissions. On Windows, go to Settings → Privacy → Camera and see which apps have access. On Mac, go to System Settings → Privacy & Security → Camera. Revoke access for anything you don't actively use.
Change every password on a separate device. If you suspect an active compromise, do not change passwords on the infected machine — the keylogger will capture them as you type.
Cover it physically. Do this now, before you finish reading. A Post-it note works. You can buy a proper slider cover for a few dollars online. According to CISA (Cybersecurity and Infrastructure Security Agency), physical controls are among the most reliable mitigations for device-level surveillance risks.

The Part I Won't Pretend Away

Here's the honest limitation: if a sophisticated attacker — state-sponsored, well-resourced, specifically targeting you — has decided to compromise your system, most of what's in this article won't fully protect you. Advanced persistent threats operate at a level where they can hide from standard scanners, exploit unknown vulnerabilities, and persist through factory resets by embedding in firmware.

For the vast majority of people, this isn't the threat model. The realistic danger is commodity malware, opportunistic attackers, and misconfigured devices — all of which the steps above address effectively.

But if you're a journalist, activist, lawyer handling sensitive cases, or someone who has reason to believe a powerful entity is interested in you specifically, consumer-grade advice has real ceilings. At that point, you need dedicated threat modeling, not a checklist.

The tape still helps though. Even for them.

Sources:

Johns Hopkins University – iSeeYou: Disabling the MacBook Webcam Indicator LED
FBI Internet Crime Complaint Center (IC3) – Public Awareness
CISA – Securing Network Infrastructure Devices

Why Public USB Charging Ports Are A Security Trap

The Airport Outlet That Stole Someone's Life

A friend of mine — sharp guy, works in finance — spent three hours at O'Hare waiting for a delayed flight. His phone was at 8%. He spotted a charging kiosk near the gate, plugged in, and spent those three hours answering emails and scrolling. Normal Tuesday.

Two weeks later, his corporate email credentials showed up in a breach notification. The IT team traced it back to that window of time. He hadn't clicked anything suspicious. He hadn't downloaded anything. He just needed to charge his phone.

That story might sound extreme. It isn't.

What Actually Happens When You Plug In

Here's the thing most people don't know: a USB cable doesn't just carry power. It carries data too. That's the whole point of the standard — it was designed to do both simultaneously.

When you plug into a wall socket at home, you're connecting to a "dumb" charger that only pushes electricity. When you plug into a public USB port — at an airport, a hotel lobby, a coffee shop charging station — you have no way of knowing what's on the other end of that port.

It could be a normal charger. It could also be a small computer running software designed to talk to your phone the moment you connect.

The FBI's Denver field office actually warned about this publicly, recommending people avoid public USB ports entirely and use AC power outlets with their own adapters instead. That warning isn't theoretical — it reflects real investigative patterns.

"Juice Jacking" Is a Stupid Name for a Real Problem

The attack even has a name: juice jacking. Coined around 2011 by security researcher Brian Krebs, it describes exactly this scenario — a compromised charging port that uses the data channel in your USB connection to either pull files off your device or push malware onto it.

Your phone does have a defense. When you plug into an unfamiliar device, it usually asks: "Do you trust this computer?" Most people tap "Trust" without reading it. Some newer phones default to "charge only" mode, which helps. But that setting isn't universal, it can be overridden in certain conditions, and not every user has updated their phone recently enough to have it.

According to the Cybersecurity and Infrastructure Security Agency (CISA), attackers can load malware onto public charging stations that damages mobile devices or exports data and passwords directly — and victims often don't realize anything happened until well after the fact.

The delay is the dangerous part. You plug in, nothing seems wrong, you leave. Weeks later something surfaces and you have no idea where to start tracing it.

The Counterintuitive Part Nobody Talks About

Here's what most security articles skip: the threat isn't limited to sketchy kiosks in airports you've never heard of. Branded, professional-looking charging stations at major hotel chains, conference centers, and airports are exactly the high-value targets, because that's where high-value people charge their phones.

A cybercriminal who compromises the charging kiosk at a random gas station gets random people. One who compromises the kiosk in the business lounge of an international airport gets executives, lawyers, government employees, and journalists — people with credentials worth stealing.

The more legitimate and polished the charging setup looks, the more it might be worth targeting. Counterintuitive, but it follows the logic of where the money is.

What You Can Actually Do

The honest answer is simple, if slightly inconvenient:

Carry your own battery pack. A decent portable charger costs $25–40 and eliminates the problem entirely. You never need a public USB port if you're not starting at 8%.

Use AC outlets, not USB ports. Plug your own charging brick into a standard electrical outlet. The outlet delivers power; your brick handles the USB conversion. Nothing unknown touches your device's data channel.

Get a data-blocking USB adapter. These are small, cheap dongles — often called "USB condoms" by people who find that funny, and "data blockers" by people who have to order them on a corporate card. They physically cut the data pins in the USB connection and let only power through. According to Norton, using a charge-only cable or a USB data blocker is one of the most effective ways to neutralize this specific attack vector.

If you're buying one: look for brands like PortaPow or Privise. They're small enough to live on your keychain and cost less than a airport sandwich.

Turn your phone off before charging in public. Many juice jacking attacks require an active, unlocked device to work. A powered-off phone presents a much harder target.

What If You Already Plugged In?

If you've been using public USB ports for years and nothing obvious has happened, you're probably fine — but "probably" is doing real work in that sentence.

Go to your phone settings and revoke USB access permissions for any devices you don't recognize. On iPhone: Settings → General → Transfer or Reset iPhone → Reset → Reset Location & Privacy (this clears trusted computer permissions). On Android, it varies by manufacturer, but look for Developer Options → Revoke USB debugging authorizations.

Change passwords for anything sensitive you accessed during or shortly after the charging session. Not because you were definitely compromised, but because it costs you ten minutes and eliminates a real variable.

The Honest Limitation

None of this is foolproof. A sophisticated, state-level actor with access to your device's firmware can do things that a data blocker won't stop. If someone really wants what's on your phone and has the resources to pursue it, plugging into a wall outlet instead of a USB port isn't what saves you.

The realistic threat most people face is opportunistic — criminals who set up compromised ports and harvest whatever walks by. Against that, a $12 data blocker works. Against a targeted operation by a well-funded adversary, your best protection is not being interesting enough to target.

That's not a satisfying ending. But it's the accurate one.

Sources:

CISA
Norton – What Is Juice Jacking

The Most Dangerous Apps You Probably Have On Your Phone Right Now

A friend of mine — sharp guy, works in finance — handed me his phone once to show me something. I noticed he had a flashlight app. Not the built-in one. A third-party flashlight app he'd downloaded years ago and never thought twice about. That app had access to his microphone, his contacts, and his precise location. For a flashlight.

That's not a freak case. That's Tuesday.

The Problem Isn't the App You're Afraid Of

Most people worry about shady apps from unknown developers. The uncomfortable truth is that some of the riskiest apps on your phone are ones you use every day — apps you trust, apps with millions of downloads, apps made by companies with marketing budgets bigger than most countries' GDP.

Take free VPN apps. The whole pitch is privacy. You're protecting yourself. But According to the Australian government's cybersecurity center (ACSC), many free VPN providers log your activity and sell that data to third parties — the exact thing you were trying to prevent. You handed your entire browsing history to a company you know nothing about, in exchange for a false sense of security.

That's not irony. That's the business model.

The Apps Sitting in Your Drawer

You know that category of apps you downloaded once, used for a weekend trip or a single project, and then forgot about? Those are quietly dangerous in a way that gets almost no attention.

Old apps stop getting security updates. A vulnerability discovered in 2022 might still be sitting, unpatched, in an app you haven't opened since 2021. But the app still has permissions. It can still run in the background. It's a door you left unlocked in a house you forgot you owned.

Go check your phone's app list right now. If you see apps you haven't opened in six months, ask yourself: does this thing still have access to my camera? My files? My location? For most people, the answer is yes.

The Surprising One Nobody Talks About

Here's where it gets counterintuitive: your keyboard app might be the most invasive app on your phone, and it's one people almost never consider.

Third-party keyboards — the ones with extra themes, emoji packs, or swipe-to-type features — sit between you and everything you type. Every password. Every bank account number you've ever entered. Every private message. The keyboard processes it all before it goes anywhere else.

According to the Electronic Frontier Foundation (EFF), some third-party keyboards transmit keystrokes back to their servers, often to improve autocorrect but with no real limit on what gets collected. If you're using a keyboard made by a company you've never researched, you are trusting that company with the most sensitive data stream on your device.

Switch back to your phone's built-in keyboard. It's not exciting, but excitement isn't what you want from the thing logging everything you type.

Social Media Apps: The Obvious One, With a Twist

Yes, you already know social media apps collect a lot of data. But most people think of this as an abstract privacy concern — some algorithm learns you like hiking, you get hiking ads, fine, whatever.

The real risk is more concrete. Social media apps frequently request permissions they don't functionally need — access to your contacts, microphone, camera, and precise GPS location. According to Mozilla Foundation's Privacy Not Included guide, many apps share or sell this data with dozens of third-party brokers, and once it leaves the app, you have no visibility into where it goes.

That data can end up in background check sites, targeted phishing campaigns, or data broker databases that anyone can pay to access. You're not just feeding an algorithm. You're populating a profile that exists long after you delete the app.

What You Can Actually Do

None of this requires becoming a technical expert. Here's what moves the needle:

Start with a permission audit. On iPhone, go to Settings → Privacy & Security. On Android, go to Settings → Privacy → Permission Manager. Look at which apps have access to your microphone, camera, and location. Ask yourself if that access makes any sense. A recipe app with microphone access does not make sense.

Delete what you don't use. Not archive. Delete. The permissions go with it.

For VPNs, pay for one or use none. The business model of a free VPN is not charity. Mullvad and ProtonVPN are two that have passed independent audits. They cost a few dollars a month. That's the actual product.

Replace your third-party keyboard. This one simple switch closes a significant data exposure most people have never thought about.

Check app update history before downloading anything new. If an app hasn't been updated in over a year, the developer has likely abandoned it. An abandoned app is an unpatched app.

The Part Most Security Articles Skip

Here's what I want to be straight with you about: even if you do everything above, you're not fully protected.

The data that was already collected — before you read this, before you thought to check — is already out there. You can limit future exposure, but there's no retroactive delete button for data that's already been sold, shared, or breached. The best security writing often ends with a clean call to action, as if doing the right thing today erases yesterday. It doesn't.

What it does do is make tomorrow better. That's worth doing, even without the tidy ending.

Sources:

Australian Cyber Security Centre (ACSC)
Mozilla Foundation – Privacy Not Included