Public WiFi Warning Issued For All iPhone And Android Users

Be careful how you connect.
There’s no subject guaranteed to rile cybersecurity experts more than public WiFi security — not even the mythological horrors of juice jacking. Any suggestion users should beware connecting to one of the tens of millions of airport, hotel, mall and coffee shop hotspots will always spawn a tirade of sarcastic posts on social media.
But sometimes the threat is real. Your devices can become “serious liabilities,” the security team at Zimperium has just warned, “especially during travel, when vigilance is low, free public-WiFi are everywhere, and attackers know exactly how to strike.”
Let’s be very clear. Public WiFi is broadly fine, as long as the network is real, you are using encrypted apps or websites, and you don’t download any software or overshare any information with the captive portal that pops up asking you to connect.
The FTC says as much: “Because of the widespread use of encryption, connecting through a public Wi-Fi network is usually safe.”
But even government advice is divisive on this subject, and TSA has a different message: “Don’t use free public WiFi, especially if you’re planning to make any online purchases. Do not ever enter any sensitive info while using unsecure WiFi.”
Zimperium says there have been “over 5 Million Public Unsecured Global Wi-Fi networks found since beginning of 2025, with 33% of users connecting to public unsecured networks.” And that “during travel, these risks multiply.”
Its warning is aimed at enterprises whose employees will be taking summer vacations with devices that connect to corporate email and other IT systems. “Airports, hotels, ride-share hubs, and cafés all offer rich hunting grounds for attackers.”
Zimperium says “employees, often multitasking or in a hurry, are far more likely to click, install, or connect without thinking twice.” The researchers list four types of attack that users should beware, even as they continue to connect on the go:
- Man-in-the-Middle Attacks, where public WiFi networks are spoofed with “rogue hotspots to intercept data, inject malware, or steal credentials.”
- “Fake boarding passes, hotel confirmations, or itinerary changes sent via SMS or PDF can trick users into entering credentials or downloading malware.”
- Sideloaded apps targeting travelers, such as “language tools, transportation apps, or entertainment,” which play on the need for localized, immediate information.
- Captive portals that “request email addresses, phone numbers, or even social logins can be spoofed or compromised, enabling attackers to harvest personal or corporate data and use it for future phishing or credential-stuffing attacks.”
Attacks are especially prevalent overseas, but Zimperium also warns that “major U.S. cities like Los Angeles, New York, Portland, Miami, and Seattle are seeing increased mobile malware activity—particularly during peak travel months.”
Staying safe is fairly straightforward — follow these five golden rules:
- Disable auto-connection on your phone for public or unknown WiFi networks.
- Do not download any software or provide any data other than an email address into a captive portal that gate-keeps your access to a WiFi network.
- Ensure that all website connections are encrypted — check for the padlock, and do not enter any sign-in information into an unexpected popup on your device.
- Check the WiFi network identifier carefully before joining — if it’s a hotel, airport or mall, or even a coffee shop, be sure it’s the official network for the location.
- VPNs do make you more secure — but only reputable, paid VPNs from blue-chip developers. A free VPN or a Chinese VPN is more dangerous than no VPN at all.
You should also avoid installing apps from outside official stores and ensure your OS is up to date with the latest security patches. If you’re running one of the billion phones with an OS no longer eligible for these updates, you should go get an upgrade.
“Whether you’re heading to Southeast Asia or a European business hub,” Zimperium says, “mobile malware doesn’t discriminate by location—but it thrives on opportunity. And summer travel creates plenty of it.”