April 28, 2025, Cupertino, California – Apple has issued a stark warning to iPhone users, urging them to delete Google Chrome due to significant privacy risks associated with the popular browser. The alert, which highlights Chrome’s tracking practices, comes amid growing tensions between Apple and Google over user data, spotlighting a broader debate about privacy in the tech industry. As consumers become increasingly aware of how their data is handled, Apple’s move could reshape how iPhone users approach online browsing.

According to NY Post, Apple’s warning stems from Chrome’s reliance on third-party cookies, which Google recently decided to retain despite earlier promises to phase them out. These cookies enable advertisers to track users across the web, collecting data on browsing habits, search history, and more. Apple’s advisory specifically targets iPhone users, noting that Chrome’s settings on iOS do not allow users to disable these cookies, leaving them vulnerable to invasive tracking. This issue is particularly concerning given the rise of AI-driven privacy concerns, as companies increasingly use advanced technologies to collect and analyze user data.

Apple has long positioned itself as a champion of user privacy, often contrasting its approach with Google’s ad-driven business model. Forbes reports that Apple’s latest campaign includes a series of videos mimicking Alfred Hitchcock’s The Birds, depicting trackers as birds spying on users. The campaign, titled Flock, is a direct jab at Google’s initial tracking cookie replacement plan, Federated Learning of Cohorts (FLoC), which Apple mocked for its privacy shortcomings. Apple’s message is clear: iPhone users should switch to Safari, which offers more robust privacy controls, including the ability to block third-party cookies by default. This warning comes at a time when privacy features are becoming a key differentiator, as seen with WhatsApp’s advanced privacy controls that block screenshots and exports to protect user data.

The privacy risks associated with Chrome are not new, but Apple’s alert underscores their severity on iOS devices. AL.com notes that Google’s decision to maintain third-party cookies affects Chrome’s 3 billion users, including an estimated 400 million iPhone users. Unlike Android, where users can disable tracking cookies, Chrome on iOS automatically enables them, and disabling them requires clearing cookies entirely—a process that signs users out of websites and deletes saved preferences. This lack of control has fueled Apple’s criticism, especially as Google aims to convert more iPhone users from Safari to Chrome to bolster its search dominance, a strategy that could be disrupted by TikTok’s potential ban and its impact on digital advertising.

What iPhone Users Can Do

Here’s a breakdown of the situation and user options:

• Privacy Risk: Chrome on iOS enables third-party cookies by default, with no option to disable them without clearing all cookies.
• Apple’s Recommendation: Switch to Safari, which blocks third-party cookies and offers enhanced privacy features.
• Alternative Option: Use Chrome’s Incognito Mode, which offers better privacy but comes with trade-offs in functionality.
• Broader Context: The warning reflects ongoing tensions between Apple and Google over user data and privacy practices.

Apple’s warning also highlights the broader implications of in-app browser security risks, a topic that has gained attention in recent years. Colitco points out that Chrome’s tracking practices are part of a larger issue with in-app browsers, which can monitor user activity even within apps like Instagram and Facebook. This aligns with Apple’s App Tracking Transparency (ATT) feature, introduced in 2021, which requires apps to seek permission before tracking users across different platforms. However, ATT does not fully address tracking within in-app browsers, leaving a gap that Chrome exploits on iOS. For users concerned about digital safety, exploring AI-driven privacy solutions could provide additional context on how companies are addressing these challenges.

The tech industry is at a crossroads when it comes to privacy, with Apple and Google representing two opposing philosophies. Apple’s focus on user control and data minimization contrasts sharply with Google’s ad-driven model, which relies on extensive data collection to fuel its advertising business. This clash has been evident in other areas, such as Google’s Veo 2 rollout, which raised questions about data usage in AI-generated content. As privacy becomes a top priority for consumers, Apple’s warning could push more iPhone users to reconsider their browser choices, potentially shifting the balance in the ongoing browser wars.

For iPhone users, the decision to delete Chrome may depend on their priorities. Safari offers a more privacy-focused experience, but Chrome’s integration with Google services like Gmail and Drive remains a draw for many. Those who choose to keep Chrome can mitigate risks by using Incognito Mode or regularly clearing cookies, though these solutions are far from ideal. As the debate over privacy continues, Apple’s warning serves as a reminder of the importance of understanding how apps and browsers handle personal data. What’s your take on Apple’s alert? Are you switching to Safari, or sticking with Chrome? Share your thoughts in the comments, and let’s discuss the future of online privacy.

A new phishing campaign is leveraging Google’s own systems to dispatch ultra‑convincing scam emails from genuine “[email protected]” addresses. Security experts warn this technique could ensnare millions of Gmail users before filters catch on.

Google first acknowledged the flaw in mid‑April after multiple reports surfaced of fraudulent messages masquerading as subpoena notices. The attack’s sophistication lies in its exploitation of Google’s OAuth framework and DomainKeys Identified Mail (DKIM) — allowing malicious emails to pass authentication checks that normally mark spoofed mail as spam.

Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more. Here’s the email I got: pic.twitter.com/tScmxj3um6

— nick.eth (@nicksdjohnson) April 16, 2025

Why It Matters:
With over 2 billion active Gmail accounts, a successful breach of trust in Google’s email infrastructure represents one of the largest‑scale phishing threats in recent memory. The campaign illustrates how attackers are escalating beyond basic spoofing to weaponize trusted platforms.

In the most prevalent variant, recipients receive an email seemingly from Google saying their account is under legal scrutiny, complete with a fake court case number and a link to review documents. Clicking the link takes victims to a counterfeit login page hosted on Google Sites, where credentials and two‑factor tokens can be harvested. According to a 9to5Mac security alert, the attackers created a malicious OAuth app that signs outgoing mail with Google’s own DKIM signature, bypassing spam filters altogether.

Several early victims described the email as indistinguishable from genuine Google correspondence. “It even used the correct Google logo and footer,” one cybersecurity researcher told Forbes, underscoring how the scam’s professional polish left users with little reason to doubt its veracity.

How the Scam Evades Defenses

To execute the scheme, attackers register an app through Google’s OAuth developer console. They configure it to send messages from a “[email protected]” address and to request only minimal permissions — just enough to harvest the user’s email and basic profile data. Once a user consents (often without reading the fine print), the app gains tokenized access to send mail on their behalf.

Next, the phishers make use of DKIM authentication, which cryptographically signs outbound mail with Google’s private key. Because the signature matches Google’s published DNS record, anti‑spoofing checks pass and the message lands in the inbox rather than the spam folder.

Worst of all, the landing page URL begins with a legitimate “sites.google.com” domain. Victims who hover over the link see “google.com” and rarely suspect the page’s true intent. Once credentials are entered, attackers can log in to the real Gmail account and install malware, exfiltrate data, or pivot to other internal systems.

Google’s Mitigation Efforts

By late April, Google deployed patches to tighten OAuth app verification and began grandfathering in stricter enforcement of its DMARC policy. A company spokesperson told Newsweek that the loophole “no longer allows unauthorized apps to spoof Google’s no‑reply address” and that “users who have not yet been targeted are automatically protected.”

Google also issued a blog post advising all Gmail users to:

• Enable Two‑Factor Authentication (2FA). Accounts using SMS or auth‑app codes are significantly harder to hijack.

• Use Passkeys. Passkeys replace passwords entirely and are immune to credential‑phishing.

• Review Connected Apps. In Gmail’s security settings, users should revoke any unfamiliar OAuth apps.

Despite these measures, experts warn that variations of the scam could emerge. “We’ve seen threat actors pivot to invite‑based sharing links and even abuse Google Forms,” said the lead analyst at a major security firm.

Broader Implications for Email Security

This incident highlights a troubling trend: attackers are moving from simple display‑name spoofing into deeper technical manipulations of trust frameworks. Last year’s surge in AI‑generated phishing made generic scams easier to craft; now, criminals are weaponizing legitimate developer tools against users.

Organizations must therefore rethink perimeter defenses. Briskfeeds recently published a report on corporate email security that recommends advanced solutions, such as:

• OAuth Anomaly Detection. Flagging apps that request minimal yet suspicious permissions.

• Zero‑Trust Email Gateways. Inspecting inbound mail even if it passes DKIM/DMARC.

• User Education Campaigns. Simulated phishing drills to train employees on spotting unconventional threats.

What Users Should Do Now

Even with Google’s patch, vigilance remains crucial:

1. Verify Unusual Requests. If an email demands urgent action—like reviewing subpoena documents—contact Google support directly rather than clicking links.

2. Check the App Permissions Page. Navigate to Gmail’s Settings → Security → Third‑Party Apps to revoke dubious entries.

3. Keep Software Updated. Ensure your browser and OS have the latest security fixes to block drive‑by downloads.

4. Report Phishing Attempts. Use Gmail’s “Report phishing” feature to help improve Google’s filters.

Conclusion

As phishing tactics evolve, the line between legitimate and malicious email continues to blur. This latest campaign underscores the need for layered defenses, from technical controls to user awareness. For a deeper dive into enterprise‑grade email protections, see our Briskfeeds report on corporate email security. Stay informed—your inbox depends on it.