How to stay secure on Public Wi-Fi – iOS & Android
Free Wi-Fi is one of those things we’ve come to expect everywhere — coffee shops, airports, hotels, restaurants. And most of the time, we connect without giving it a second thought.
That habit is exactly what hackers count on.
Public Wi-Fi networks are one of the most common ways attackers intercept personal data, steal account credentials, and even install malware on phones. The risks are real, but they’re also easy to defend against once you understand what’s actually going on.
This guide breaks down the main threats on public Wi-Fi and walks you through how to protect yourself on both iPhone and Android.
What makes public Wi-Fi risky?
Most public Wi-Fi networks are poorly secured. Many cafes and restaurants set up their router years ago and haven’t touched the settings since. Some don’t even use encryption, meaning all data traveling across the network is essentially readable by anyone on it.
The other problem is that there’s no built-in way to verify that a network is what it claims to be. Your phone sees a network called “Airport Free WiFi” and connects. But is it the airport’s network? There’s no reliable way to tell.
In 2024, the FBI’s Internet Crime Complaint Center received over 859,000 complaints, with reported losses exceeding $16 billion. While not all of these stem from Wi-Fi attacks, it illustrates the scale of the broader threat landscape these attacks feed into.
The main threats on public Wi-Fi
“Man-in-the-middle attack” is often used as a catch-all term, but in practice there are several distinct attack types that happen on public networks, and understanding each one helps you make smarter decisions.
1. Passive eavesdropping
On unencrypted Wi-Fi networks, data is transmitted openly — and anyone connected to the same network can potentially read it.
Using freely available tools called packet sniffers, an attacker can capture the raw data flowing across a network without ever needing to interact with your device. If you’re browsing a site that uses HTTP (rather than HTTPS), the contents of those pages — and anything you type into them — can be read in plain text.
This is passive. The attacker isn’t doing anything to your connection — they’re just listening.
Pro Tip: Look for the padlock icon in your browser’s address bar, or “https://” at the start of a URL. That means the connection is encrypted and far harder to intercept. Avoid entering any personal information on sites that don’t use HTTPS.
2. Evil twin attacks
An evil twin is a fake Wi-Fi hotspot designed to look identical to a legitimate one.
An attacker sets up their own network with the exact same name as a real one — say, “CoffeeHouse_WiFi” — and your phone connects to it, often automatically. From that point, all of your internet traffic flows through the attacker’s device. They see everything.
Unlike simple eavesdropping, an effective evil twin attack can also involve disruption — attackers may forcibly disconnect users from the legitimate router, pushing them onto the fake one.
These attacks are more common than people realize, and they’re especially easy to pull off in busy, high-traffic locations. In September 2024, Wi-Fi services at 19 major UK train stations were suspended after a security incident where users were redirected to malicious web pages upon connecting.
3. Man-in-the-middle interception
Where eavesdropping is passive, a man-in-the-middle (MITM) attack is active. The attacker positions themselves between your device and the internet, relaying your traffic while simultaneously reading — and potentially altering — it.
This can happen on a compromised network or via an evil twin. The attacker isn’t just watching. They can redirect you to a fake banking page, swap out download links for malicious files, or inject content into the pages you visit — all while your browser behaves completely normally.
4. Session hijacking
When you log into a website, your browser stores a session token — a small piece of data that keeps you logged in so you don’t have to re-enter your password on every page.
On an unsecured network, those session tokens can be intercepted. An attacker who captures your session cookie can replay it to access your account — without ever knowing your password. Your email, social media, and other accounts can all be at risk this way.
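For site operators, whether a session cookie can be captured this way depends largely on the attributes it was issued with. The audit below is an added example, not part of the original article; the header values are constructed and the function name `audit_cookies` is hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values from a login response; not from a real site.
SAMPLE_SET_COOKIE = [
    "sessionid=7f3a9c; Path=/; HttpOnly",
    "__Host-auth=b81e44; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=51d0; Path=/; Secure",
]


def audit_cookies(set_cookie_values):
    """Map each cookie name to the weaknesses that matter on a hostile network."""
    report = {}
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            issues = []
            # Without Secure, the browser also attaches the cookie to plain
            # HTTP requests, where anyone on the same network can read it.
            if not morsel["secure"]:
                issues.append("sent over plain HTTP")
            # Without HttpOnly, script injected into a page can read the cookie.
            if not morsel["httponly"]:
                issues.append("readable by page script")
            report[name] = issues
    return report


if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(cookie, "->", problems or "ok")
```

A cookie with an empty issue list is only ever sent over HTTPS and is hidden from page scripts, which closes the interception path described in this section.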
5. Malware distribution
Public networks can also be used to push malware onto connected devices — typically through fake software update prompts, malicious pop-ups, or infected files. If a network has been compromised, attackers can sometimes inject malicious code into unencrypted downloads or redirect you to sites that attempt to install software on your phone.
How to protect yourself
The good news is that a few straightforward habits dramatically reduce your exposure to all of the above.
Verify the network before you connect
Before joining any public network, ask a member of staff for the exact name. Don’t assume the strongest signal or most plausible-sounding network is the right one. Evil twin networks often have near-identical names — “CafeGuest” vs. “Cafe_Guest” — so it’s worth confirming.
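The same check can be automated once staff have confirmed the network name and whether it needs a password. This is an added example, not part of the original article; the scan results are constructed, and the tuple layout and the function names `normalize` and `review_scan` are assumptions.

```python
import re
import unicodedata

# Constructed scan results as (SSID, BSSID, security); not from a real network.
SAMPLE_SCAN = [
    ("CafeGuest", "3c:84:6a:10:22:01", "WPA2"),
    ("Cafe_Guest", "02:1a:11:f0:9c:5e", "Open"),
    ("CafeGuest", "02:1a:11:f0:9c:5f", "Open"),
    ("CafeGuest", "3c:84:6a:10:22:02", "WPA2"),
    ("Library-Public", "a4:2b:b0:77:31:c8", "WPA2"),
]


def normalize(ssid):
    """Fold case, Unicode compatibility forms and separators so lookalikes compare equal."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return re.sub(r"[\s_\-.]+", "", folded)


def review_scan(confirmed_ssid, confirmed_security, scan):
    """Return (ssid, bssid, reason) for each entry that imitates the confirmed network."""
    findings = []
    target = normalize(confirmed_ssid)
    for ssid, bssid, security in scan:
        if normalize(ssid) != target:
            continue  # unrelated network
        if ssid != confirmed_ssid:
            findings.append((ssid, bssid, "lookalike name"))
        elif security != confirmed_security:
            # Exact name match but, for example, open instead of WPA2.
            findings.append((ssid, bssid, "same name, different security"))
    return findings


if __name__ == "__main__":
    for finding in review_scan("CafeGuest", "WPA2", SAMPLE_SCAN):
        print(finding)
```

A twin that copies both the name and the security type passes this check, so it complements the other protections in this guide rather than replacing them.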
Turn off Auto-Join for public networks
Your phone remembers every network it’s ever connected to and will rejoin automatically. That’s convenient at home, but dangerous in public — your phone could silently connect to a malicious network without you realizing.
On iPhone: Go to Settings > Wi-Fi, tap the ⓘ icon next to any public network you’ve previously joined, and toggle Auto-Join off.

Fig 1. Turning off Auto-Join on iOS.
On Android: Go to Settings > Connections > Wi-Fi. Tap the gear icon next to a saved public network and turn off the auto-reconnect option. (The exact label varies depending on your phone’s manufacturer.)

Fig 2. Turning off Auto reconnect on Android.
Use a VPN
A VPN (Virtual Private Network) encrypts all data between your phone and the VPN provider’s server, so even if someone on the Wi-Fi network intercepts your traffic, they can’t read it. It’s the most effective single protection against eavesdropping and MITM attacks on public Wi-Fi.
If you’re an Android user, Certo Antispy includes a built-in secure VPN — along with real-time threat protection, spyware detection, and dark web monitoring. It’s a clean, ad-free package that covers you well beyond just Wi-Fi.
For iPhone, the free Certo Mobile Security app can analyze Wi-Fi networks for potential threats and run a broader security check on your device settings.
Pro Tip: Avoid free VPN services. Many log your data or sell it to third parties — which defeats the purpose entirely. Use a reputable paid service, or one bundled with a trusted security app.
Stick to HTTPS and avoid sensitive tasks
Even without a VPN, sticking exclusively to HTTPS sites keeps most of your browsing encrypted. Check for the padlock in your browser address bar before entering anything sensitive.
As a rule: avoid logging into your bank, entering payment details, or accessing sensitive accounts on public Wi-Fi. If you have to, use your phone’s mobile hotspot instead.
Switch to mobile data
When a task genuinely can’t wait and you don’t trust the network you’re on, simply turn off Wi-Fi and use your cellular connection instead. Mobile data doesn’t route through a shared public network, so the eavesdropping and interception risks described above don’t apply.
It uses your data allowance, but for anything sensitive — banking, payments, logging into accounts — it’s the safer choice.
Keep your phone updated
Both Apple and Google regularly release security updates that patch vulnerabilities attackers can exploit. Running an outdated OS version leaves known weaknesses open. Make sure automatic updates are turned on so you’re always running the latest version your device supports.

Fig 3. Updating an iOS and an Android phone.
Wrapping Up
Public Wi-Fi doesn’t have to be avoided entirely — but it does need a bit of healthy skepticism. Confirm the network name before you connect, turn off auto-join on networks you don’t control, and switch to mobile data for anything sensitive. Those habits alone put you well ahead of most people sharing that coffee shop connection with you.
It’s also worth doing a periodic security check on your device. The Certo app for both iPhone and Android lets you scan for vulnerabilities and review your settings — a useful baseline to come back to, especially if you connect to public networks regularly.
The threats are real, but none of them are inevitable. A little awareness goes a long way.
FAQs
Is it safe to use public Wi-Fi for browsing?
General browsing on HTTPS sites carries relatively low risk. The bigger dangers come from logging into accounts, entering payment details, or downloading files. Using a VPN reduces risk significantly for all of these.
Can my phone be hacked just from connecting to a Wi-Fi network?
Simply connecting to a network doesn’t automatically compromise your phone, but it does expose you to the risks described above. Modern iPhones and Android phones have protections built in, but they’re not a complete defense against all Wi-Fi-based attacks — especially on unencrypted or compromised networks.
How do I know if a Wi-Fi network is encrypted?
On iPhone and Android, password-protected networks are generally encrypted. Open networks (those with no password required) are typically unencrypted. That said, even a password doesn’t guarantee the network is secure — it just means it’s harder to join.