Security considerations for updating Apple products over public internet connections

Consider the following situation: > You want to update your Mac, iPhone, and/or iPad to the latest software, kernel, and firmware version using Software Update. However, the only internet connection that you have access to is a *public, unencrypted (open) WiFi network*. You do not have a physical copy of the software update (i.e., on a disk, etc.) that you can use to update your device. **I'm wondering if there's any risk that my connection could be MITM-ed, intercepted, or otherwise attacked so that a malicious actor could download and install an unauthentic operating system, kernel, and/or firmware image to my device.** In addition to the above scenario: 1. **What if the WiFi connection is encrypted but untrusted?** For example, what if you are using a café WiFi network that is encrypted with WPA, but the password for that network is posted on the café's website? What if the WiFi network has a password of 1234567890 or something that could be easily guessed by an attacker? *Is there any difference in the security of updating software over a completely open WiFi network and one that is encrypted but untrusted?* 2. **Does using a VPN make the update more secure?** Does Software Update connect to Apple servers over a VPN configured through an app? If so, does this help ensure that the connection to the software update server cannot be intercepted and that the content of the update cannot be changed? 3. **Is it safer to update an iPhone or iPad by wiring it via USB to a Mac? Does it make a difference if that Mac is connected to the Internet via a VPN?** The [Apple website](https://support.apple.com/en-us/guide/security/secf683e0b36/web) mentions that "[f]or greater software update security, when the device to be upgraded is physically connected to a Mac, a full copy of iOS or iPadOS is downloaded and installed," but it is not clear why this makes the update more secure. Are over-the-air updates (where "only the components required to complete an update are downloaded") less secure and/or not cryptographically signed? If there's anything else that you think may be helpful, please feel free to include it in your answer.