Apple has released its first-ever update with background security improvements for iPhone, called iOS 26.3.1 (a), along with corresponding updates for iPad and Mac. It’s designed to address vulnerabilities in the iPhone, but the way it appears on the iPhone is different from the standard software version. Here’s how to find and install it.
More from ForbesApple iPhone 18 Pro prices detailed in new reportDavid Phelan
The evolution of “silent” security patches
Three years ago, Apple adopted a different emergency update process for security priorities, called Rapid Security Response. These have been retired and earlier this year Apple established the framework for BSI updates.
Which iPhones can run iOS 26.3.1 (a)?
While this is a novel launch method, it applies to all iPhones starting with iPhone 11, that is, all iPhones released from 2019 to the present. These include second- and third-generation iPhone SE phones. All members of the iPhone 17 series are also supported, as well as the iPhone Air.
How to download and install iOS 26.3.1 (1)
Crucially, this update is not in the same location as where you find regular updates. Open the Settings app on your iPhone and scroll down to Privacy & Security. At the bottom you’ll see background security improvements. Clicking this button has an automatic installation option. However, this isn’t always the fastest way for it to arrive. If a new BSI is available, you can choose to download it. On my iPhone 17 Pro Max. Download and installation are fast – less than 5 minutes total.
Note that unlike regular updates, once installed, you can remove it. To do this, click on the “i” to the right of BSI and an option will appear to delete it and restart your phone.
iOS 26.3.1 (a) — Publishing content
Apple said in a support page that the BSI is designed to resolve issues in WebKit, an open source browser engine that displays Web content in applications.
The issue, numbered CVE-2026-20643, is a “cross-origin” flaw in the Navigation API. It handles maliciously crafted web content that could allow attackers to bypass the Same Origin Policy and potentially access sensitive data from other open tabs. This update has addressed the issue with what Apple calls “improved input validation.” Since WebKit powers Safari and in-app browsers, this is considered an emergency fix for all users.
More from ForbesIf your iPhone is on this list, upgrade now—liquid glass ‘won’t go away’David Phelan
