Background Security Improvements in Apple operating systems
Background Security Improvements are supported and enabled for future releases starting with iOS 26.1, iPadOS 26.1, and macOS 26.1. This enables rapid delivery of ongoing and regular lightweight security releases between software updates for components such as the Safari browser, WebKit framework stack, and other system libraries that benefit from smaller, ongoing security patches. In rare instances of compatibility issues, Background Security Improvements may be temporarily removed and then enhanced in a subsequent software update.
Background Security Improvement security content is published in the Apple Support article Apple security releases.
Background Security Improvements differ from software updates in the following ways:
On devices with macOS, Safari security improvements delivered through a Background Security Improvement become active as soon as Safari is relaunched, even before the whole operating system restarts.
Background Security Improvements are activated instantly upon restart; the system volume doesn’t need to be cryptographically resealed, and therefore the device doesn’t need to cycle through a RAM disk.
Background Security Improvements require a much lower battery state of charge than is required to install a software update.
A Background Security Improvement can be removed, which reverts the device to the baseline software update state with no Background Security Improvements applied.
A Background Security Improvement can be reapplied after removal.
The system volume in iOS, iPadOS, and macOS has been reorganized to support Background Security Improvements. Content that can be patched using the Background Security Improvement mechanism has been moved into cryptexes, which are optimized, cryptographically sealed disk images that reside on the preboot volume alongside other boot firmware. Cryptexes have different subtypes for operating system framework components and apps, and they can be updated by applying a binary patch to their backing disk image file.
Cryptex content is bootstrapped after the kernel has booted. The measurements of the cryptexes, their file system seals, and their associated trust caches are all represented in a separate Image4 ticket, which is cryptographically bound to the device on which it resides. When a Background Security Improvement is being applied, the device sends a request to Apple’s trusted signing service to obtain a corresponding Cryptex1Image4 manifest; the existing AP boot ticket isn’t updated.
On devices with macOS, a Background Security Improvement may offer the user the option to apply the changes in the Background Security Improvement to the Safari web browser by quitting and relaunching it. After Safari has been relaunched, it uses the framework and library content from the new cryptexes. The rest of the operating system remains unaffected and doesn’t make use of the new content until the system restarts.
Removing Background Security Improvements
Background Security Improvements are intended to be removable in case a critical regression associated with the Background Security Improvement is discovered. Users can also elect to remove all Background Security Improvements currently applied on their device. In addition, in the rare event that a Background Security Improvement affects software compatibility or quality, Apple may remove the most recently applied Background Security Improvement from users’ devices using the Automatic Software Update mechanism. To facilitate removal, Background Security Improvements ship both a patch and an antipatch to the device.
If the user removes Background Security Improvements, the removal action removes all currently installed Background Security Improvements (returning all cryptexes to their base state) and returns patched system binaries to the version from the last installed software update. The user must restart the device to complete Background Security Improvement removal. For more information, see the Apple Support article If you need to remove a Background Security Improvement.
Removal recommendations
If Apple observes that a Background Security Improvement is contributing to a potentially higher rate of application crashes, the identities of the affected applications are published by a service that devices regularly query. Devices having that Background Security Improvement installed then use an on-device analytics system to see whether one of the affected applications has crashed significantly more often after installing the Background Security Improvement. If the user encounters such a crash, the operating system lets them know the Background Security Improvement may be contributing to the issue, and the user is offered the opportunity to remove all Background Security Improvements and restore the device to its last software update.
Analytics related to removal recommendations (for example, the app that triggered the recommendation or the fact that the recommendation was displayed) are sent to Apple only if the user has agreed to share this information using the following settings:
iPad: Settings > Privacy & Security > Analytics & Improvements > Share iPad Analytics
iPhone: Settings > Privacy & Security > Analytics & Improvements > Share iPhone & Watch Analytics
Mac: Settings > Privacy & Security > Analytics & Improvements > Share Mac Analytics