• Rapid Security Response can patch your iPhone or Mac without a full update. 
  • It’s on by default in iOS 16. 
  • RSR is less secure than a proper OSD update, but it’s also faster at patching new vulnerabilities.

An iPhone with the Apple update logo on the screen sitting on a MacBook computer.

There's one new feature in Apple's iOS 16 which you probably haven't heard of, but that will make a huge difference to your security. 

It’s called Rapid Security Response (RSR), and it allows Apple to quickly patch security holes on-the-fly. Unlike regular iOS software and security updates, RSR doesn’t require a reboot after installation, which further lowers the barrier to keeping you as safe as possible, as soon as possible. But it’s not all upside. RSRs are relatively untested in the wild and not as secure as baking them into operating system updates. And they are also removable. 

“The big danger is that, because these patches are built and distributed quickly, they won’t get tested as thoroughly,” Dr. Howard Oakley, a Mac expert, told Lifewire via email. “So they could cause more problems with compatibility, hence the importance of users being able to remove them if they wish.”

Rapid Security Response

When Apple discovers a vulnerability in iOS or macOS, it has to push out an entire OS update to patch it, which is a pain for the user. First, they may not update at all. Then, even if they have automatic updates enabled in settings, the updates can take several days and sometimes longer to arrive. 

And even if you are on top of all this, the fact that you have to restart and let the installer run might make you put it off. RSRs fix this by allowing hot-patching of the OS without a restart. These patches can also be smaller, making the downloads quicker. The upshot is that you are protected as soon as possible without having to do anything. 

Closeup of someone holding an iPhone with the SRS update option turned on.

However, there are two downsides. One is that these patches are not fully integrated and can theoretically be futzed with or removed by malicious actors. The other is that those malicious actors could possibly install their own RSR patches if they work out how it's done. 

“Great move. I have friends and relatives that don’t update iOS very often, and [they] have missed out on lots of security patches. Wish we had this feature years ago, but better late than never,” said Mac user and expert Roncron on the MacRumors forums. 

To see how this works, we must dig into what makes Apple's operating systems so secure. 

All the Way Down

In the bad old days, system files were just files that sat in folders on your computer. You might need to enter your password to move, delete, or modify them, but with a password, malware—or a hacker—could modify your computer, and you would never know. 

Now, Apple uses something called a signed system volume, or SSV. When you install an OS update, your Mac (or iPhone) calculates a unique key (called a hash) for every file it installs. These are grouped, and each new group gets its own hash, and so on. 

Eventually, like traveling back along the branches of a tree, you get to a single hash calculated from all those below it. That is the “seal.” This seal can be compared to Apple’s master seal for that version of iOS or macOS, and if it doesn’t match, your Mac knows it has been compromised. The whole setup makes it impossible to modify the system. If it is, your computer won’t boot. 

Closeup on someone holding a smartphone that is updating.

"Basically, making any change to the SSV is bulky, time-consuming, space-hungry, and requires a reboot. That's the way that it should be, so it's also hard for malicious software," says Oakley. "What Apple has engineered in RSRs is a mechanism for doing this without touching the SSV itself. Provided it proves secure, it's a huge improvement and ideal for distributing patches in between macOS updates and security updates."

RSR patches exist outside this tree of cryptographic hashes and are therefore less secure. But in practice, we still don't know if they are actually less secure. After all, if these RSR updates fix known vulnerabilities, then they also make your computer more secure at the same time. 

And these quick-fix updates should also end up as a part of the subsequent full OS update, where they will be properly integrated into that tree of trust. This is good news for us, the users, especially as we don't have to do anything. The new RSR feature is enabled by default, which is kind of the point. It's yet another reason to update to iOS 16 and macOS Ventura as soon as possible.

Source