Apple pushes critical WebKit patch
Apple released an emergency security update, iOS 26.3.1 (a), to fix a major WebKit vulnerability that affects iPhone, iPad and Mac. It is a reminder that OS patches can directly affect HealthKit integrations and app security: developers should treat API compatibility and user prompts about OS updates as product-level features, not just ops work. (newsweek.com) (thecyberexpress.com)
Apple shipped the first Background Security Improvement (BSI), labeled iOS 26.3.1 (a), on March 17, 2026 to patch a WebKit cross-origin bug tracked as CVE-2026-20643. (expertinsights.com) The flaw sits in WebKit's Navigation API, and Apple's advisory says processing "maliciously crafted web content" could bypass the Same-Origin Policy, allowing attackers to access authentication tokens or session data exposed to a browser context. (cybersecuritynews.com)

WebKit is the engine behind Safari and behind the WKWebView API that many iOS apps embed for in-app browsers and consent pages, so embedded web content in apps could surface the same cross-origin risk. (developer.apple.com) Major wearable platforms use OAuth2 token flows to grant third-party access to sleep, activity and biometric endpoints (Oura documents OAuth2 server and client flows, and Fitbit's developer portal documents its Web API and OAuth usage), so exposed tokens could give API access to those data sources. (cloud.ouraring.com)

Apple's Background Security Improvements are applied automatically when the "Automatically Install" setting is enabled, but Apple warns that BSI releases can cause "rare instances of compatibility issues" and that removing a BSI reverts the device to the baseline OS version. (support.apple.com)

Industry guidance already deprecates the OAuth-in-WebView pattern, and Apple ships a platform alternative: Google explicitly discourages embedded WebViews for OAuth, and ASWebAuthenticationSession in AuthenticationServices is the API designed to isolate OAuth redirects from in-app web rendering. (support.google.com)

Because the update is delivered out-of-band via BSI, app release and QA processes should explicitly test embedded WKWebView flows, OAuth consent windows and third-party connector behavior against iOS 26.3.1 (a) and against the BSI removal scenario, to validate token handling and UX compatibility. (inspiringapps.com)
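To make the isolation point concrete, the following Swift snippet is an added example (not code from Apple, Oura or Fitbit) that runs an OAuth authorization-code request through ASWebAuthenticationSession with a state check and PKCE, rather than rendering the consent page in a WKWebView; the authorization endpoint, client ID and callback scheme are placeholder assumptions, and the subsequent token exchange is left to the caller.

```swift
import AuthenticationServices
import CryptoKit
import UIKit
/// Base64url without padding, as RFC 7636 requires for PKCE values.
private func base64url(_ d: Data) -> String {
    d.base64EncodedString().replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_").replacingOccurrences(of: "=", with: "")
}
/// Authorization-code flow through ASWebAuthenticationSession (system browser context) instead of
/// an in-app WKWebView: the provider's cookies and the code-bearing redirect never pass through web content the app renders.
final class OAuthSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    // Placeholder endpoint, client ID and callback scheme; a real integration takes these from the provider.
    private let authorizeURL = URL(string: "https://auth.example.com/oauth/authorize")!
    private let clientID = "EXAMPLE_CLIENT_ID"
    private let callbackScheme = "com.example.app"
    private var session: ASWebAuthenticationSession?
    func start(completion: @escaping (Result<(code: String, verifier: String), Error>) -> Void) {
        // Fresh single-use state and PKCE verifier for every attempt.
        let state = base64url(Data((0..<32).map { _ in UInt8.random(in: 0...255) }))
        let verifier = base64url(Data((0..<32).map { _ in UInt8.random(in: 0...255) }))
        let challenge = base64url(Data(SHA256.hash(data: Data(verifier.utf8))))
        var parts = URLComponents(url: authorizeURL, resolvingAgainstBaseURL: false)!
        parts.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: "\(callbackScheme)://callback"),
            URLQueryItem(name: "state", value: state),
            URLQueryItem(name: "code_challenge", value: challenge),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]
        let session = ASWebAuthenticationSession(url: parts.url!, callbackURLScheme: callbackScheme) { url, error in
            if let error = error { return completion(.failure(error)) }
            let items = url.flatMap { URLComponents(url: $0, resolvingAgainstBaseURL: false)?.queryItems } ?? []
            // Reject any redirect whose state differs from the one this attempt issued.
            guard items.first(where: { $0.name == "state" })?.value == state,
                  let code = items.first(where: { $0.name == "code" })?.value else {
                return completion(.failure(URLError(.userAuthenticationRequired)))
            }
            completion(.success((code, verifier)))  // exchange code + verifier at the token endpoint next
        }
        session.presentationContextProvider = self
        session.prefersEphemeralWebBrowserSession = true  // no cookies shared with Safari
        self.session = session  // retain until the callback fires
        session.start()
    }
    // A real app returns its key window here.
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        ASPresentationAnchor()
    }
}
```

The authorization code and verifier returned here are then posted to the provider's token endpoint by the app's networking layer; the consent page itself is never rendered inside a WKWebView the app controls.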