Security Bite

Security Bite: The two biggest security upgrades in iOS 26.4 explained

Arin Waichulis | Feb 20 2026 - 5:58 am PT

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

Earlier this week, Apple surprised users with the first iOS 26.4 beta for the iPhone. Many were disappointed (including me) when the update didn’t include the much-anticipated improvements to the estranged Siri assistant. However, this was nowhere near a featureless update. iOS 26.4 beta 1 introduced at least forty new features and changes, including notable upgrades to RCS and Stolen Device Protection.

E2EE for RCS messaging (beta)

Encrypted RCS message thread label in iOS 26.4 beta 1

Back in March 2025, which is the equivalent of a decade in tech years, Apple announced that it was leading a cross-industry effort to bring end-to-end encryption (E2EE) to the RCS Universal Profile. Previously, I predicted this would be unveiled at WWDC25. That didn’t happen. In fact, it was nearly a year of radio silence from Apple until this week, when the company dropped the first iOS 26.4 beta, finally offering the first signs of life for a feature I was beginning to think was DOA.

Apple added RCS support to iPhone in iOS 18 beta 2, to better the messaging experience with Android users. It was a welcoming move for people with parents who refused to get an iPhone (Hi, Dad).

Unlike the now-old industry standard SMS, RCS offers familiar features such as read receipts, the classic typing indicator animation, audio messages, and improved image size and quality, but it also adds the ability for enhanced privacy and security.

The keyword here is “ability.”

There’s a common misconception that RCS comes with E2EE baked in, but that’s not the case. Google’s Messages app is basically to blame. It was one of the most widely used RCS clients, which offers E2EE between Android devices as an extra layer of security for those using the service. This is similar to how iMessage provides E2EE exclusively between Apple devices.

When an iPhone communicates with a non-Apple device via RCS, messages are only encrypted in transit using transport-layer encryption (like TLS). While this protects against basic interception during transmission, it doesn’t guarantee that messages cannot still be accessible server-side, unlike E2EE, where only the sender and recipient can read the content.

In iOS 26.4 beta 1, the option to test the feature is now available. Apple does state that not all carriers and devices support encrypted RCS messages, though. You’ll know if it was established by the message thread being labeled “Encrypted.” I haven’t had much luck getting existing threads to switch to E2EE. As of now, this feature appears to only apply to newly created ones.

RCS message thread not encrypted end-to-end on iOS 26.4 beta 1

Stolen Device Protection is now on by default

iPhone thefts are still common, especially in parts of Europe. Stolen Device Protection is Apple’s solution to protect data stored on an iPhone. Now it’s on by default!

The feature came about after the Wall Street Journal’s Joanna Stern published an investigative report on the rise of iPhone thieves around restaurants and bars.

The attacks were typically carried out by observing victims enter their passcode before stealing the device, changing their Apple ID password, and turning off Find My iPhone to prevent remote tracking or wiping. From here, a thief can lock victims out of accounts (i.e., Venmo, CashApp, other banking apps, etc) by using passwords saved to the Keychain password manager.

Stolen Device Protection completely thwarts this vulnerability in two key ways. The feature requires Face ID or Touch ID authentication (with no passcode fallback) before users can change important security settings like Apple ID passwords or device passcodes.

It also enacts a one-hour security delay before users can change critical security settings. Designed to give victims time to mark an iPhone as lost (and wipe it) before a thief can make changes. This can be set to “Always” or “Away from Familiar Locations.”