Apple plans to release the next versions of iOS, iPadOS, macOS, and watchOS to the general public on September 16, the company announced via its website following its iPhone-centric product event earlier today. From a report: We should also see updates for tvOS and the HomePod operating system on the same date. The new releases bring a number of new features and refinements to Apple's platforms: better texting with Android devices thanks to support for the RCS standard, iPhone Mirroring that allows you to interact with your iPhone via your Mac, more UI customization options for iPhones and iPads, and other improvements besides. What won't be included in these initial releases is any hint of Apple Intelligence, the batch of generative AI and machine learning features that Apple announced at its Worldwide Developers Conference in June. Apple is testing some of the Apple Intelligence features in betas of iOS 18.1, iPadOS 18.1, and macOS 15.1, updates that will be released later this fall.

The Register reports that Google "recently rewrote the firmware for protected virtual machines in its Android Virtualization Framework using the Rust programming language." And they add that Google "wants you to do the same, assuming you deal with firmware."

A post on Google's security blog by Android engineers Ivan Lozano and Dominik Maier promises to show "how to gradually introduce Rust into your existing firmware," adding "You'll see how easy it is to boost security with drop-in Rust replacements, and we'll even demonstrate how the Rust toolchain can handle specialized bare-metal targets."

This prompts the Register to quip that easy "is not a term commonly heard with regard to a programming language known for its steep learning curve." Citing the lack of high-level security mechanisms in firmware, which is often written in memory-unsafe languages such as C or C++, Lozano and Maier argue that Rust provides a way to avoid the memory safety bugs like buffer overflows and use-after-free that account for the majority of significant vulnerabilities in large codebases. "Rust provides a memory-safe alternative to C and C++ with comparable performance and code size," they note. "Additionally it supports interoperability with C with no overhead."
At one point the blog post explains that "You can replace existing C functionality by writing a thin Rust shim that translates between an existing Rust API and the C API the codebase expects." But their ultimate motivation is greater security. "Android's use of safe-by-design principles drives our adoption of memory-safe languages like Rust, making exploitation of the OS increasingly difficult with every release."

And the Register also got this quote from Lars Bergstrom, Google's director of engineering for Android Programming Languages (and chair of the Rust Foundation's board of directors). "At Google, we're increasing Rust's use across Android, Chromium, and more to reduce memory safety vulnerabilities. We're dedicated to collaborating with the Rust ecosystem to drive its adoption and provide developers with the resources and training they need to succeed.

"This work on bringing Rust to embedded and firmware addresses another critical part of the stack."

Digital rights activists want device manufacturers to disclose a "guaranteed minimum support time" for devices — and federal regulations ensuring a product's core functionality will work even after its software updates stop.

Influential groups including Consumer Reports, EFF, the Software Freedom Conservancy, iFixit, and U.S. Pirg have now signed a letter to the head of America's Consumer Protection bureau (at the Federal Trade Commision), reports The Register: In an eight-page letter to the Commission (FTC), the activists mentioned the Google/Levis collaboration on a denim jacket that contained sensors enabling it to control an Android device through a special app. When the app was discontinued in 2023, the jacket lost that functionality. The letter also mentions the "Car Thing," an automotive infotainment device created by Spotify, which bricked the device fewer than two years after launch and didn't offer a refund...

Environmental groups and computer repair shops also signed the letter... "Consumers need a clear standard for what to expect when purchasing a connected device," stated Justin Brookman, director of technology policy at Consumer Reports and a former policy director of the FTC's Office of Technology, Research, and Investigation. "Too often, consumers are left with devices that stop functioning because companies decide to end support without little to no warning. This leaves people stranded with devices they once relied on, unable to access features or updates...."

Brookman told The Register that he believes this is the first such policy request to the FTC that asks the agency to help consumers with this dilemma. "I'm not aware of a previous effort from public interest groups to get the FTC to take action on this issue — it's still a relatively new issue with no clear established norms," he wrote in an email. "But it has certainly become an issue" that comes up more and more with device makers as they change their rules about product updates and usage.
"Both switching features to a subscription and 'bricking' a connected device purchased by a consumer in many cases are unfair and deceptive practices," the groups write, arguing that the practices "infringe on a consumer's right to own the products they buy." They're requesting clear "guidance" for manufacturers from the U.S. government. The FTC has a number of tools at its disposal to help establish standards for IoT device support. While a formal rulemaking is one possibility, the FTC also has the ability to issue more informal guidance, such as its Endorsement Guides12 and Dot Com Disclosures.13 We believe the agency should set norms...
The groups are also urging the FTC to:

• Encourage tools and methods that enable reuse if software support ends.

• Conduct an educational program to encourage manufacturers to build longevity into the design of their products.

• Protect "adversarial interoperability"... when a competitor or third-party creates a reuse or modification tool [that] adds to or converts the old device.

Thanks to long-time Slashdot reader Z00L00K for sharing the article.

Long-time FOSS-watcher Bruce Byfield writes that while people "still dream of a completely free alternative, increasingly the emphasis in FOSS seems to be on accepting coexistence with proprietary software." Many, too, have always preferred the permissive BSD licenses, which permits combining FOSS and proprietary software. From some perspectives, Debian's newest [non-free firmware] repository or Nobara's popularity [a Fedora-based distro but with proprietary drivers and gaming applications] is simply an admission of the true state of affairs...

On the other hand, the FOSS philosophy may be weakened because it no longer has a strong advocate. Sixteen years ago, the FSF reached a peak of authority in the discussions of 2006-2007 about the structure of GPLv3 — then immediately lost that authority by not reaching a consensus. That was followed by the cancellation of Richard Stallman in 2017, which, deserved or not, had the side effect of silencing free software's most influential representative. Today the FSF that Stallman led continues to function, with Stallman returned to the board of directors, but its actions go unreported, and it seems to speak to a much smaller group of loyalists. The Linux Foundation, with its corporate emphasis, is not an adequate substitution. In these circumstances, there is reason to wonder whether FOSS has lost its way.

While the issue has yet to reach the mainstream, Bruce Perens, one of the coiners of the term "open source" in 1998, is already trying to describe what he calls the Post-Open Source era. Not only does Perens believe that FOSS licenses no longer fulfill their original purpose, but they no longer inform or benefit the average user. According to Perens,

"Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company's systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn't know about Open Source, they don't know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them."

As a remedy, Perens proposes that licenses should be replaced by contracts. He envisions that companies pay for the benefits they receive from using FOSS. Compliance for each contract would be checked, renewed, and paid for yearly, and the payments would go towards funding FOSS development. Individuals and nonprofits would continue to use FOSS for free. In March 2024, Perens posted a draft Post-Open license. The draft includes a description of the contract-related files to be shipped with FOSS software, a description of the status of derivative works, how revenue is collected, and conditions of termination. The draft has yet to be reviewed by a lawyer, but what is immediately noticeable is how it draws on both contract language and FOSS licenses to produce something different.
Byfield concludes that "free licenses are straining to respond to loopholes, and a discussion needs to be had about whether they are adequate to modern pressures."

SpyAgent is a new Android malware that uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices, allowing attackers to hijack wallets and steal funds. The malware primarily targets South Korea but poses a growing threat as it expands to other regions and possibly iOS. BleepingComputer reports: A malware operation discovered by McAfee was traced back to at least 280 APKs distributed outside of Google Play using SMS or malicious social media posts. This malware can use OCR to recover cryptocurrency recovery phrases from images stored on an Android device, making it a significant threat. [...] Once it infects a new device, SpyAgent begins sending the following sensitive information to its command and control (C2) server:

- Victim's contact list, likely for distributing the malware via SMS originating from trusted contacts.
- Incoming SMS messages, including those containing one-time passwords (OTPs).
- Images stored on the device to use for OCR scanning.
- Generic device information, likely for optimizing the attacks.

SpyAgent can also receive commands from the C2 to change the sound settings or send SMS messages, likely used to send phishing texts to distribute the malware. McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing the researchers to gain access to them. Admin panel pages, as well as files and data stolen from victims, were easily accessible, allowing McAfee to confirm that the malware had claimed multiple victims. The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel accordingly to allow easy management and immediate utilization in wallet hijack attacks.

An anonymous reader shares a report: It's been a rough week for OSOM Products. The company has been embroiled in legal controversy stemming from a lawsuit filed by a former executive. Now, Android Authority has learned that the company is effectively shutting down later this week. OSOM Products was formed in 2020 following the disbanding of Essential, a smartphone startup led by Andy Rubin, the founder of Android.

Essential collapsed following the poor sales of its first smartphone, the Essential Phone, as well as a loss of confidence in Rubin due to allegations of sexual misconduct at his previous stint at Google. Although Essential as a company was on its way out after Rubin's departure, many of its most talented hardware designers and software engineers remained at the company, looking for another opportunity to build something new. In 2020, the former head of R&D at Essential, Jason Keats, along with several other former executives and employees came together to form OSOM, which stands for "Out of Sight, Out of Mind." The name reflected their desire to create privacy-focused products such as the OSOM Privacy Cable, a USB-C cable with a switch to disable data signaling, and the OSOM OV1, an Android smartphone with lots of privacy and security-focused features.

Google's Android Earthquake Alerts System, initially launched in 2020, is now available in all 50 U.S. states and 6 territories. Droid Life reports: For users in California, Oregon and Washington, users will continue to have their alerts powered by the ShakeAlert system, utilizing traditional seismometers to detect earthquakes. For all out states and supported territories, "this expansion uses the built-in accelerometers in Android phones to bring another layer of preparedness and potentially life-saving information to people across every state," the company explained in a blog post.

Using the accelerometer to sense vibrations and an apparent earthquake, the system quickly analyzes the crowdsourced data to determine if an earthquake is occurring. Google says it has been working with many experts to continue the system's improvement. Depending on the severity of the earthquake, you'll get two types of notifications. A little pop up on your screen if it's pretty weak with light shaking or a complete screen takeover for moderate to extreme shaking. These are called Take Action alerts, complete with the classic drop, cover, and hold instructions.

Firefox 130 introduces several enhancements, including improved local translation handling, better Android page load performance, and the WebCodecs API for low-level audio/video processing on desktop platforms. Notably, it also supports third-party AI chatbots like ChatGPT and Google Gemini via the new Firefox Labs feature. Phoronix reports: The WebCodecs API is particularly useful for web-based apps like video/audio editors and video conferencing that may want control over individual frames of a video stream or audio chunks. For any web software interested in that low-level audio/video encode/decode handling there is now WebCodecs API working on the Firefox desktop builds. As for the third-party AI chatbots, here's what Mozilla's Ian Carmichael said back in June: "If you want to use AI, we think you should have the freedom to use (or not use) the tools that best suit your needs. Instead of juggling between tabs or apps for assistance, those who opt-in will have the option to access their preferred AI service from the Firefox sidebar to summarize information, simplify language, or test their knowledge, all without leaving their current web page."

You can learn more about Firefox 130 via developer.mozilla.org. Binaries for Linux can be found at Mozilla.org.

Google has released Android 15 for developers, with support for Pixel phones expected in the coming weeks. The update will roll out to compatible devices from Samsung, Motorola, OnePlus, and other manufacturers in the following months.

Key features of Android 15 include single-tap passkeys, theft detection, improved multitasking for large-screen devices, and app access limitations. The update also enhances TalkBack, Android's screen reader, with Gemini AI integration for audio descriptions of images. Google is expanding its Circle to Search feature with song identification capabilities and extending earthquake alerts to all U.S. states and six territories. The alerts use data from Android devices' accelerometers to detect potential seismic activity, complementing traditional seismometer readings in states with access to the USGS ShakeAlert system.

A former executive of smartphone startup OSOM Products has filed a lawsuit alleging the company's founder misused funds for personal expenses, including two Lamborghinis and a lavish lifestyle. Mary Ross, OSOM's ex-Chief Privacy Officer, is seeking access to company records in a Delaware court filing.

OSOM, founded in 2020 by former Essential employees, launched two products: the Solana-backed Saga smartphone and a privacy cable. Android founder Andy Rubin founded Essential, which sought to compete with Apple and Android-makers on a smartphone, but later shutdown after not find many takers for its phone. The lawsuit claims OSOM founder Jason Keats used company money for racing hobbies, first-class travel, and mortgage payments.

The Google Play Store is now rolling out support for downloading up to three Android app updates simultaneously, addressing a long-standing limitation where apps could only be downloaded one at a time. 9to5Google reports: We're seeing simultaneous app update downloads working in the Google Play Store today across multiple devices, and a few of our readers are seeing the same behavior this week as well. It's unclear if this is a server-side change on Google's part or an update to the Play Store itself, but the functionality is much appreciated. As far as we can tell, you can download up to three app updates at once through the Play Store. The apps will start to download, with only anything beyond three showing the "Pending" status that we're all so used to seeing in the Play Store. This matches the App Store on iOS which can also download up to three apps at once. The same limit of three also now applies to new app installs, which was previously limited to two at a time.

Spotify claims Apple may be again in violation of European regulation, the Digital Markets Act (DMA), which requires interoperability from big technology companies dubbed "gatekeepers." From a report: This time, the issue isn't about in-app purchases, links or pricing information, but rather how Apple has discontinued the technology that allows Spotify users to control the volume on their connected devices.

When streaming to connected devices via Spotify Connect on iOS, users were previously able to use the physical buttons on the side of their iPhone to adjust the volume. As a result of the change, this will no longer work. To work around the issue, Spotify iOS users will instead be directed to use the volume slider in the Spotify Connect menu in the app to control the volume on connected devices. The company notes that this issue doesn't affect users controlling the volume on iOS Bluetooth or AirPlay sessions, nor users on Android. It only applies to those listening via Spotify Connect on iOS. As a result, Spotify iOS users globally will be directed to use the new in-app volume slider beginning on September 3.

Google says it has evidence that Russian government hackers are using exploits that are "identical or strikingly similar" to those previously made by spyware makers Intellexa and NSO Group. From a report: In a blog post on Thursday, Google said it is not sure how the Russian government acquired the exploits, but said this is an example of how exploits developed by spyware makers can end up in the hands of "dangerous threat actors." In this case, Google says the threat actors are APT29, a group of hackers widely attributed to Russia's Foreign Intelligence Service, or the SVR. APT29 is a highly capable group of hackers, known for its long-running and persistent campaigns aimed at conducting espionage and data theft against a range of targets, including tech giants Microsoft and SolarWinds, as well as foreign governments.

Google said it found the hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. During this time, anyone who visited these sites using an iPhone or Android device could have had their phone hacked and data stolen, including passwords, in what is known as a "watering hole" attack. The exploits took advantage of vulnerabilities in the iPhone's Safari browser and Google Chrome on Android that had already been fixed at the time of the suspected Russian campaign. Still, those exploits nevertheless could be effective in compromising unpatched devices.

An anonymous reader quotes a report from TechCrunch: [...] Anthropic, in its continued effort to paint itself as a more ethical, transparent AI vendor, has published the system prompts for its latest models (Claude 3 Opus, Claude 3.5 Sonnet and Claude 3 Haiku) in the Claude iOS and Android apps and on the web. Alex Albert, head of Anthropic's developer relations, said in a post on X that Anthropic plans to make this sort of disclosure a regular thing as it updates and fine-tunes its system prompts. The latest prompts, dated July 12, outline very clearly what the Claude models can't do -- e.g. "Claude cannot open URLs, links, or videos." Facial recognition is a big no-no; the system prompt for Claude Opus tells the model to "always respond as if it is completely face blind" and to "avoid identifying or naming any humans in [images]." But the prompts also describe certain personality traits and characteristics -- traits and characteristics that Anthropic would have the Claude models exemplify.

The prompt for Claude 3 Opus, for instance, says that Claude is to appear as if it "[is] very smart and intellectually curious," and "enjoys hearing what humans think on an issue and engaging in discussion on a wide variety of topics." It also instructs Claude to treat controversial topics with impartiality and objectivity, providing "careful thoughts" and "clear information" -- and never to begin responses with the words "certainly" or "absolutely." It's all a bit strange to this human, these system prompts, which are written like an actor in a stage play might write a character analysis sheet. The prompt for Opus ends with "Claude is now being connected with a human," which gives the impression that Claude is some sort of consciousness on the other end of the screen whose only purpose is to fulfill the whims of its human conversation partners. But of course that's an illusion. "If the prompts for Claude tell us anything, it's that without human guidance and hand-holding, these models are frighteningly blank slates," concludes TechCrunch's Kyle Wiggers. "With these new system prompt changelogs -- the first of their kind from a major AI vendor -- Anthropic is exerting pressure on competitors to publish the same. We'll have to see if the gambit works."

Microsoft has decided to donate the Mono Project to the developers of Wine, FOSS that allows Windows applications to run on Unix-like operating systems. "Mono is a software platform designed to allow developers to easily create cross platform applications," notes GameOnLinux's Liam Dawe. "It is an open source implementation of Microsoft's .NET Framework based on the ECMA standards for C# and the Common Language Runtime."

"Wine already makes use of Mono and this move makes sense with Microsoft focusing on open-source .NET and other efforts," adds Phoronix's Michael Larabel. "Formally handing over control of the upstream Mono project to WineHQ is a nice move by Microsoft rather than just letting the upstream Mono die off or otherwise forked." Microsoft's Jeff Schwartz announced the move on the Mono website and in a GitHub post: The Mono Project (mono/mono) ('original mono') has been an important part of the .NET ecosystem since it was launched in 2001. Microsoft became the steward of the Mono Project when it acquired Xamarin in 2016. The last major release of the Mono Project was in July 2019, with minor patch releases since that time. The last patch release was February 2024. We are happy to announce that the WineHQ organization will be taking over as the stewards of the Mono Project upstream at wine-mono / Mono - GitLab (winehq.org). Source code in existing mono/mono and other repos will remain available, although repos may be archived. Binaries will remain available for up to four years.

Microsoft maintains a modern fork of Mono runtime in the dotnet/runtime repo and has been progressively moving workloads to that fork. That work is now complete, and we recommend that active Mono users and maintainers of Mono-based app frameworks migrate to .NET which includes work from this fork. We want to recognize that the Mono Project was the first .NET implementation on Android, iOS, Linux, and other operating systems. The Mono Project was a trailblazer for the .NET platform across many operating systems. It helped make cross-platform .NET a reality and enabled .NET in many new places and we appreciate the work of those who came before us.

Thank you to all the Mono developers!

Android Authority's Mishaal Rahman reports: Security vulnerabilities are lurking in most of the apps you use on a day-to-day basis; there's just no way for most companies to preemptively fix every possible security issue because of human error, deadlines, lack of resources, and a multitude of other factors. That's why many organizations run bug bounty programs to get external help with fixing these issues. The Google Play Security Reward Program (GPSRP) is an example of a bug bounty program that paid security researchers to find vulnerabilities in popular Android apps, but it's being shut down later this month. Google announced the Google Play Security Reward Program back in October 2017 as a way to incentivize security searchers to find and, most importantly, responsibly disclose vulnerabilities in popular Android apps distributed through the Google Play Store. [...]

The purpose of the Google Play Security Reward Program was simple: Google wanted to make the Play Store a more secure destination for Android apps. According to the company, vulnerability data they collected from the program was used to help create automated checks that scanned all apps available in Google Play for similar vulnerabilities. In 2019, Google said these automated checks helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. Thus, the downstream effect of the GPSRP is that fewer vulnerable apps are distributed to Android users.

However, Google has now decided to wind down the Google Play Security Reward Program. In an email to participating developers, such as Sean Pesce, the company announced that the GPSRP will end on August 31st. The reason Google gave is that the program has seen a decrease in the number of actionable vulnerabilities reported. The company credits this success to the "overall increase in the Android OS security posture and feature hardening efforts."

Epic Games launched its digital app store on iOS and Android devices on Friday, marking Fortnite's return to Apple's platform in the European Union after a four-year absence. The move follows the implementation of the EU's Digital Markets Act, which mandates Apple to allow third-party app stores. Epic's store is available globally on Android and in the EU for iOS devices running iOS 17.6 or later.

Fortnite, along with Rocket League Sideswipe and Fall Guys, are now accessible through Epic's mobile store and the EU's AltStore. This marks Fall Guys' mobile debut. Epic CEO Tim Sweeney hailed the development as "tangible progress" but noted challenges remain, including Apple's new fees for third-party app distribution. The company aims for 100 million mobile store installations by year-end and plans to offer third-party games by December, with self-publishing slated for early 2025. Epic's 88/12 revenue split model will extend to mobile, potentially disrupting the mobile gaming marketplace dominated by Apple and Google.

Californians' driver's licenses are going digital as people will soon be able to carry them in their Apple or Google wallets. From a report: The governor's office says it's a secure and convenient tool that will allow users to more easily undergo ID verification, such as airport screenings. The virtual wallet capabilities, which are set to roll out "in the coming weeks," will allow users to add and access California driver's licenses and ID cards on their iPhones, Apple Watch and Android devices -- similar to credit cards.

They will be authorized for use in TSA screenings, select apps and select businesses, such as Circle K. Participating airports in the state include SFO, SJC and LAX. The new format, which Gov. Gavin Newsom is expected to announce Thursday, is part of the DMV's broader mobile driver's license (mDL) pilot, which launched last year. "This is a big step in our efforts to better serve all Californians, meeting people where they're at and with technology people use every day," Newsom said in a statement shared first with Axios.

Google's master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor. From a report: The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post. The discovery and Google's lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.

"Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir Chief Information Security Officer Dane Stuckey said. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application. On Wednesday night, Google told The Post that it would issue an update to remove the application. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update," said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.

Judge James Donato just made it crystal clear: Google will pay. From a report: Eight months after a federal jury unanimously decided that Google's Android app store is an illegal monopoly in Epic v. Google, Donato held his final hearing on remedies today. While we don't yet know what will happen, he repeatedly shut down any suggestion that Google shouldn't have to open up its store to rival stores, that it'd be too much work or cost too much, or that the proposed remedies go too far.

"We're going to tear the barriers down, it's just the way it's going to happen," said Donato. "The world that exists today is the product of monopolistic conduct. That world is changing." Donato will issue his final ruling in a little over two weeks.