Google has restructured Android's decade-old monthly security update process into a "Risk-Based Update System" that separates high-priority patches from routine fixes. Monthly bulletins now contain only vulnerabilities under active exploitation or in known exploit chains -- explaining July 2025's unprecedented zero-CVE bulletin -- while most patches accumulate for quarterly releases.

The September 2025 bulletin contained 119 vulnerabilities compared to zero in July and six in August. The change reduces OEM workload for monthly updates but extends the private bulletin lead time from 30 days to several months for quarterly releases. The company no longer releases monthly security update source code, limiting custom ROM development to quarterly cycles.

"There has never been a successful, widespread malware attack against iPhone," notes Apple's security blog, pointing out that "The only system-level iOS attacks we observe in the wild come from mercenary spyware... historically associated with state actors and [using] exploit chains that cost millions of dollars..."

But they're doing something about it — this week announcing a new always-on memory-safety protection in the iPhone 17 lineup and iPhone Air (including the kernel and over 70 userland processes)... Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry... For Apple, improving memory safety is a broad effort that includes developing with safe languages and deploying mitigations at scale...

Our analysis found that, when employed as a real-time defensive measure, the original Arm Memory Tagging Extension (MTE) release exhibited weaknesses that were unacceptable to us, and we worked with Arm to address these shortcomings in the new Enhanced Memory Tagging Extension (EMTE) specification, released in 2022. More importantly, our analysis showed that while EMTE had great potential as specified, a rigorous implementation with deep hardware and operating system support could be a breakthrough that produces an extraordinary new security mechanism.... Ultimately, we determined that to deliver truly best-in-class memory safety, we would carry out a massive engineering effort spanning all of Apple — including updates to Apple silicon, our operating systems, and our software frameworks. This effort, together with our highly successful secure memory allocator work, would transform MTE from a helpful debugging tool into a groundbreaking new security feature.

Today we're introducing the culmination of this effort: Memory Integrity Enforcement (MIE), our comprehensive memory safety defense for Apple platforms. Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies. MIE is built right into Apple hardware and software in all models of iPhone 17 and iPhone Air and offers unparalleled, always-on memory safety protection for our key attack surfaces including the kernel, while maintaining the power and performance that users expect. In addition, we're making EMTE available to all Apple developers in Xcode as part of the new Enhanced Security feature that we released earlier this year during WWDC...

Based on our evaluations pitting Memory Integrity Enforcement against exceptionally sophisticated mercenary spyware attacks from the last three years, we believe MIE will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products. Because of how dramatically it reduces an attacker's ability to exploit memory corruption vulnerabilities on our devices, we believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.

Kevin Barry, founder and sole developer of Nova Launcher, has left parent company Branch Metrics after being told to stop work on both the launcher and an open-source release. While the app remains on Google Play, the launcher's website currently shows a 404 error. The Verge reports: Mobile analytics company Branch Metrics acquired Nova in 2022. The company's CEO at the time, co-founder Alex Austin, said on Reddit that if Barry were to leave Branch, "it's contracted that the code will be open-sourced and put in the hands of the community." Austin left Branch in 2023, and now with Barry officially gone from the company, too, it's unclear if the launcher will now actually be open-sourced.

"I think the newer leadership since Alex Austin left has put a different focus on the company and Nova simply isn't part of that focus in any way at all," Cliff Wade, Nova's former customer relations lead who left as part of the 2024 layoffs, tells The Verge. "It's just some app that they own but no longer feel they need or want." Wade also said that "I don't believe Branch will do the right thing any time soon with regards to open-sourcing Nova. I think they simply just don't care and don't want to invest time, unless of course, they get enough pressure from the community and individuals who care."

Users have started a change.org petition to ask for the project to be open-sourced, and Wade says it's a "great start" to apply that pressure. Wade said he hasn't personally seen Barry's contract, so couldn't corroborate the claim of a contractual obligation to open-source Nova. Still, he said that the community "deserves" for the launcher to be open-sourced. "Branch just simply needs to do the right thing here and honor what they as a company have stated as well as what then CEO Alex Austin has stated numerous times prior to him leaving Branch."

Signal has begun rolling out end-to-end encrypted cloud backups in its latest Android beta release. The opt-in feature allows users to restore message history if their phone is lost or damaged. Free backups include all text messages and 45 days of media attachments. A $1.99 monthly subscription extends media storage to 100GB.

Users generate a 64-character recovery key on their device that Signal's servers never access. Backups refresh daily, excluding view-once messages and those set to disappear within 24 hours. The nonprofit cited storage costs as the reason for its first paid tier. iOS and Desktop support will follow the Android rollout. Signal said it stores backup archives without linking them to specific user accounts or payment information.

Researchers from Nanjing University and the University of Sydney developed an AI-powered bug-hunting agent that mimics human vulnerability discovery, validating flaws with proof-of-concept exploits. The Register reports: Ziyue Wang (Nanjing) and Liyi Zhou (Sydney) have expanded upon prior work dubbed A1, an AI agent that can develop exploits for cryptocurrency smart contracts, with A2, an AI agent capable of vulnerability discovery and validation in Android apps. They describe A2 in a preprint paper titled "Agentic Discovery and Validation of Android App Vulnerabilities."

The authors claim that the A2 system achieves 78.3 percent coverage on the Ghera benchmark, surpassing static analyzers like APKHunt (30.0 percent). And they say that, when they used A2 on 169 production APKs, they found "104 true-positive zero-day vulnerabilities," 57 of which were self-validated via automatically generated proof-of-concept (PoC) exploits. One of these included a medium-severity flaw in an Android app with over 10 million installs.

An anonymous reader shares a report: Adobe is bringing its video editor Premiere to iPhone, promising "pro-level" editing on the go for free. The app will launch later this month, with an Android version also under development.

The Premiere app features a familiar multi-track timeline, with support for an unlimited number of video, audio, and text layers. There's automatic captioning, 4K HDR support, and one-tap exporting to TikTok, YouTube Shorts, and Instagram -- including automatic resizing that frames content for each platform.

The iOS version of Premiere will be free to download and use, though Adobe says there will be charges for additional cloud storage and generative AI credits. Speaking of, it includes support for Adobe's generative sound effects and AI-powered speech enhancement, plus a wider range of AI assets generated through Adobe Firefly. If you'd rather not use AI content, there's a selection of Adobe fonts, along with images, sounds, music, and video assets that are free to use.

Google's September Pixel drop brings the new Material 3 Expressive UI, AI-powered Gboard writing tools, and Bluetooth Auracast upgrades to older Pixel devices, including the Pixel 6 and Pixel Tablet. "Among other tweaks, Google made it possible to add 'Live Effects,' including a few that cover the weather, to your phone's lock screen wallpaper," notes Engadget. "Material 3 Expressive also gives you more control over how the contact cards your phone displays when your friends and family call you look. Even if you're not one to endlessly tweak Android's appearance, as part of the redesign Google has once again reworked the Quick Settings pane in hopes of making it easier to use."

On the audio front, Pixel Buds Pro 2 gain intuitive nod-and-shake gesture controls, Adaptive Audio for balanced awareness, and Loud Noise Protection to guard against sudden sound spikes. Voice clarity has also been improved with Gemini Live in noisy environments.

A full breakdown of what's new can be found here.

A federal judge spared Google from the harshest penalties in its antitrust case. The search giant can keep Chrome and avoid breaking up Android, but it has been barred from exclusive contracts and ordered to limit data sharing with rivals. CNBC reports: U.S. District Judge Amit Mehta ruled against the most severe consequences that were proposed by the U.S. Department of Justice, including selling off its Chrome browser, which provides data that helps its advertising business deliver targeted ads. "Google will not be required to divest Chrome; nor will the court include a contingent divestiture of the Android operating system in the final judgment," the decision stated. "Plaintiffs overreached in seeking forced divesture of these key assets, which Google did not use to effect any illegal restraints."

The company can make payments to preload products, but it cannot have exclusive contracts, the decision stated. The DOJ asked Google to stop the practice of "compelled syndication," which refers to the practice of making certain deals with companies to ensure its search engine remains the default choice in browsers and smartphones. [...] The judge ordered the parties to meet by September 10th for the final judgement.

"Google will not be barred from making payments or offering other consideration to distribution partners for preloading or placement of Google Search, Chrome, or its GenAI products. Cutting off payments from Google almost certainly will impose substantial -- in some cases, crippling -- downstream harms to distribution partners, related markets, and consumers, which counsels against a broad payment ban." [...] Google said it will appeal the ruling, which would delay any potential penalties. Mehta ruled Tuesday that Google will have to make available certain search index data and user interaction data though "not ads data." The court narrowed the datasets Google will be required to share and said they must occur on "ordinary commercial terms that are consistent with Google's current syndication services."

Developer Hugo Tunius, writing in a blog post: Sideloading has been a hot topic for the last decade. Most recently, Google has announced further restrictions on the practice in Android. Many hundreds of comment threads have discussed these changes over the years. One point in particular is always made: "I should be able to run whatever code I want on hardware I own." I agree entirely with this point, but within the context of this discussion it's moot.

When Google restricts your ability to install certain applications they aren't constraining what you can do with the hardware you own, they are constraining what you can do using the software they provide with said hardware. It's through this control of the operating system that Google is exerting control, not at the hardware layer. You often don't have full access to the hardware either and building new operating systems to run on mobile hardware is impossible, or at least much harder than it should be. This is a separate, and I think more fruitful, point to make. Apple is a better case study than Google here. Apple's success with iOS partially derives from the tight integration of hardware and software. An iPhone without iOS is a very different product to what we understand an iPhone to be. Forcing Apple to change core tenets of iOS by legislative means would undermine what made the iPhone successful.

Google will require identity verification for all Android app developers, including those distributing apps outside the Play Store, starting September 2026 in Brazil, Indonesia, Singapore, and Thailand before expanding globally through 2027. Developers must register through a new Android Developer Console beginning March 2026. The requirement applies to certified Android devices running Google Mobile Services. Google cited malware prevention as the primary motivation, noting sideloaded apps contain 50 times more malware than Play Store apps.

Hobbyist and student developers will receive separate account types. Developer information submitted to Google will not be displayed to users.

"Google has confirmed that its Battery Health Assistance feature can't be turned off on the Pixel 10 phones," reports Android Authority: Google introduced a Battery Health Assistance feature on the Pixel 9a earlier this year. This feature gradually drops your phone's charging speed and battery voltage in the name of battery health. This tool is mandatory on the Pixel 9a but optional on other Pixel phones. However, there's bad news for the Pixel 10 series. Google confirmed to Android Authority that Battery Health Assistance is mandatory on the Pixel 10 series and can't be disabled. That means your phone's charging speed and effective battery life will drop over time...

All smartphone batteries degrade over time, resulting in shorter and shorter endurance. Google says the Pixel 8a and newer Pixel phones can withstand 1,000 charging cycles before their batteries drop down to 80% effective capacity. However, this Battery Health Assistance feature essentially reduces the phone's battery capacity over and above standard degradation. This is particularly disappointing as users aren't given a choice in the matter.

It's also disappointing as some rival smartphone makers address battery health concerns by offering more durable batteries. For example, Samsung's top phones can withstand 2,000 charging cycles before dropping down to 80% effective capacity, while OnePlus and OPPO's lithium-ion batteries offer 1,600 cycles before reaching 80% capacity. So there likely wouldn't be a need for a Battery Health Assistance tool if Google's batteries had similar longevity.
"The issue also comes after several older Pixel A series models suffered from major battery issues in 2025..."

BrianFagioli writes: Google is preparing to bring its television platforms in line with the rest of Android. Starting August 1, 2026, both Google TV and Android TV will require app updates that include native code to provide 64-bit support. The move follows similar requirements for phones and tablets, and it paves the way for upcoming 64-bit TV devices.

Starting September 1st, Russia will require all smartphones and tablets sold in the country to come with MAX, a state-backed messaging app seen as a rival to WhatsApp and Telegram. Critics say the app could be used to track users. Reuters reports: The Russian government said in a statement that MAX, which will be integrated with government services, would be on a list of mandatory pre-installed apps on all "gadgets," including mobile phones and tablets, sold in Russia from September 1. State media says accusations from Kremlin critics that MAX is a spying app are false and that it has fewer permissions to access user data than rivals WhatsApp and Telegram. It will also be mandatory that from September 1, Russia's domestic app store, RuStore, which is pre-installed on all Android devices, will be pre-installed on Apple devices.

A Russian-language TV app called LIME HD TV, which allows people to watch state TV channels for free, will be pre-installed on all smart TVs sold in Russia from January 1, the government added. [...] MAX said this week that 18 million users had downloaded its app, parts of which are still in a testing phase. Russia's interior ministry said on Wednesday that MAX was safer than foreign rivals, but that it had arrested a suspect in the first fraud case using the new messenger.

Google's Android 16 QPR2 beta 1 is rolling out with new customization features, including the ability to force dark mode and icon themes on apps that don't support them. The update also adds enhanced parental controls, better data migration, PDF editing, and Bluetooth audio sharing, with a full release expected in December. The Verge reports: The beta includes a new dark theme option that will "intelligently invert the UI of apps that appear light despite users having selected the dark theme" when enabled, according to Google's announcement, forcibly making apps that don't natively support the feature to appear darker. Google says this is "largely intended as an accessibility feature" for users with low vision or photosensitivity, and will also automatically darken app splash screens and adjust status bar colors to match the darker theming.

Another feature will allow users to forcibly apply themed icon colors to apps that don't natively support them. Android's icon theming currently only works if app developers have provided a monochrome version of their app icon that can be adjusted, which is annoying for users who want to apply a consistent aesthetic across their entire home page. Auto-themed app icons spare developers from adding this capability manually, removing the hassle for users to customize their phone's theme. The full list of features in the QPR2 beta 1 update can be found on the Android developers' blog.

Amazon is plotting a big change to its Fire tablet lineup following years of escalating gripes from consumers and app developers over the company's homegrown operating system. Reuters: As part of a project known internally as Kittyhawk, Amazon plans to release a higher-end tablet as soon as next year offering the Android operating system software for the first time, according to six people familiar with the matter. Since the Fire tablet's introduction in 2011, Amazon has used what is known as a "forked" version of Android with custom modifications that make it work like a unique operating system.

[...] The first Amazon Android tablet, slated for next year, will be pricier than current models, the people said. One of them said Amazon had discussed a $400 price tag, nearly double the cost of its current higher-end $230 Fire Max 11 tablet. IPads, by comparison, range from $350 to $1,200. Reuters could not learn additional specifications for the planned Amazon tablet, such as screen size and speaker quality or memory capacity. Amazon historically has avoided using software or other products from third parties, preferring to develop the services in-house or, barring that, to acquire a competitor.

Google announced its Pixel 10 smartphone lineup today, introducing the Tensor G5 processor and Qi2 magnetic wireless charging across four models priced from $799 to $1,799. The base Pixel 10 adds a 5x telephoto lens for the first time at $799. The Pixel 10 Pro maintains its $999 starting price in a 6.3-inch size while the Pro XL starts at $1,199 for the 6.8-inch variant.

The $1,799 Pixel 10 Pro Fold becomes the first foldable phone to achieve IP68 water and dust resistance through a redesigned gearless hinge. All models feature 3,000-nit peak brightness displays, Android 16, and Google's Material 3 Expressive interface redesign. The Tensor G5 enables on-device AI features including Magic Cue for contextual information retrieval and Camera Coach for photography guidance. Pro models gain 100x hybrid zoom capabilities through computational photography. Preorders begin today for August 28 availability, except the Pro Fold which ships October 9.

Protected KVM (pKVM), the hypervisor powering the Android Virtualization Framework, has officially achieved SESIP Level 5 certification (in testing by cybersecurity lab Dekra against the TrustCB SESIP scheme).

Google's security blog called the certification "a watershed moment," and a "new benchmark" for both open-source security — and for the future of consumer electronics. "It provides a single, open-source, and exceptionally high-quality firmware base that all device manufacturers can build upon." This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar. The implications for the future of secure mobile technology are profound. With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads. This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity...

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the highest level of vulnerability analysis and penetration testing under the ISO 15408 (Common Criteria) standard. A system certified to this level has been evaluated to be resistant to highly skilled, knowledgeable, well-motivated, and well-funded attackers who may have insider knowledge and access. This certification is the cornerstone of the next-generation of Android's multi-layered security strategy. Many of the TEEs (Trusted Execution Environments) used in the industry have not been formally certified or have only achieved lower levels of security assurance... Looking ahead, Android device manufacturers will be required to use isolation technology that meets this same level of security for various security operations that the device relies on. Protected KVM ensures that every user can benefit from a consistent, transparent, and verifiably secure foundation.
"This achievement represents just one important aspect of the immense, multi-year dedication from the Linux and KVM developer communities and multiple engineering teams at Google developing pKVM and AVF," the post concludes.

"We look forward to seeing the open-source community and Android ecosystem continue to build on this foundation, delivering a new era of high-assurance mobile technology for users."

Duolingo's stock peaked at $529.05 on May 16th. Three months later, it's down 38% — with that drop starting shortly after backlash to the CEO's promise to make it an "AI-first" company.

Yet "The backlash against Duolingo going 'AI-first' didn't even matter," TechCrunch wrote August 7th, noting Duolingo's stock price surged almost 30% overnight. That surge vanished within two days — and instead of a 30% surge, Duolingo now shows a 5% drop over the last eight days.

Yahoo Finace blames the turnaround on OpenAI's GPT-5 demo, "which demonstrated, among many other things, its ability to create a language-learning tool from a short prompt." OpenAI researcher Yann Dubois asked the model to create an app to help his partner learn French. And in a few minutes GPT-5 churned out several iterations, with flashcards, a progress tracker, and even a simple snake-style game with a French twist, a mouse and cheese variation to learn new vocab....

[Duolingo's] corporate lawyers, of course, did warn against this in its annual 10-K, albeit in boilerplate language. Tucked into the risk factors section, Duolingo notes, "It is possible that a new product could gain rapid scale at the expense of existing brands through harnessing a new technology (such as generative AI)." Consider this another warning to anyone making software. [The article adds later that "Rapid development and fierce competition can leave firms suddenly behind — perceived as under threat, inferior, or obsolete — from every iteration of OpenAI's models and from the moves of other influential AI players..."]

There's also irony in the wild swings. Part of Duolingo's successful quarter stemmed from the business's efficient use of AI. Gross margins, the company said, outperformed management expectations due to lower AI costs. And AI conversational features have become part of the company's learning tools, helping achieve double-digit subscriber growth... But the enthusiasm for AI, which led to the initial stock bump this week, also led to the clawback. AI giveth and taketh away.
Meanwhile, this week a blog announced it was "able to activate a long-rumored Practice feature" hidden in Google Translate, notes PC Magazine, with the blogger even sharing a screen recording of "AI-led features within Translate" showing its ability to create personalized lessons. "Google's take on Duolingo is effectively ready for release," the Android Authority blog concluded. "Furthermore, the fact that a Telegram user spotted this in their app suggests that Google is already testing this in a limited fashion."

Duolingo's CEO revisited the backlash to his original "AI-first" promise today in a new interview today with the New York Times, emphasizing his hope that AI would only reduce the company's use of contractors. "We've never laid off any full-time employees. We don't plan to...." But: In the next five years, people's jobs will probably change. We're seeing it with many of our engineers. They may not be doing some rote tasks anymore. What will probably happen is that one person will be able to accomplish more, rather than having fewer people.

NYT: How are you managing that transition for employees?

Every Friday morning, we have this thing: It's a bad acronym, f-r-A-I-days. I don't know how to pronounce it. Those mornings, we let each team experiment on how to get more efficient to use A.I.
Yesterday there was also a new announcement from attorneys at Pomerantz LLP, which calls itself "the oldest law firm in the world dedicated to representing the rights of defrauded investors."

The firm announced it was investigating "whether Duolingo and certain of its officers and/or directors have engaged in securities fraud or other unlawful business practices."

Meta's Threads has surpassed 400 million monthly active users, adding 50 million in the last quarter and closing the gap with rival X in mobile daily usage. "As of a few weeks ago [there are] more than 400 million people active on Threads every month," said Instagram head Adam Mosseri. "It's been quite the ride over the last two years. This started as a zany idea to compete with Twitter, and has evolved into a meaningful platform that fosters the open exchange of perspectives. I'm grateful to all of you for making this place what it is today. There's so much work to do from our side, more to come." TechCrunch reports: X, meanwhile, has north of 600 million monthly active users, according to previous statements made by its former CEO, Linda Yaccarino. Recent data from market intelligence provider Similarweb showed that Threads is nearing X's daily app users on mobile devices. In June 2025, Threads' mobile app for iOS and Android saw 115.1 million daily active users, marking a 127.8% increase compared to the previous year. On the other hand, X reached 132 million daily active users, reflecting a 15.2% year-over-year decline.

However, Similarweb found that X's worldwide daily web visits are well ahead of Threads, as the [...] social network saw 145.8 million average daily web visits worldwide in June, while Threads had just 6.9 million.

Google has quietly admitted defeat in selling advertising for its smart TV platform, returning ad inventory to publishers and accepting a revenue share instead of controlling ad spots directly, according to The Verge. The policy reversal comes as Google spends hundreds of millions of dollars annually on Google TV without breaking even, while Amazon outspends the company on retail incentives that have already pushed Google TV sets out of Costco stores in favor of Fire TV models.

Amazon pays up to $50 per activated television to retailers and manufacturers, The Verge reported. Google TV has grown to 270 million monthly active devices worldwide since unifying Android TV and Chromecast under a single brand in 2020, but many devices operate in overseas markets that generate little revenue or run customized versions controlled by pay-TV operators. YouTube's success in the living room -- generating $9.8 billion in quarterly ad revenue and accounting for 12.5% of all US television viewing -- has reduced internal support for Google TV, with sales teams prioritizing the video platform and some YouTube executives arguing the smart TV budget should be redirected, the report adds.