IOS

Why So Many Apps Are Asking To Use Bluetooth on iOS 13 (theverge.com) 51

Apple's new iOS 13 update adds a new privacy measure that requires apps to get your consent in order to use your device's Bluetooth. From a report: After installing the latest version of iOS, trust me when I say you'll be surprised by the number of apps asking for Bluetooth permission the next time you open them. Some might seem very strange (like Dunkin' Donuts in my case), but others probably won't make you think twice about giving the thumbs-up. The reason Apple implemented this is because Bluetooth has enabled companies to sneakily track your location over Bluetooth by using beacons in stores, shopping malls, and even on popular city streets if they're placed within range of a place you'd walk by.

This is entirely separate from your iPhone's location privacy settings, which makes it seem all the more underhanded. A beacon is very easily able to detect your device's Bluetooth chip and log that with a retailer or some other app on your phone. So getting more strict about Bluetooth is a good move by Apple to prevent unwanted tracking of its customers. Similarly, the company is also getting even more transparent about location, showing you on a map how often and where apps have recorded your position. This prompt is much easier to understand, and will probably startle people into slimming down the list of apps that can monitor where they are. As it should!

Microsoft

Microsoft Brings Google Assistant Support To the Xbox One (theverge.com) 2

Microsoft is enabling Google's Assistant to work with its Xbox One console. From a report: Much like the existing Alexa integration, Microsoft is allowing Google Assistant to launch games and apps, turn the console on and off, pause videos, and much more. You'll need to use the Google Assistant app for iOS or Android or a device like Google's Home with Assistant on it to control an Xbox One. Google Assistant won't run on the Xbox One itself; instead, it will receive commands from other devices running Assistant.
Network

Cloudflare Relaunches Its Security-Focused Mobile VPN Warp (cloudflare.com) 19

tearmeapart writes (edited to add more details): Cloudflare is opening up its security and speed-focused mobile VPN service called WARP and WARP Plus to the general public. WARP is a mobile app for Android and Apple to establish a VPN to CloudFlare's huge global network. Cloudflare is promising:
1. No user-identifiable log data to disk;
2. No selling browsing data;
3. No need to provide any personal information
4. Regularly get audited.
This is the second time Cloudflare is launching Warp. The VPN builds on Cloudflare's existing mobile app 1.1.1.1, which encrypts domain name system connections. But Warp goes beyond this protection to encrypt the whole journey from your device to a web server and back -- even if the website itself still isn't offering HTTPS web encryption. And all of this happens quickly, without draining your battery, and without complicated setup. In an interview with Wired, Cloudflare CEO Matthew Prince said: Yeah, what we thought was going to be easy back in April turned out to be a lot harder than we expected. We had been testing this primarily in San Francisco and Austin and London, which is where the teams that were working on this are based. But as soon as users started to get anywhere that didn't have a fairly reliable internet connection, just all hell broke loose. The report adds: In describing the hurdles Cloudflare faced getting Warp off the ground, John Graham-Cumming, the company's chief technology officer, and Dane Knecht, its head of product strategy, note that many of the challenges came from dealing with interoperability issues between mobile device models, operating system versions, and different mobile network and Wi-Fi configurations around the world. For example, Warp is built on a newer secure communication protocol for VPNs known as WireGuard, which isn't ubiquitous yet and therefore isn't always natively supported by devices. The team also faced challenges dealing with web protocols and standards that are implemented inconsistently across different wireless carriers and internet service providers around the world. Cloudflare's 1.1.1.1 focuses on encrypting DNS connections specifically, but Warp aims to encompass everything in one protected tunnel. Keeping everything together as data traverses the labyrinth of servers that make up the internet, including Cloudflare's own massive network, was tough. 
Warp is free to use without any bandwidth caps or limitations. But Warp Plus, which is being offered through a monthly subscription fee, offers a "faster version of Warp that you can optionally pay for. The fee for Warp Plus varies by region and is designed to approximate what a McDonald's Big Mac would cost in the region. On iOS, the Warp Plus pricing as of the publication of this post is still being adjusted on a regional basis, but that should settle out in the next couple days. Warp Plus uses Cloudflare's virtual private backbone, known as Argo, to achieve higher speeds and ensure your connection is encrypted across the long haul of the Internet. We charge for it because it costs us more to provide," the company said in the blog post.
IOS

Apple Says a Bug May Grant 'Full Access' To Third-Party Keyboards By Mistake (techcrunch.com) 52

Apple is warning users of a bug in iOS 13 and iPadOS involving third-party keyboards. From a report: In a brief advisory posted Tuesday, the tech giant said the bug impacts third-party keyboards which have the ability to request "full access" permissions. iOS 13 was released last week. Both iOS 13.1 and iPadOS 13.1, the new software version for iPads, are out today. Third-party keyboards can either run as standalone, or with "full access" they can talk to other apps or get internet access for additional features, like spell check. But "full access" also allows the keyboard maker to capture to its servers keystroke data or anything you type -- like emails, messages or passwords. This bug, however, may allow third-party keyboards to gain full access permissions -- even if it was not approved.
Google

Challenging Facebook and Google, Apple's New OS Warns Users When Data Is Collected (forbes.com) 97

An anonymous reader quotes Forbes: Apple's updated operating system will now show you how often your location has been recorded and by which apps. It will do this proactively via a pop up, which shows a map of where you have been tracked, including the option to allow or limit it. Previously, many apps were able to track you in the background without your knowledge. They were able to collect vast amounts of data on you, which they could use to target you with advertising.

Along the same theme, another blow to apps such as Facebook and WhatsApp is a change in Apple's iOS 13 that will not allow messaging and calling apps to run in the background when the programs are not actively in use. Before, apps such as these were able to collect information on what you were doing on your device.

People are certainly becoming more aware of the way their data is used, following incidents such as the Cambridge Analytica scandal. In this context, many of the changes could be seen as a direct blow to Apple's rivals Google and Facebook: iOS 13 highlights their data collection practices and gives iPhone users the opportunity to stop them. In this way, it's an attack on Facebook and Google's business models. It's true: There are many apps that track you and collect data on you, and iOS 13 will affect all of these. But it is also worth considering the position that Apple holds in the market. When Apple speaks, people listen.

Forbes concludes that these features in iOS 13 "could encourage even the most apathetic Apple users to care more about their privacy."
IOS

iOS 13 Ships With Known Lockscreen Bypass Flaw That Exposes Contacts (arstechnica.com) 19

An anonymous reader quotes a report from Ars Technica: Apple released iOS 13 with a bunch of new features. But it also released the new OS with something else: a bug disclosed seven days ago that exposes contact details without requiring a passcode or biometric identification first. Independent researcher Jose Rodriguez published a video demonstration of the flaw exactly one week ago. It can be exploited by receiving a FaceTime call and then using the voiceover feature from Siri to access the contact list. From there, an unauthorized person could get names, phone numbers, email addresses, and any other information stored in the phone's contacts list. An Apple representative told Ars the bypass will be fixed in iOS 13.1, scheduled for release on Sept. 24.
IOS

Apple's iOS 13 Just Launched But iOS 13.1, iPadOS Arrive Next Week (cnet.com) 51

Apple's latest iPhone software, iOS 13, is now available -- but on Tuesday, you'll already be able to download the first update, iOS 13.1. And you'll be able to revitalize your iPad with Apple's software created for its tablets. From a report: Apple may be best known for its hardware, but it's really the seamless integration of its devices with its software that's set it apart from rivals. The company's ability to control every aspect of its products -- something that began when Steve Jobs and Steve Wozniak founded Apple in 1976 -- has been key in making Apple the most powerful company in tech. The company's mobile software, iOS, gets revamped every year and launches when its latest phones hit the market. Starting Tuesday, you'll also be able to download the first update to the software, as well as the new iPadOS software tailored for Apple's tablets. iOS 13 brings a dedicated dark mode, a new swipe keyboard and a revamped Photos app (complete with video editing tools). iOS 13.1 will bring bug fixes and will let you share your ETA with friends and family members through Apple Maps. Siri shortcuts can be added to automations, and you can set up triggers to run any shortcut automatically.
China

Programmers Complain that Huawei's Ark Compiler is 'Not Even Half-Finished' (abacusnews.com) 42

A scam. A publicity stunt. Premature. These are just a few of the things Chinese developers are saying about the release of Huawei's supposed secret weapon: The Ark Compiler. From a report: Developers are even claiming the program feels incomplete. The reception has been so bad that one programmer told Abacus that he wondered whether it was released just for publicity. "Maybe they're doing it to help in the PR and trade war, adding leverage against the US," said Max Zhou, co-founder of app-enhancement company MetaApp and former head of engineering at Mobike. The Ark Compiler is a key component of Huawei's new operating system, HarmonyOS. The tool is meant to allow developers to quickly port their Android apps to the new OS, ideally helping to quickly bridge the gap of app availability. It is also said to be able to improve the efficiency of Android apps, making them as smooth as apps on iOS. As of right now, though, developers say promises are too good to be true.
Cellphones

FCC Fails, Robocalls (and Complaints) Increase, Along with Number-Hijacking (forbes.com) 110

"Despite new initiatives by the Federal Communications Commission (FCC) and carriers, robocalls aren't on the wane," reports Forbes.

"Americans are still facing a scourge of 200 million unwanted robocalls a day, according to a report from Transaction Network Services (TNS), a major telecommunications network and services company. And nearly 30% of all U.S. calls were negative (nuisance, scam or fraud calls) in the first six months of the year, TNS said..." Nuisance calls jumped 38% from the third quarter of last year, while high-risk calls -- such as scammers targeting identity theft -- were up 28%, TNS said. And the FCC actually saw an 8% increase year-over year in consumer robocall complaints when comparing February-June 2019 to February-June 2018, as cited by TNS in the report. There is a limit to what major U.S. carriers can do. They are only a small part of the problem, TNS said. While 70% of all calls (normal calls and unwanted calls) come from major U.S. carriers, only 12% of the high-risk calls are from the big carriers. That means the problem lies with lesser-known providers...

A growing threat is robocall hijacking -- when a subscriber's number is hijacked by a bad guy -- doubling over last year's figure, TNS said. TNS estimates that 1 in 1,700 numbers were hijacked by spoofers in a 28-day period. In the last report the frequency was only 1 in 4,000. In one case of hijacking, a spoofer placed over 36,000 scam calls in a 3-day period according to the TNS report.

Another spoofing threat cited in the report is that of legitimate toll-free numbers of leading tech companies. Here, the scammer will claim there is something wrong with the victim's account at the company and try to get personal information.

You can stop getting robocalls with a "simple but very effective" solution, according to the article. Both Android and iOS phones have a "Do Not Disturb" option in Settings -- so just enable that for everyone except your own contacts.
IOS

iOS 13 Lock Screen Lets Anyone See Your Address Book (theregister.co.uk) 45

Slashdot reader dryriver writes: A security researcher discovered that if you get your hands on someone else's iThing running iOS 13, and place a phone call to it, you can choose to respond with a TXT message, and get to see the contents of the address book on the iThing without actually getting past the lock screen...

The security researcher who found the flaw was not financially rewarded or acknowledged by Apple, but rather given the cold shoulder.
The security researcher says all he'd wanted was a $1 Apple Store card to keep as a trophy, according to The Register: The procedure, demonstrated below in a video, involves receiving a call and opting to respond with a text message, and then changing the "to" field of the message, which can be accomplished via voice-over. The "to" field pulls up the owner's contacts list, thus giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone.
They also report that while the insecure-lock-screen iOS 13 will be officially released on September 19, a fixed version, iOS 13.1, "is due to land on September 30."
Transportation

The 'World's Safest' Bike Helmet Has A Built-in Airbag (metro.co.uk) 148

Hövding spent four years developing their next-generation bicycle helmet, the Metro reports: Easier to use, adjustable and enabled with Bluetooth technology, the helmet, according to Hövding's CEO Frederik Carling, is the world's safest. Donning advanced airbag tech and functions such as the ability to contact next-of-kin in the event of an accident, Frederik and the team spent years surveying people to make the kit as bespoke, safe and desirable as possible. Fredrik says: "Our surveys of cyclists in seven major European cities show that 70% would cycle more if they felt safer. We have focused on this and want to contribute to greater safety."

New features include the new patented airbag, along with an upgraded battery that can last for up to 15 hours. An iOS and Android compatible app allows the company to gather data relating to where urban cyclists experience the most accidents. The result? Data that can be used to argue for more cycling infrastructure and, of course, tech that saves more lives...

When the design-savvy headgear is activated, it registers movements 200 times a second and in the event of an accident, is inflated in 0.1 seconds to enclose the head and hold the cyclist's neck in place. 185,000 cyclists currently use it, with over 4,000 saying that it had made a significant difference during close calls.

In addition to all its safety features, Carling hopes that his helmet can be used to help the environment in the long run. "Cycling may be the answer to many of the challenges relating to the environment, congestion in cities and health, and we want to take cyclist protection to the next level," he says.

Programming

Google Unveils Code Completion Powered by Machine Learning in Dart SDK (zdnet.com) 20

Google's previewing something new in the SDK for their Dart programming language: machine learning-powered automatic code completion.

ZDNet reports: ML Complete works with the editor to offer developers completions as they type their code. It's also meant to help developers quickly explore lists of completions that are likely to be what they want next, rather than having to sort through options alphabetically. "With code completions, developers can both avoid misspellings and explore APIs by typing the beginning of expected symbols and choosing from the offered completions," explains Google project manager Michael Thomsen in his article, 'Announcing Dart 2.5: Supercharged development'.

Google's take on AI-powered code completion for Dart relies on a model trained on a large body of Dart code on GitHub. The model is powered by Google's TensorFlow Lite deep-learning framework and can predict what developers will type next as they're editing code.

ML Complete is built into the Dart analyzer, meaning the preview is available in "Dart-enabled editors" including Android Studio, IntelliJ, and VS Code.
Chrome

Google Chrome Now Lets You Send Webpages To Other Devices (theverge.com) 27

Google is starting to make its Chrome 77 browser update available to Windows, Mac, iOS, and Android this week. While there are many visual changes to Chrome this time, Google is introducing a new send webpage to devices feature. From a report: You can right-click on a link and a new context menu will appear that simply lets you send links to other devices where you use Chrome. If you're using Chrome on iOS you'll need to have the app open and a small prompt will appear to accept the sent tab. The feature has started showing up on Windows, Android, and iOS versions of Chrome, but it doesn't appear to be enabled in the macOS variant just yet. Chrome has long supported the ability to browse your open and recent tabs across multiple devices, but this send to device feature just makes things a little quicker if you're moving from browsing on a PC or laptop to a phone or vice versa.
Businesses

Apple Just Turned Its Extended Warranty For iPhone, iPad, and Apple Watch Into a Monthly Subscription (theverge.com) 70

An anonymous reader shares a report: Apple's extended warranty, AppleCare+, has always covered iOS and Apple Watch devices for a total of two years. But after its iPhone 11 event, the company quietly introduced a new option that basically turns AppleCare+ into a full-on monthly subscription, allowing consumers to continue paying beyond the regular coverage period and keep going for as long as Apple is able to service their product. The change was spotted by 9to5Mac. Apple had already offered monthly installments for AppleCare+, but that was only an alternative to paying a lump sum for the same two-year coverage total. And it seems Apple has now eliminated this payment option. With the new approach, Apple uses the pretty clear wording of "pay monthly until canceled." As 9to5Mac notes, you'd end up paying more through the monthly option for the standard 24 months of coverage than if you just opted to buy that length of time outright. The new subscription is really best for people who plan to hold on to their gadgets for several years.
Microsoft

Microsoft Redesigns To Do App To Make it Look More Like its Wunderlist Predecessor (zdnet.com) 11

An anonymous reader shares a report: When Microsoft bought 6Wunderkinder, the developer of Wunderlist, in 2015, officials said they planned to shut down that task-management app at some point and replace it with its own To Do app. That move still hasn't happened. But this week, Microsoft is rolling out a redesign of To Do that attempts to make it look more like Wunderlist. On September 9, Microsoft introduced the redesigned To Do, which has smaller headers and more colors. The app is more customizable now with a variety of backgrounds, "including the beloved Berlin TV tower that was a feature in Wunderlist." The app can sync across Mac, iOS, Android, Windows and the Web. And it integrates with Microsoft work or school email accounts; hosted email accounts like Outlook, Hotmail or Live; Microsoft Planner; and Microsoft Launcher on Android. Just so it happens, last week Wunderlist founder Christian Reber said that he'd like to buy Wunderlist back from Microsoft. Today he tweeted "GREAT timing," in regards to Microsoft's To Do makeover.
Google

On Apple's Response To Google's Project Zero 54

Last week, Apple published a statement in which it disputed Google's Project Zero team's findings about the worst iOS attack in history. Alex Stamos, adjunct professor at Stanford University's Center for International Security and Cooperation and former CSO at Facebook, writes on Twitter: Apple's response to the worst known iOS attack in history should be graded somewhere between "disappointing" and "disgusting". First off, disputing Google's correct use of "indiscriminate" when describing a watering hole attack smacks of "it's ok, it didn't hit white people." The use of multiple exploits against an oppressed minority in an authoritarian state makes the likely outcomes *worse* than the Huffington Post example a former Apple engineer posited. It is possible that this data contributed to real people being "reeducated" or even executed. Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.

Second, the word "China" is conspicuously absent, once again demonstrating the value the PRC gets from their leverage over the world's most valuable public company. To be fair, Google's post also didn't mention China. Their employees likely leaked attribution on background. Third, the pivot to Apple's arrogant marketing is not only tone-deaf but really rings hollow to the security community when Google did all the heavy lifting here. I'm guessing we won't hear Tim talk about how they are going to do better on stage next week. Dear Apple employees: I have worked for companies that took too long to publicly address their responsibilities. This is not a path you want to take. Apple does some incredible security work, but this kind of legal/comms driven response can undermine that work. Demand better.
Michael Tsai raises further questions about the way Apple framed its statement: "A blog," rather than "a blog post"? I love how Apple is subtly trying to discredit Project Zero by implying that it's a mere blog. And let's be sure everyone knows it's affiliated with Google, the privacy bad guys, even though it's a responsible, technically focused group. Apple says: "First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described."
Project Zero literally referred to "a small collection of hacked websites" that "receive thousands of visitors per week." And it does seem like a particular subpopulation was targeted "en masse." The sites in question were on the public Internet; it wasn't links being sent to target particular individuals. Apple is blaming the messenger for things it didn't even say.

Apple adds: "The attack affected fewer than a dozen websites that focus on content related to the Uighur community."
Oh, I get it. Most people would consider "fewer than a dozen" to be "a small collection." But in Apple-speak, there were "a small number" of corrupt App Store binaries causing crashes, and "a small number" of MacBook Pro users experiencing butterfly keyboard problems, not to be confused with the "very small number" of iPhones that unexpectedly shut down. So, yeah, I can see why Apple wants people to know that this "small collection" doesn't mean "millions." Although there are apparently 10 million Uighurs in China. Apple adds: "Google's post, issued six months after iOS patches were released[...]" It's great that Project Zero reported this in a responsible way, because now we can downplay it as old news.
Music

Apple Releases Public Beta of Apple Music For Web (betanews.com) 13

An anonymous reader shares a report: Apple Music doesn't work on traditional Linux distributions like Ubuntu or Fedora. It does, however, work on Windows, macOS, iOS, and Android. Chromebook users can take advantage of the Apple Music Android app from the Play Store. Traditional Linux users, however, are sadly left out of the party. This week, this changes, as Apple Music finally comes to the web -- in beta. This is something many other streaming music services, such as Spotify and Google, already offer. Better late than never, eh? This means traditional Linux users can finally enjoy Apple Music by simply visiting a website.
Google

Apple Disputes Google's Claims of a Devastating iPhone Hack (vice.com) 22

In a rare move, Apple has released a statement to comment on the attacks on iPhone users revealed by Google last week. From a report: Last week, Google dropped a bombshell in the form of a long, detailed analysis of five chains of iOS vulnerabilities discovered by its security teams. Google didn't say who was behind the attacks, nor who was targeted, but described the attack as "indiscriminate," and potentially hitting "thousands" of people. Apple disagrees. Friday, Apple published a brief press release that disputes some relatively minor details that Google released about the attacks. Namely, that the attacks lasted for a shorter amount of time and that they were less widespread than Google reported.

"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community." Apple wrote. "Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case. Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies," the statement continued.

IOS

Apple Change Causes Scramble Among Private Messaging App Makers (theinformation.com) 40

A change Apple is making to improve privacy in an upcoming version of its iPhone operating system has alarmed an unlikely group of software makers: developers of privacy-focused encrypted messaging apps. The Information (paywalled): They warn the change, which is already available in public test versions of iOS 13, could end up undermining the privacy goals that prompted it in the first place. The Information previously reported that the technical change Apple is making to its next operating systems, iOS 13, has sparked concern at Facebook, which believes it will have to make significant modifications to encrypted messaging apps like Facebook Messenger and WhatsApp to comply. But a much wider group of developers of encrypted messaging apps -- including Signal, Wickr, Threema and Wire -- is scrambling to overhaul their software so that key privacy features continue to work. Apple told The Information on Wednesday in a statement that it is working with the developers to resolve their concerns. "We've heard feedback on the API changes introduced in iOS 13 to further protect user privacy and are working closely with iOS developers to help them implement their feature requests," an Apple spokesperson said.
Google

Android Exploits Are Now Worth More Than iOS Exploits for the First Time (zdnet.com) 26

Zerodium, a company which claims it buys and then resells software exploits to government and law enforcement agencies, has updated its price list today, and Android exploits are worth more than iOS exploits for the first time ever. From a report: According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million. Zerodium's new price for Android exploits is almost twelve times more when compared to the maximum of $200,000 the company was willing to offer a year ago, and even 100 times more than Zerodium was paying for some of the lower-impact Android exploits. Zerodium has timed its announcement with Google's official release for Android 10, scheduled for later today. Further reading: Exploit Sellers Say There are More iPhone Hacks on the Market Than They've Ever Seen.
