Category: 4. Technology

Android’s big UI overhaul, Material 3 Expressive, was announced earlier this year and is preinstalled on the new Pixel 10 series of smartphones. Now it’s time for older Pixel devices to get the makeover treatment, thanks to the September Pixel Drop. 

Material 3 Expressive is now coming to Pixel 6 devices and up, including the Pixel tablet. Google’s focus with the UI overhaul aims to make Android more personalized, colorful, and livelier overall. It’s easier to identify actions you want to take within apps and the splash of color throughout gives the OS a somewhat youthful and fresh feel to it. 

While some Android phones receive only major version releases and security updates, Pixel owners not only typically get these updates sooner but are also treated to “Pixel Drop” updates. These updates are quarterly and can take the form of a system update, Google app updates with new features or both. The update also includes the latest security updates for supported Pixel devices, which patch the latest identified vulnerabilities. 

While the big news from this update is the addition of Material 3 Expressive, a handful of other features have also been added in the latest drop:

• Google’s keyboard, Gboard, is getting new AI writing tools that will fix grammatical errors and change the tone of your messages faster with a new Writing Tools button that will appear in the keyboard’s suggestion bar.  
• Emoji Kitchen, Google’s emoji remixer, is now better than ever. You can now browse the entire library of stickers and favorite them for quicker access. 
• Now you can share audio with someone directly or create a private broadcast that others can join just by scanning a QR code.
• The Android Quick Share menu has been revamped so you can toggle between sending files and files you’ve received, creating a more fluid experience. 

New for Pixel Buds Pro 2

Coming later this month, the Pixel Buds Pro 2 will also see an update that will give it a few new and welcomed features, too. Here’s what’s on the way:

• Adaptive Audio will automatically adjust to your environment to stay aware of your surroundings. 
• Loud Noise Protection will give your ears some added protection from, well, loud noises. 
• Have an uninterrupted experience with Gemini when your environment is particularly noisy, like when your TV is on or people are talking around you. 
• You’ll soon be able to accept calls or dismiss replying to texts by nodding or shaking your head.

For more, don’t miss our hands-on with Samsung’s latest Galaxy Tab S11 tablets.

SAVE $630.01: The Jackery Explorer 2000 v2 portable power station with 102W fast charger is on sale for $968.99 at Amazon, down from the normal price of $1,599. That’s a 39% discount and an all-time low price for this bundle.

---

In some parts of the country, the sun is still blazing, and there’s still a desire to bring a personal fan everywhere you go. But eventually, fall will arrive, and with it will come epic rain and windstorms. These storms are notorious for knocking down tree branches, which often spells a power outage. Years ago, we all just accepted living with no power and relied on a power bank to keep our phones going. Portable power stations, however, have changed this fate forever. If you don’t yet own one, check out this deal.

As of Sept. 4, the Jackery Explorer 2000 v2 portable power station with a 102W fast charger is on sale at Amazon for $968.99. That’s marked down from the normal price of $1,599, which works out to a 39% discount. In total, you’ll be saving $630.01. Today’s sale price is also a new record low for this bundle at Amazon.

The Jackery Explorer 2000 v2 comes with a massive 2042Wh of battery life thanks to a long-lasting LiFePo4 battery. That gives you tons of power to recharge devices come an inevitable power outage. The Jackery Explorer 2000 v2 will keep your phones charged, allow you to use a CPAP machine for sleeping, or use the hairdryer come morning.

You can also use it to keep lights on, so no one trips on the way to the bathroom at midnight. It’s also powerful enough to use with a microwave or your refrigerator. Jackery says this model can keep your refrigerator cooling for up to 72 hours during an outage.

Mashable Deals

Another major benefit of the Explorer 2000 v2 is its weight of just under 40 pounds. Many portable power stations that pack in 2000Wh are pretty hefty, so this model’s weight is a nice surprise. For comparison, the DJI Power 2000 weighs almost 50 pounds.

This bundle deal also includes a 102W fast charger, so you can recharge the Explorer 2000 v2 quickly. Before the storms hit, snag this Jackery Explorer 2000 v2 deal from Amazon and be prepared for any power outages. In doing so, you’ll be saving over $630.

Cloudflare on Thursday acknowledged this failure, writing:

We failed three times. The first time because 1.1.1.1 is an IP certificate and our system failed to alert on these. The second time because even if we were to receive certificate issuance alerts, as any of our customers can, we did not implement sufficient filtering. With the sheer number of names and issuances we manage it has not been possible for us to keep up with manual reviews. Finally, because of this noisy monitoring, we did not enable alerting for all of our domains. We are addressing all three shortcomings.

Ultimately, the fault lies with Fina; however, given the fragility of the TLS PKI, it’s incumbent on all stakeholders to ensure system requirements are being met.

And what about Microsoft? Is it at fault, too?

There’s some controversy on this point, as I quickly learned on Wednesday from social media and Ars reader comments. Critics of Microsoft’s handling of this case say that, among other things, its responsibility for ensuring the security of its Root Certificate Program includes checking the transparency logs. Had it done so, critics said, the company would have found that Fina had never issued certificates for 1.1.1.1 and looked further into the matter.

Additionally, at least some of the certificates had non-compliant encoding, and listed domain names with non-existent top-level domains. This certificate, for example, lists ssltest5 as its common name.

Instead, like the rest of the world, Microsoft learned of the certificates from an online discussion forum.

Some TLS experts I spoke to said it’s not within the scope of a root program to do continuous monitoring for these types of problems.

In any event, Microsoft said it’s in the process of making all certificates part of a disallow list.

Microsoft has also faced long-standing criticism that it’s too lenient in the requirements it imposes on CAs included in its Root Certificate Program. In fact, Microsoft and one other entity, the EU Trust Service, are the only ones that, by default, trust Fina. Google, Apple, and Mozilla don’t.

“The story here is less the 1.1.1.1 certificate and more why Microsoft trusts this carelessly operated CA,” Filippo Valsorda, a Web/PKI expert, said in an interview.

I asked Microsoft about all of this and have yet to receive a response.

 

Limited to just 30 units, the track-only GT2 Edition W16 blends Formula 1® technology with GT racing DNA.

The Mercedes-AMG Motorsport portfolio is expanding to include a new, highly attractive model: the Mercedes-AMG GT2 Edition W16, a limited-production track car delivering up to 818 HP–the most powerful customer racing car ever built by the brand.

Inspired by the Mercedes-AMG F1 W16 E PERFORMANCE, the model features a Push2Pass system, drag reduction system (DRS), lightweight magnesium wheels and a hand-painted livery accented in PETRONAS green. Only 30 units will be built, each signed by F1 driver Kimi Antonelli. Deliveries will take place at a European race track, where owners will also enjoy a meet-and-greet with the Mercedes-AMG PETRONAS F1 Team. Designed exclusively for track use, the GT2 Edition W16 is positioned as both a performance benchmark and an exclusive ownership experience.

Read more information, including technical specs, on the Mercedes-Benz USA website.

MOTU’s new 848 audio interface offers Thunderbolt 4 / USB4 connectivity and AVB networking.

Cambridge, MA (September 4, 2025)—Offering both Thunderbolt 4 and USB4 connectivity, MOTU’s new 848 is a 1U rack-mounted audio interface capable of tackling 60 total channels of I/O, 64-channel mixing with effects, and 128 channels of AVB network input and output.

The 28×32 848 connects to a Mac, PC or iPad with 40 Gbps Thunderbolt 4 or USB4, USB3, and USB2, due to ESS Sabre32 Ultra DAC technology inside.

Using typical drivers to interface with audio apps, the 848 is said to deliver roundtrip latency (RTL) lower than 1.9 ms at 96 kHz with a 32 sample host buffer. A second Thunderbolt port connects additional computer peripherals, such as a second monitor, hard drive, USB hub or Thunderbolt dock.

The front panel sports a 3.9-inch full-color TFT display that shows custom meter configurations. Two headphone outputs provide independent volume control and fully-programmable source selection, including analog or digital inputs or outputs, mixer buses (with built-in reverb), host audio channels, or network channels. Individual controls for preamp gain (+74 dB), -20 dB pad, and 48V phantom power are provided for the unit’s four rear-panel mic inputs. Phase invert is also provided via included software, and all preamp settings can be controlled remotely from a computer or iOS device. Control room features include talkback with front panel “Talk” button and “A/B/C” monitor select, Mute, and (sum to) Mono buttons for the designated monitor outputs.

MOTU 16A Audio Interface — A Mix Product of the Week

The 848 rear panel provides 12 balanced TRS analog (line-level) outputs suitable for Dolby Atmos Monitoring configurations up to 7.1.4. The 848 features an integrated AVB switch with two Gigabit Ethernet ports, allowing users to daisy-chain as many as eight 848 and/or 16A units using standard network cabling. 32-bit floating point DSP delivers 64-channel mixing from any sources: the physical inputs on the 848 interface itself, audio channels from host software, audio network streams, or mixer outputs.

Accessed in the included CueMix Pro app for macOS, Windows and iOS, the mixer provides 26 aux busses, plus main, reverb, monitor, and solo buses. All mixer inputs and output buses provide 4-band parametric EQ and a compressor at all sample rates up to 96 kHz.

Discover more great stories—get a free Mix SmartBrief subscription!

The 848 also ships with MOTU Performer Lite workstation software for macOS and Windows, and 6GB of loops and sounds from Big Fish Audio, LucidSamples, Loopmasters and MOTU.

AI models get slammed for producing sloppy bug reports and burdening open source maintainers with hallucinated issues, but they also have the potential to transform application security through automation.

Computer scientists affiliated with Nanjing University in China and The University of Sydney in Australia say that they’ve developed an AI vulnerability identification system that emulates the way human bug hunters ferret out flaws.

Ziyue Wang (Nanjing) and Liyi Zhou (Sydney) have expanded upon prior work dubbed A1, an AI agent that can develop exploits for cryptocurrency smart contracts, with A2, an AI agent capable of vulnerability discovery and validation in Android apps.

They describe A2 in a preprint paper titled “Agentic Discovery and Validation of Android App Vulnerabilities.”

The authors claim that the A2 system achieves 78.3 percent coverage on the Ghera benchmark, surpassing static analyzers like APKHunt (30.0 percent). And they say that, when they used A2 on 169 production APKs, they found “104 true-positive zero-day vulnerabilities,” 57 of which were self-validated via automatically generated proof-of-concept (PoC) exploits.

One of these included a medium-severity flaw in an Android app with over 10 million installs.

“We discovered an intent redirect issue,” said Liyi Zhou, a lecturer in computer science at The University of Sydney, in an email to The Register. “This is not a trivial bug, and it shows A2’s ability to uncover real, impactful flaws in the wild.”

An intent redirect, he explained, happens when an Android app sends an intent – a message used to request an action, like opening a screen or passing data – but fails to check carefully where it is going. The vulnerability allows a malicious app to change that intent to a component it controls.

Zhou contends there’s no class of vulnerabilities that A2 cannot handle.

A2’s value as a source of signal rather than noise follows from its ability to validate its findings. As the authors observe, “Existing Android vulnerability detection tools overwhelm teams with thousands of low-signal warnings yet uncover few true positives.”

There are a lot of potential vulnerabilities in code, but few of them can be exploited easily. And the problem of false positives is compounded by error-prone AI coding tools that report inconsequential issues.

“A2’s breakthrough is that it mirrors how human security experts actually work,” said Zhou.

The agentic system consists of various commercial AI models – OpenAI o3 (o3 2025-04-16), Gemini 2.5 Pro (gemini-2.5-pro), Gemini 2.5 Flash (gemini-2.5-flash), and GPT oss (gpt-oss-120b) – deployed in three roles: the planner that designs the attack, the task executor that carries out the attack, and the task validator that generates test oracles – systems that make decisions – and verifies the results.

The researchers’ A1 system only did planning and execution, said Zhou. Its validation is limited to a fixed oracle that decides whether the attack would make money or not.

“The key novelty in A2 is its validator,” said Zhou.

As an example, he describes this setup, based on a task from the Ghera dataset. An app has a password reset flow. It stores the AES key as a plain string in strings.xml. With that key, the app creates a token from the email. Knowing the key lets an attacker forge tokens for any email.

A2, Zhou explained, breaks this into three tasks:

Task 1: Extract the hardcoded key

1. Planner: set the task to find the key in res/values/strings.xml.
2. Executor: read the file and extract the key.
3. Validator: (i) Check that the file exists. (ii) Check the key value matches.

Both pass, so the key is confirmed.

Task 2: Forge a password reset token

1. Input a victim email, e.g., example@example.com.
2. Encrypt it with AES-ECB using the key.
3. Base64 encode the ciphertext to form the token.
4. Validator recomputes the token independently and compares outputs.

They match, so the token is confirmed.

Task 3: Prove authentication bypass

1. Launch NewPasswordActivity with the forged token.
2. App decrypts the token and displays the bound email.
3. Validator: (i) Confirm the activity is NewPasswordActivity. (ii) Confirm the email appears on screen.

Both checks pass, proving the forged token bypasses authentication.

“In short: Task 1 shows the key exists; Task 2 shows the key mints a valid token; Task 3 shows the token bypasses authentication,” said Zhou. “All three steps are concretely validated.”

Zhou argues that AI is already outpacing traditional tools.

“In Android, our A2 system beats existing static analysis, and in smart contracts, A1 is close to state of the art,” he said. “Tools are still useful, but they are slow and hard to build. AI is fast and accessible — we just call APIs, while the AI companies pour billions into training. We are standing on their shoulders.”

The AI capex looks like a windfall for those pursuing bug bounties.

“Detection-only costs range from $0.003-0.029 per APK (o3), $0.0004-0.001 per APK (gpt-oss-120b), to $0.002-0.014 per APK (Gemini variants),” the paper says. “Aggregation increases costs to $0.04-0.33 per APK for gpt-oss-120b, $0.06-0.66 per APK for gemini-2.5-flash, $0.26-0.61 per APK for gemini-2.5-pro, and $0.84-3.35 per APK for o3.”

The full validation pipeline with a mixed set of LLMs costs between $0.59-4.23 per vulnerability, with a median cost of $1.77. When using gemini-2.5-pro for everything, costs range from $4.81-26.85 per vulnerability, with a median cost of $8.94.

Last year, University of Illinois Urbana-Champaign computer scientists showed that OpenAI’s GPT-4 can generate exploits from security advisories at a cost of about $8.80 per exploit.

To the extent that found flaws can be monetized through bug bounty programs, the AI arbitrage opportunity looks promising for those who can make accurate reports, given that a medium severity award might be several hundred or several thousand dollars.

But Zhou observes that bug bounty programs have limited scope. “A cat-and-mouse game is inevitable,” he said. “A2 can uncover serious flaws today, but bug bounty programs only cover a fraction of them. That gap creates a strong incentive for attackers to exploit these bugs directly. How this plays out depends on how quickly defenders move.

“The field is about to explode. The success of A1 and A2 means researchers and hackers alike will rush in. Expect a surge of activity — both in defensive research and in offensive exploitation.”

Asked what a system like A2 might mean for security research, Adam Boynton, senior security strategy manager at Jamf, told The Register, “AI is moving vulnerability discovery from endless scan alerts to proof-based validation. Security teams get fewer false positives, faster fixes, and focus on real risks.”

A2 source code and artifacts have been limited to those with institutional affiliation and a declared research purpose in an effort to balance open research with responsible disclosure. ®

SAVE $26.50: As of Sept. 4, get the Anker Soundcore V20i open-ear headphones for just $23.49, that’s 53% off.

Open-ear headphones are our preferred style of headphones for working out outdoors. They’re designed to offer noise-transparency so you can stay aware of your surroundings, whether that be car horns, ambulance sirens, or a conversation with a running buddy. And right now, you can find a pair for truly cheap.

As of Sept. 4, get the Soundcore V20i Open-Ear Headphones for just $23.49. That saves you $26.50 off their $49.99 list price. Plus, according to CamelCamelCamel, they’re the cheapest they’ve ever been at 53% off.

Each brand takes a different approach to open-ear headphones, and with Soundcore, they have adjustable hooks to snugly fit around your ears. Their 16mm drivers keep the music bumping while you run, while still allowing situational awareness. Four microphones are included in the headphones so that you can take calls on the go, too. Plus, for a little extra flair, the headphones even have customizable lights.

Mashable Deals

Shop the Anker Soundcore V20i Open-Ear Headphones now for just $23.49 at Amazon.

SAVE $30: As of Sept. 4, the Fitbit Charge 6 is on sale for $129.95 at Amazon. That’s a 19% saving on the list price.

---

The Fitbit Charge 6 is back on sale at Amazon, and for what you get with this popular fitness tracker, it’s a great deal.

As of Sept. 4, the Fitbit Charge 6 is on sale at Amazon for $129.95, saving you $30 on list price. And with this deal, you also get a free six-month Fitbit Premium membership. This gives you access to even more in-depth stats as well as a range of workouts and exercise routines. This price is specific to the red band color, but for $5 more, you can get the black or white bands.

For a small device, it’s got a lot going for it. It has built-in GPS so you can head out for a run, bike ride, or walk without taking your phone with you, and pace, distance, and route tracking using satellite data, so you get a clear map of where you’ve been. It does all the basics too, like logging your steps, calories burned, and Active Zone Minutes, a clever Fitbit stat that tracks how much time you spend in elevated heart rate zones.

It uses Fitbit’s PurePulse 2.0 sensor for advanced heart rate monitoring, so you’ve got 24/7 heart rate tracking. This also means you get data on your resting heart rate, heart rate zones during workouts, and even alerts if your heart rate goes unusually high or low.

Mashable Deals

We should note that if you’re looking for a watch specifically for running, the Charge 6 is lacking an altimeter, a tool used to measure elevation climbed more accurately. If this is a deal breaker, we recommend checking out the Fitbit Versa 4 instead.

Get this Fitbit deal from Amazon.

The news: PayPal and Venmo users can receive early access to Perplexity’s new browser, Comet, with a free 12-month trial of Perplexity Pro. 

For a limited time, US customers can get $50 back if they link and pay for three subscriptions in the hub

How we got here: PayPal and Venmo partnered with Perplexity this summer to power “conversational commerce” shopping within Perplexity’s AI chat interface. 

With Comet, PayPal stands to pick up significant payment volume—the browser specializes in hyperpersonalized ads.

Mutual advantages: As the designated payment platform for Perplexity, PayPal is trying to gain an early mover advantage in agentic commerce. 

Perplexity, meanwhile, is trying to tap PayPal and Venmo’s combined 170.1 million US users, per our forecast, to chip away at Chrome’s browser dominance: Chrome controls 67.1% of all internet browser traffic, per StatCounter. 

Perplexity made a $34.5 billion bid to buy Chrome this August amid Google’s antitrust battle. While the recent ruling was a better case scenario for Google—no break up, only oversight—Perplexity’s name still wiggled its way into the mainstream as a potential competitor to Chrome. 

Our take: Big Tech is betting that agentic commerce is the future of shopping, but consumers aren’t on board yet: Nearly 70% of US adults are not interested in AI-powered shopping assistants, per a September 2024 EMARKETER and CivicScience survey. 

While jostling for future positioning in the market, PayPal, Venmo, and Perplexity need to convince consumers that agentic commerce is a desirable payment option, lest they repeat a metaverse investment flop.

You will soon be able to edit videos on the go with one of the most popular editing tools — for free.

Adobe announced Thursday that it would be rolling out Adobe Premiere app for iPhone users. Premiere is one of the top editing tools used by creators, especially those who need to edit on the go, and having the ability to do so could prove extremely useful.

Wrote Adobe in a blog post:

Mashable Light Speed

“That’s why we’re bringing Adobe Premiere to mobile: the trusted editor of your favorite YouTubers, filmmakers, music video editors, and more — now reimagined as a fast, free, and intuitive app that puts pro-level creative control in your hands, without the pro-level complexity.”

The app promises to make things easier for editors who might not be sitting at a desktop. It will allow users to record AI-assisted audio, save work for later desktop editing, and export directly to platforms like TikTok, YouTube Shorts, or Instagram. You’ll also be able to use Firefly, Adobe’s generative AI tool.

Adobe pitched the new app as an upgraded, pro-level editor, compared to its current offering, Premiere Rush. Adobe said the new Premiere iPhone app would launch later this month, and the listing on the App Store notes it’s expected Sept. 30.