Banana Pi has revealed a new board resembling the Raspberry Pi Computer Module 3. According to Tom's Hardware, it features a powerful eight-core processor, up to 8GB of RAM and 32GB eMMC. Additional features like ports will require you to connect it to a carrier board. From the report: At the core of the Banana Pi board is a Rockchip RK3588 SoC. This brings together four Arm Cortex-A76 cores at up to 2.6 GHz with four Cortex-A55 cores at 1.8 GHz in Arm's new DynamIQ configuration - essentially big.LITTLE in a single fully integrated cluster. It uses an 8nm process. The board is accompanied by an Arm Mali-G610 MP4 Odin GPU with support for OpenGLES 1.1, 2.0, and 3.2, OpenCL up to 2.2, and Vulkan1.2. There's a 2D graphics engine supporting resolutions up to 8K too, with four separate displays catered for (one of which can be 8K 30FPS), and up to 8GB of RAM, though the SoC supports up to 32GB. Built-in storage is catered for by up to 128GB of eMMC flash. It offers 8K 30fps video encoding in the H.265, VP9, AVS2 and (at 30fps) H.264 codecs.

That carrier board is a monster, with ports along every edge. It looks to be about four times the area of the compute board, though no official measurements have been given. You get three HDMIs (the GPU supports version 2.1), two gigabit Ethernet, two SATA, three USB Type-A (two 2.0 and one 3) one USB Type-C, micro SD, 3.5mm headphones, ribbon connectors, and what looks very like a PCIe 3.0 x4 micro slot. The PCIe slot seems to breakout horizontally, an awkward angle if you are intending to house the board in a case. Software options include Android and Linux.

A new finding suggests Samsung is throttling the performance of thousands of Android apps on Galaxy smartphones, including Google and Samsung's first-party apps. XDA Developers reports: Samsung has an app called Game Optimization Service that comes preinstalled on many Galaxy phones. Although the name suggests the app helps improve gaming performance, it's apparently being used to limit the performance of non-gaming apps. Users on the Korean tech forum Meeco have posted a list of affected apps that are subject to performance throttling. The list includes 10,000 popular apps, including Instagram, TikTok, Netflix, Microsoft Office, Google Keep, Spotify, Snapchat, YouTube Music, and more. Samsung's own apps such as Samsung Pay, Secure Folder, Bixby, and others are also on the list. Notably, there are no benchmark apps on this blacklist.

A video posted by Korean YouTuber shows how blacklisted apps are subject to inferior performance while benchmark apps are given a free hand. In his test, the YouTuber changed the package name of the 3DMark benchmark app to Genshin Impact, one of the apps on the blacklist. The unmodified version of 3D Mark scored 2618 points in the Wild Life Extreme test. When he ran the same test with the spoofed version, there was a significant drop in the score -- 1141 points. In other words, the spoofed version performed 56% worse than the unmodified version. It's not immediately clear if the Game Optimization Service app is installed on every Galaxy phone. Samsung is reportedly aware of the issue and conducting an internal investigation. "While Samsung hasn't clarified why it's throttling Android apps, it's likely in an attempt to improve battery life," notes XDA.

Well-known open source advocate and developer Miguel de Icaza, who joined Microsoft in 2016 when it acquired Xamarin, the mobile-tool company he cofounded, is leaving Microsoft. From a report: De Icaza -- a Microsoft distinguished engineer -- confirmed to me on March 2 that he has decided to leave and will be taking some time off before moving to a new job. Ever since de Icaza's colleague and former Xamarin CEO Nat Friedman left Microsoft in November 2021, there's been speculation that de Icaza also would leave Microsoft. Friedman was the CEO of Microsoft's GitHub division. Friedman said late last year he had decided to go back to his startup roots. De Icaza has been with Microsoft for just over six years. Most recently, he has been working on various AI projects with the ONNX team. ONNX, the Open Neural Network Exchange, is an evolving standard format for machine learning models that is being championed by Microsoft, Meta and Amazon. De Icaza worked with the team to get the ONNX runtime on Android and iOS to support mobile developers using Xamarin.

Microsoft's latest Windows 11 test build is another substantial one, adding two important features: payment information, and a new security feature called Smart App Control that will watch over new apps and games that you add to your PC. PCWorld reports: Microsoft released Windows 11 Insider Preview Build 22567 for the Dev Channel on Wednesday with other changes, tooâ"including a tweak to Windows Update, so that now you can configure your PC to turn on an update when renewable energy is at its most plentiful. (Remember, code that Microsoft tests within the Dev Channel may make its way to your PC eventually -- or not.)

Asking for credit-card information within Windows isn't that startling, as you've probably already entered payment information into the Microsoft ecosystem either for buying apps or movies on the Microsoft Store app or for making similar purchases via your Xbox. Still, those transactions are normally performed via your Microsoft Account web page, which manages all of that online and behind the scenes. (You can reach them via the Windows 11 Settings > Accounts > Your Microsoft account.) Microsoft considers the additional credit-card info as part of the subscription option it added last month. Now, if your subscription risks falling through because of an expired credit card, Microsoft will alert you. Conceptually, however, it implies that your PC is as much a tool to make purchases as it is to simply work and game.

Another interesting addition is what Microsoft calls Smart App Control, or SAC. Microsoft describes it as a "new security feature for Windows 11 that blocks untrusted or potentially dangerous applications." What those applications are, apparently, is up to Microsoft. And yes, there's always a concern that SAC would flag otherwise innocuous applications that it simply hasn't seen before. But Microsoft is gently easing SAC onto your PC. For one thing, you'll need to perform a clean install to enable it. For another, SAC won't immediately insert itself. Other tweaks and changes include the ability to have Windows update your PC when clean energy is more commonly available (via Microsoft's partners electricityMap or WattTime) and better integration between your Android phone and PC via Windows 11 OOBE (Out of the Box Experience).

Additionally, "Microsoft now offers wider availability of speech packs to improve transcription, the ability to choose a mic for dictation/ transcription, and the ability to mute your speakers by simply clicking the volume icon in the hardware indicator for volume," reports PCWorld.

MediaTek might have just beaten out Qualcomm to claim the biggest market share of any chipmaker for Android phones in the United States -- at least, according to one analyst group. The Verge reports: According to IDC's quarterly mobile phone sales tracker, as Q4 2021 MediaTek chips account for 48.1 percent of all Android phones in the United States, compared to 43.9 percent for Qualcomm, as spotted by PCMag. Those numbers are a stark inversion from the previous quarter, where MediaTek had a 41 percent market share to Qualcomm's 56 percent. IDC's report notes that MediaTek's surge was driven largely by sales of the Galaxy A12, Galaxy A32, and G Pure, which made up 51 percent of MediaTek devices sold in Q4 and 24 percent of the entire Android market in the US. There are conflicting reports, however. According to The Verge, "Counterpoint Research's own report puts the Q4 2021 split at 55 percent for Qualcomm, and 37 percent for MediaTek, so it's possible that Qualcomm is still holding on to its crown for now."

A year and a half later, Amazon's Luna cloud gaming service has formally launched in the U.S. for Android, iOS, Chrome OS, macOS and Windows. Engadget reports: The core Luna+ service with over 100 games will normally cost $10 per month, with the kid-friendly Family Channel and Ubisoft+ Channels available for a respective $6 and $18 per month. Amazon hopes to reel in newcomers by dropping the monthly fees of Luna+ and the Family channel to $6 and $3 for anyone who signs up during March. Existing users just have to maintain their subscriptions to lock in that pricing.

The official debut comes alongside some new channels. A Prime Gaming channel, as the name implies, gives Amazon Prime members a free, rotating mix of games. The March selection will include titles like Devil May Cry 5 and Flashback. Pay $5 per month for the Retro Channel and you'll get Capcom and SNK classics like Street Fighter II Hyper Fighting and Metal Slug 3, while a similar outlay for the Jackbox Games Channel provides access to all eight Jackbox Party Pack titles. Luna's latest update also makes it simpler to stream gameplay from a Fire TV device, Mac or Windows PC on Twitch.

Jolla, a Finnish startup that develops a mobile Linux-based alternative to Google's Android which has had some take-up by the Russian government in the past, is looking to restructure its business to jettison links to the Russian state. TechCrunch reports: We reached out to the startup earlier this week to ask if it was concerned about the impact of looming EU sanctions on Russia -- given how, since 2018, it has counted Russian telecom company, Rostelecom, as a strategic investor. "We have actually ramped down business and exports to Russia already in 2021," CEO and co-founder Sami Pienimaki told TechCrunch. "Thus, the potential tech sanctions would not impact Jolla's business anymore. In parallel, Jolla is growing in particular rapidly in the automotive sector, and it formed already significant part of our 2021 revenues. In regards the ownership, that is correct, and something we're looking to re-structure during this year," he also confirmed. Sailfish has been certified in Russia for government and corporate use since 2016.

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Threatpost reports: Researchers at Tel Aviv University found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones. What's more, cyber attackers could even exploit Samsung's cryptographic missteps -- since addressed in multiple CVEs -- to downgrade a device's security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.

The design flaws primarily affect devices that use ARM's TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions. TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated "serious flaws" in the way its phones encrypt key material in TrustZone, calling it "embarrassingly bad." "They used a single key and allowed IV re-use," Green said. "So they could have derived a different key-wrapping key for each key they protect," he continued. "But instead Samsung basically doesn't. Then they allow the app-layer code to pick encryption IVs." The design decision allows for "trivial decryption," he said.

Samsung responded to the academics' disclosure by issuing a patch for affected devices that addressed CVE-2021-25444: an IV reuse vulnerability in the Keymaster Trusted Application (TA) that runs in the TrustZone. Keymaster TA carries out cryptographic operations in the Secure world via hardware, including a cryptographic engine. The Keymaster TA uses blobs, which are keys "wrapped" (encrypted) via AES-GCM. The vulnerability allowed for decryption of custom key blobs. Then, in July 2021, the researchers revealed a downgrade attack -- one that lets attacker trigger IV reuse vulnerability with privileged process. Samsung issued another patch -- to address CVE-2021-25490 -- that remoged the legacy blob implementation from devices including Samsung's Galaxy S10, S20 and S21 phones.

An anonymous reader quotes a report from TechCrunch, written by security editor Zack Whittaker: Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term "stalkerware" for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person's phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner's knowledge. Many of these spyware apps are built for Android, since it's easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed. Last October, TechCrunch revealed a consumer-grade spyware security issue that's putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk. But in this case it's not just one spyware app exposing people's phone data. It's an entire fleet of Android spyware apps that share the same security vulnerability.

On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person's phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte. TechCrunch found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim's phone data in real time -- their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when TechCrunch analyzed the apps' network traffic, we found the apps all contact the same server infrastructure. But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.

The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It's similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability [...]. But shoddy coding didn't just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It's how we came to learn that data on some 400,000 devices -- though perhaps more -- have been compromised by the operation. Shoddy coding also led to the exposure of personal information about its affiliates who bring in new paying customers, information that they presumably expected to be private; even the operators themselves. After emailing 1Byte with details of the security vulnerability, the email address was shut down along with "at least two of the branded spyware apps," according to TechCrunch. "That leaves us here. Without a fix, or intervention from the web host, TechCrunch cannot disclose more about the security vulnerability -- even if it's the result of bad actors themselves -- because of the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised by this spyware."

In a separate report, security editor Zack Whittaker explains how one can remove common consumer-grade spyware.

There's won't be a big revival for BlackBerry phones anytime soon. OnwardMobility, the Austin-based startup that announced its plans to release a 5G BlackBerry device with a physical keyboard back in 2020, is shutting down. From a report: The company posted a notice of its closure on its website, making it clear that it won't be proceeding with the development of the smartphone. This comes a month after it responded to people asking about the status of the project with a blog post entitled "contrary to popular belief, we are not dead." While OnwardMobility didn't expound on the reason behind its closure, Android Police reported a few days ago that its license to use the BlackBerry name had been canceled. Apparently, BlackBerry wants to distance itself from its past as a smartphone manufacturer after it sold off its remaining mobile patents for $600 million in the beginning of February. OnwardMobility reportedly decided not to push through with the development of a new smartphone without the BlackBerry name, especially since it won't be easy entering the market with an ongoing global component shortage.

AndroidPolice reports: Google has confirmed to us that the Pixel 3 series has received its last update, marking the end of a three-year promise. But revisiting the 2018-era flagship, I still can't help but be disappointed that Google didn't try harder to keep it supported longer. Google may have met its marketing requirements, but as I've said before, it's hypocritical for a company committed to sustainability and customer security to leave old smartphones behind so quickly. Revisiting it for the last few days, the Pixel 3 is still a perfectly good phone that could have years of life left in it. And, according to everyone I've spoken to, there aren't any good technical reasons for it being left behind. Google just doesn't care.

Linux programmers fixed bugs faster than anyone — in an average of just 25 days (improving from 32 days in 2019 to just 15 in 2021). That's the conclusion of Google's "Project Zero" security research team, which studied the speed of bug-fixing from January 2019 to December 2021.

ZDNet reports that Linux's competition "didn't do nearly as well." For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days.

By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days.

Generally, everyone's getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.

As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.

Browsers problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple's web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit's programmers take an average of over 72 days to fix bugs.

The Washington Post reports: Google announced it will begin the process of getting rid of long-standing ad trackers on its Android operating system, upending how advertising and data-collection work on phones and tablets used by more than 2.5 billion people around the world.

Right now, Google assigns special IDs to each Android device, allowing advertisers to build profiles of what people do on their phones and serve them highly targeted ads. Google will begin testing alternatives to those IDs this year and eventually remove them completely, the company said in a Wednesday blog post. Google said the changes will improve privacy for Android users, limiting the massive amounts of data that app developers collect from people using the platform.

But the move also could give Google even more power over digital advertising, and is likely to deepen concerns regulators have already expressed about the company's competitive practices... It made $61 billion in advertising revenue in the fourth quarter of 2021 alone....

The announcement comes over a year after Apple began blocking trackers on its own operating system, which runs on its iPhones, giving customers more tools to limit the data they share with app developers.... Google contrasted its plan with Apple's, saying it would make the changes over the next two years, working closely with app developers and the advertising industry to craft new ways of targeting ads and measuring their effectiveness before making any drastic changes.

"We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers," said Anthony Chavez, vice president of product management for Android security and privacy, in the blog post. "We believe that without first providing a privacy-preserving alternative path such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses."
The Post also includes this quote from the chief security office of Mozilla (which began restricting ad tracking in Firefox several years ago). "Google's two year plan is too long. People deserve better privacy now."

An anonymous reader quotes a report from CNET: The delayed 5G BlackBerry phone is dead, OnwardMobility has confirmed on its website. "It is with great sadness that we announce that OnwardMobility will be shutting down, and we will no longer be proceeding with the development of an ultra-secure smartphone with a physical keyboard," OnwardMobility said in a message posted Friday, as spotted earlier by CrackBerry. "Please know that this was not a decision that we made lightly or in haste. We share your disappointment in this news and assure you this is not the outcome we worked and hoped for." Android Police and CrackBerry originally reported the phone had been cancelled on Feb. 11, saying OnwardMobility, a Texas-based startup seeking to revitalize the iconic brand through an Android-based, next-gen Wi-Fi device, lost the license from BlackBerry Ltd. to use the BlackBerry brand name. OnwardMobility did not expand on why it is shutting down and cancelling production of the phone. The news comes after BlackBerry ended service for its legacy devices in early January. "Before OnwardMobility picked up the license, Chinese manufacturer TCL was the most recent maker of BlackBerry-branded phones," adds CNET.

Most recently, the company sold its prized patent portfolio to "Catapult IP Innovations Inc." for $600 million.

Microsoft last month received a US patent covering modifications to a data-encoding technique called rANS, one of several variants in the Asymmetric Numeral System (ANS) family that support data compression schemes used by leading technology companies and open source projects. The Register reports: The creator of ANS, Jaroslaw Duda, assistant professor at Institute of Computer Science at Jagiellonian University in Poland, has been trying for years to keep ANS patent-free and available for public use. Back in 2018, Duda's lobbying helped convince Google to abandon its ANS-related patent claim in the US and Europe. And he raised the alarm last year when he learned Microsoft had applied for an rANS (range asymmetric number system) patent.

Now that Microsoft's patent application has been granted, he fears the utility of ANS will be diminished, as software developers try to steer clear of a potential infringement claim. "I don't know what to do with it -- [Microsoft's patent] looks like just the description of the standard algorithm," he told The Register in an email. The algorithm is used in JPEG XL and CRAM, as well as open source projects run by Facebook (Meta), Nvidia, and others. "This rANS variant is [for example] used in JPEG XL, which is practically finished (frozen bitstream) and [is] gaining support," Duda told The Register last year. "It provides ~3x better compression than JPEG at similar computational cost, compatibility with JPEG, progressive decoding, missing features like HDR, alpha, lossless, animations. "There is a large team, mostly from Google, behind it. After nearly 30 years, it should finally replace the 1992 JPEG for photos and images, starting with Chrome, Android."

The Food and Drug Administration cleared a smartphone app from Tandem Diabetes Care to program insulin delivery for its t:slim X2 insulin pump, the company announced Wednesday. The Verge reports: It's the first phone app for both iOS and Android to able to deliver insulin, the company said in a statement. Previously, delivery had to be handled through the pump itself. With this update, pump users will be able to program or cancel bolus doses of insulin, which are taken at mealtimes and are crucial in keeping blood glucose levels under control. "Giving a meal bolus is now the most common reason a person interacts with their pump, and the ability to do so using a smartphone app offers a convenient and discrete solution," John Sheridan, president and CEO of Tandem Diabetes Care, said in a statement. [...] Tandem said in the statement that it will launch the new bolus delivery update for select users this spring ahead of a wider launch this summer.

An anonymous reader quotes a report from Ars Technica: Now that Windows 11's first major post-release update has been issued, Microsoft has started testing a huge collection of new features, UI changes, and redesigned apps in the latest Windows Insider preview for Dev channel users. By and large, the changes are significant and useful -- there's an overhauled Task Manager, folders for pinned apps in the Start menu, the renewed ability to drag items into the Taskbar (as you could in Windows 10), improvements to the Do Not Disturb and Focus modes, new touchscreen gestures, and a long list of other fixes and enhancements.

But tucked away toward the bottom of the changelog is one unwelcome addition: like the Home edition of Windows 11, the Pro version will now require an Internet connection and a Microsoft account during setup. In the current version of Windows 11, you could still create a local user account during setup by not connecting your PC to the Internet -- something that also worked in the Home version of Windows 10 but was removed in 11. That workaround will no longer be available in either edition going forward, barring a change in Microsoft's plans. While most devices do require a sign-in to fully enable app stores, cloud storage, and cross-device sharing and syncing, Windows 11 will soon stand alone as the only major consumer OS that requires account sign-in to enable even basic functionality.

Google said on Wednesday that it was working on privacy measures meant to limit the sharing of data on smartphones running its Android software. But the company promised those changes would not be as disruptive as a similar move by Apple last year. From a report: Apple's changes to its iOS software on iPhones asked users for permission before allowing advertisers to track them. Apple's permission controls -- and, ultimately, the decision by users to block tracking -- have had a profound impact on internet companies that built businesses on so-called targeted advertising. Google did not provide an exact timeline for its changes, but said it would support existing technologies for at least two more years.

This month, Meta, the company founded as Facebook, said Apple's privacy changes would cost it $10 billion this year in lost advertising revenue. The revelation weighed on Meta's stock price and led to concerns about other companies reliant on digital advertising. Anthony Chavez, a vice president at Google's Android division, said in an interview before the announcement that it was too early to gauge the potential impact from Google's changes, which are meant to limit the sharing of data across apps and with third parties. But he emphasized that the company's goal was to find a more private option for users while also allowing developers to continue to make advertising revenue.

An anonymous reader quotes a report from Ars Technica: Here's a fun new feature of Android 13: working virtualization support. Google is building virtualization into Android for its own reasons, but Android developer kdrag0n has commandeered the feature to boot ARM Windows 11 and desktop Linux. The developer even got the Windows version of Doom running, all inside a VM on the Pixel 6. kdrag0n says that Android 13 has "full KVM functionality" at "near-native performance." You need root to enable the functionality, which doesn't support GPU acceleration. The functionality also doesn't support nested virtualization, so while you can now run Android on Windows and Windows on Android, making an infinitely nested OS turducken is out of the question.

This makes for a neat demo that's not at all what Google wants to do with Android's upcoming VM support. Esper's Mishaal Rahman has been meticulously tracking Android's virtualization progress for some time now, and the apparent plan is to someday (maybe in Android 13) use virtual machines as a security and privacy sandbox for various features. Imagine instead of processing sensitive data at the normal app permission level, the data could be processed in a separate OS, so any attackers would have to break through the app security model, then Android, then the hypervisor, then this other, private OS.

Google has announced a new version of Chrome OS called Chrome OS Flex, which is designed to run on old PCs and Macs. The Verge reports: The operating system can be installed "within minutes," according to Google's blog post. Google told me that Chrome OS Flex will look and feel identical to Chrome OS on a Chromebook -- it's built from the same code base and follows the same "release cadence." It did caveat that some features may be dependent on the hardware of the PC you're using. In fact, it said this for every specific feature I asked about, including always-on Google Assistant and Android phone syncing. So, if you're going to try this, keep an eye out.

If you want to try out Chrome OS Flex yourself, you can learn more on the Chrome Enterprise website. Note that the OS is still in early access mode, so you may encounter bugs -- you can boot it directly from a USB drive if you'd rather poke around before installing it on your machine.