88 critical bugs found in Android - HotHardware

If you're using applications on your Android phone to store or transmit sensitive data (like your bank account), you might want to rethink that. A recent analysis of Android as implemented in HTC's Droid Incredible discovered 359 bugs of which 88 are considered critical. These include memory corruption, resource and memory leaks, and uninitialized variables.

The analysis was conducted by Coverity, a company that makes software quality assurance products. Android was the general subject for the Coverity Scan 2010 Open Source Integrity Report but researchers looked specifically at the HTC Droid Incredible because there's no such thing as a pure Android kernel. Each OEM may start with the same Android package, but then they customize. Coverity's Andy Chou writes in his blog, "Why the Incredible? Well, one of our sales engineers has one and he wanted to know what bugs are in it. Turns out, there are quite a few."

HTC Droid Incredible

But the team also tried to zero in on bugs that are most likely to be common to all Android devices. They determined that with the Incredible, "the Android-specific portions of the kernel (which is largely derived from Linux) have a higher defect density (0.78 defects / 1000 loc) than the rest of the kernel (0.47)."

While we were appalled to hear about so many bugs in the Incredible, it turns out that 0.47 bugs/1000 lines-of-code is considered a not-bad result. Coverity says that the industry average is 1 bug per 1000 loc. On the other hand, by that logic the iPhone is practically impenetrable. Coverity notes that when Apple released its latest iPhone operating system in September, iOS 4.1, it was found to have a mere 24 security holes, and nearly all of them (80%) came from WebKit, "an open source web browser engine also seen on Android OS and Chrome," Andy Chou writes.

Given the dozens to hundreds of flaws in mobile operating systems, it's not surprising that wares that promise to secure smartphones have begun to emerge. Is it wise for one of them to throw down the gauntlet at hackers? Mobile security software maker Blackbelt this week issued just such a challenge. It wants all to try and crack its new Android Antitheft software. Antitheft lets users locate, wipe or lock their mobile phones in the event said phone turns up missing.

Blackbelt is confident to the point of cocky that no one will best it. "To win you must break into one of four AntiTheft-installed virtual devices and recover several pieces of information in order to prove that you have ‘cracked’ the lock. We’re so confident that you won’t be able to retrieve the necessary information that if and when your attempts fail we'll then offer you the chance to win by simply entering your details," Blackbelt says.

In the meantime, Coverity disclosed the bugs to HTC and figures 30 days is enough time for HTC to fix all the problems it found. At that point, it will make the bugs public, and we'll see what kinds of proof-of-concept exploits emerge from there.

+1

Nothing is safe. Nothing.

But intelligent usage will help one hedge their bet.

Right 3vi1?

+3

"Therein, in fact, lies the second, even more significant point to remember here: It is only by virtue of the fact that Android's kernel is open source that these problems were even found. There's an excellent chance that Apple's iPhone, for instance, includes at least as many programming flaws, but the world will never know because that code is proprietary and visible only to Apple." - Ripped from PC World. Read the entire article HERE.

0

You hit the nail on the head SD, but an exploitable flaw is a major flaw nonetheless. I don't think this sort of thing will keep most folks (including me) from using Android-based products, that's for sure, but it's an interesting situation to observe and an action item for the Android community in general. First there was the Android enablement stage and now that we have all this goodness at our fingertips, it's time to secure it.

0

Dave_HH:
it's time to secure it

Agreed, and we shouldn't have to wait long to see it happen either. I think that they'll be responsive about fixing all of it.

+1

The biggest thing to remember is that almost all of these flaws in Android are kernel flaws. They're flaws that are in Linux as well. Kernel flaws aren't exactly the easiest thing to exploit unless they're really big honking flaws which wouldn't make it through testing.

Nice article by the way Dave.
