If you're using applications on your Android phone to store or transmit sensitive data (like your bank account), you might want to rethink that. A recent analysis of Android as implemented in HTC's Droid Incredible discovered 359 bugs of which 88 are considered critical. These include memory corruption, resource and memory leaks, and uninitialized variables.
The analysis was conducted by Coverity, a company that makes software quality assurance products. Android was the general subject for the Coverity Scan 2010 Open Source Integrity Report but researchers looked specifically at the HTC Droid Incredible because there's no such thing as a pure Android kernel. Each OEM may start with the same Android package, but then they customize. Coverity's Andy Chou writes in his blog, "Why the Incredible? Well, one of our sales engineers has one and he wanted to know what bugs are in it. Turns out, there are quite a few."
But the team also tried to zero in on bugs that are most likely to be common to all Android devices. They determined that with the Incredible, "the Android-specific portions of the kernel (which is largely derived from Linux) have a higher defect density (0.78 defects / 1000 loc) than the rest of the kernel (0.47)."
While we were appalled to hear about so many bugs in the Incredible, it turns out that 0.47 bugs/1000 lines-of-code is considered a not-bad result. Coverity says that the industry average is 1 bug per 1000 loc. On the other hand, by that logic the iPhone is practically impenetrable. Coverity notes that when Apple released its latest iPhone operating system in September, IOS 4.1, it was found to have a mere 24 security holes -- and nearly all of them -- 80% -- came from WebKit, "an open source web browser engine also seen on Android OS and Chrome," Andy Chou writes.
Given the dozens to hundreds of flaws in mobile operating systems, it's not surprising that wares that promise to secure smartphones have begun to emerge. Is it wise for one of them to throw down the gauntlet at hackers? Mobile security software maker Blackbelt this week issued just such a challenge. It wants all to try and crack its new Android Antitheft software. Antitheft lets users locate, wipe or lock their mobile phones in the event said phone turns up missing.
Blackbelt is confident to the point of cocky that no one will best it. "To win you must break into one of four AntiTheft-installed virtual devices and recover several pieces of information in order to prove that you have ‘cracked’ the lock. We’re so confident that you won’t be able to retrieve the necessary information that if and when your attempts fail we'll then offer you the chance to win by simply entering your details," Blackbelt says.
In the meantime, Coverity disclosed the bugs to HTC and figures 30 days is enough time for HTC to fix all the problems it found. At that point, it will make the bugs public, and we'll see what kinds of proof-of-code exploits emerge from there.