An independent security firm has analyzed the kernel of Google’s mobile operating system, Android, and found over 350 defects, with 88 of them classified as serious.
Oddly enough, this is good news for Google.
The security team from Coverity ran automated code through Google’s mobile Android operating system. (They used an HTC Incredible phone as a test unit, but since Android is embedded in a host of very similar phones, they deduced the results are representative for the entire OS.) There was an error rate of about 1 every 2,000 lines of code, tallying
to a grand total of 359 errors. 88 of these were classified as serious,
potentially leading to memory leaks, memory corruption, uninitialized
variables and so on. The results sound damning, especially since there are so many Android handsets in use, each laden with personal and valuable data about their users, and the OS is rapidly seizing the majority of the smartphone market.
There’s good news for Google here: That code flaw rate is,
according to Coverity, about half as bad as the industry standard of one
defect per 1,000 lines of code. And thanks to Android’s open
source nature, the community itself can discover these bugs and
then alert Google. This bodes extremely well for Google’s other OS
project, Chrome, which is now rumored to be arriving soon on
sub-notebook PCs, as well as a Google-branded notebook PC–Chrome is also
open source, meaning its weaknesses can quickly be discovered, turning it
into a strength.
And finding flaws in an operating system is different than exploiting them–a task that’s not necessarily straightforward. A malicious coder may have to write some neat lines of software to cause a memory leak to give an app the power to damage your phone, steal your data, or do other things like racking up your phone bill without your knowledge. The free and open apps system that Android is supposed to embody could allow a malicious app that exploits one or many of the 88 defects to freely circulate, but again that would be a feat that’d have to be cleverly pulled off.
Coverity is withholding the precise nature of the flaws it’s discovered from the public domain until it’s shared them with Android OEMs, security experts, and the Android security team itself. Which means Google should have time to tackle the most serious security flaws before they become a threat.
Follow me, Kit Eaton, on Twitter.