Security researchers found dozens of high risk security holes in the software used to run specific Android mobile devices, but that’s still a lot better than industry averages, according to a new report.
Coverity, an application code testing firm, analyzed the source code for HTC’s Droid Incredible and found 359 defects, 88 of which it classified as high risk. The company said it will give Google and HTC time to fix the holes before revealing them. Although the version of Android that Coverity tested only runs on the HTC Incredible handset, the other versions of the OS are similar and derived from the same Linux code.
The analysis of the Android kernel code was conducted as part of Coverity’s Open Source Integrity Report and was based on a copy of the kernel downloaded from HTC’s developer site and scanned with Coverity’s Integrity Manager software. That analysis turned up hundreds of flaws, 88 of them considered “high risk,” including 20 memory corruption holes, 29 illegal memory accesses (i.e. buffer overflows), 11 resource leaks and 28 uninitialized variables.
Coverity said in its report that it found an average defect density (a common measure of software quality) of 0.47 defects per 1,000 lines of code. The company said that is less than half the industry average for defect density, and added that the Android-specific portion of the kernel had a much higher density, 0.78, than the rest of the kernel does.
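As an added illustration, not code from Coverity’s report or from the Android kernel, the following C shows what each of the four defect classes counted above looks like in practice, with the defective function placed beside the corrected form a static analyser would accept. All function names and sample inputs are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustrations of the four defect classes the report counts
 * (illegal memory access, uninitialized variable, resource leak, memory
 * corruption). Each *_buggy function carries the defect a static analyser
 * would flag; the *_fixed function beside it is the corrected form. */

/* 1. Illegal memory access (buffer overflow): strcpy never consults dst_len. */
int copy_name_buggy(char *dst, size_t dst_len, const char *src) {
    (void)dst_len;
    strcpy(dst, src);               /* defect: writes past dst if src is longer */
    return 0;
}

int copy_name_fixed(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;                  /* reject input that would not fit with its NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* 2. Uninitialized variable: total is returned unassigned when len == 0. */
int sum_buggy(const int *vals, size_t len) {
    int total;
    for (size_t i = 0; i < len; i++)
        total = (i == 0) ? vals[0] : total + vals[i];
    return total;                   /* defect: indeterminate value for len == 0 */
}

int sum_fixed(const int *vals, size_t len) {
    int total = 0;                  /* always defined, even for an empty array */
    for (size_t i = 0; i < len; i++)
        total += vals[i];
    return total;
}

/* Helper: heap copy of a C string (NULL if allocation fails). */
static char *dup_line(const char *line) {
    size_t n = strlen(line) + 1;
    char *copy = malloc(n);
    if (copy) memcpy(copy, line, n);
    return copy;
}

/* 3. Resource leak: the heap copy is not released on the error path. */
int kv_value_buggy(const char *line, char *val, size_t vlen) {
    char *copy = dup_line(line);
    if (!copy) return -1;
    char *eq = strchr(copy, '=');
    if (!eq) return -1;             /* defect: copy leaked on this path */
    int rc = copy_name_fixed(val, vlen, eq + 1);
    free(copy);
    return rc;
}

int kv_value_fixed(const char *line, char *val, size_t vlen) {
    char *copy = dup_line(line);
    if (!copy) return -1;
    int rc = -1;
    char *eq = strchr(copy, '=');
    if (eq)
        rc = copy_name_fixed(val, vlen, eq + 1);
    free(copy);                     /* single release point covers every path */
    return rc;
}

/* Convenience wrapper: length of the value in "key=value", -1 if malformed
 * or too long for a 16-byte buffer. */
int kv_value_length(const char *line) {
    char val[16];
    if (kv_value_fixed(line, val, sizeof val) != 0) return -1;
    return (int)strlen(val);
}

/* 4. Memory corruption: a freed block is read (use after free). */
int first_byte_buggy(const char *src) {
    char *buf = dup_line(src);
    if (!buf) return -1;
    free(buf);
    return buf[0];                  /* defect: reads freed memory */
}

int first_byte_fixed(const char *src) {
    char *buf = dup_line(src);
    if (!buf) return -1;
    int first = (unsigned char)buf[0];  /* read while the block is still live */
    free(buf);
    return first;
}
```

Each `*_fixed` variant applies the same pattern: bound every copy by the destination size, give every variable a value on every path, release resources at a single exit point, and never touch a pointer after it has been freed. These are exactly the properties a static analyser checks across all paths, which is why it finds them in code that tests pass.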
The Android OS is based on a version of the Linux kernel, and while there are a number of other Android-based handsets besides the HTC Incredible, each manufacturer uses its own specific version of the OS.
“Accountability for Android software integrity is fragmented. The problem is no different with Android than what we see across open source. Android is based on Linux, which has thousands of contributors. Compound that with the Android developers from Google, the contributors to Android from the larger development community, and OEMs that supply components for specific configurations of Android to support different types of devices, and the lines of accountability are quickly blurred. It’s not clear who is ultimately accountable, but it is clear that a new level of visibility is needed to provide the OEMs that incorporate Android in their software supply chain with an objective measurement of Android software integrity,” Coverity said in its report.
Coverity said it is not revealing the specifics of the Android bugs yet, but that it has notified HTC, the handset manufacturer, and Google of the vulnerabilities and is giving them 60 days to fix them before it discloses the technical details.