Everyone is paying attention to the Android buzz, especially Apple and RIM. With the recent news about some of the offerings coming to the table featuring Google’s Android OS how can anyone ignore it? Android’s biggest and best feature is that it is open and free to run on various platforms, including various phone manufacturers, tablets, and more. Recently, a study has revealed that Android suffers from its own best feature.
A recent study has shown that the Verizon dubbed Incredible by HTC has some flaws and programming errors that can allow hackers to access user’s email, contacts, or other sensitive data. This study has not limited the findings to the HTC and claims that other Android phones could potentially suffer from the same programming flaws.
Programming flaws and security holes have been found in just about every phone manufacturer’s offerings but what sets the Android system apart is that there isn’t just one company customizing the code. RIM and Apple have had numerous vulnerabilities patched but they are a single manufacturer patching their own software.
The study by Coverity turned up 88 “High-risk defects” in the android kernel that include improper memory access, memory corruption, security vulnerabilities, data loss, and quality problems like crashing.
We found 88 high-risk defects in Android: 25% of the Android defects discovered, including memory corruptions, memory illegal accesses, and resource leaks, are considered high-risk with significant potential to cause security vulnerabilities, data loss, or quality problems such as system crashes. These are traditionally defect types that many of our customers fix and eliminate completely prior to shipping a product.
So now you ask, how is Android’s Open Platform its biggest flaw? Who is accountable to make the fixes? Google or the Vendors that customize the OS?
Accountability for Android software integrity is fragmented. The problem is no different with Android than what we see across open source. Android is based on Linux, which has thousands of contributors. Compound that with the Android developers from Google, the contributors to Android from the larger development community, and OEMs that supply components for specific configurations of Android to support different types of devices, and the lines of accountability are quickly blurred. It’s not clear who is ultimately accountable, but it is clear that a new level of visibility is needed to provide the OEMs that incorporate Android in their software supply chain with an objective measurement of Android software integrity.
High-risk defects include four categories that we have found, through experience and consultation with our customers, to be ones that can cause the most damage and are most likely to be fixed first by developers. These include memory corruptions, illegal memory accesses (e.g., reading beyond the bounds of a memory buffer), resource leaks, and uninitialized variables. The Integrity Report breaks out the high-risk defects by these categories to show the main areas of risk
Medium-risk defects include several categories of defects that can still cause severe consequences such as program crashes, but are often deemed less high priority by developers to fix compared with high-risk defects.
Apple and RIM can rejoice as the storm that seems to be taking them over may now be realizing some issues. The bad news is that many users will never become aware that these vulnerabilities exist until it is too late. With the distribution of the Android OS it is hard to see where this will end up going. My heart says that these things will be patched quickly and that it will eventually be remembered as a hiccup, but my brain says these things will get worse. Look what happened to Microsoft’s OS… if you have the market share, you have the target too (as demonstrated by the sea of viri and malware).
If you are interested in reading the full report please visit Coverity’s website: Press Release