Android Froyo is security soft
United States-based security firm Coverity has uncovered 88 "high risk" defects in the latest version of Android, which is used by more than a third of the operating system's users.
(Detachable arms and legs image by
Laihiuyeung Ryanne, CC2.0)
The Android 2.2 platform, dubbed Froyo (short for Frozen Yoghurt), was released in May and has gained popularity since August. Google reports that 36.2 per cent of users are running Froyo. Its predecessor, version 2.1, has a 40.8 per cent share.
Research into open-source security by Coverity (PDF) has revealed that a quarter of the 359 defects found in Froyo were considered high risk and included memory corruptions, memory illegal accesses, and resource leaks.
"[They] are considered high risk with significant potential to cause security vulnerabilities, data loss or quality problems such as system crashes," stated the report.
"These are traditionally defect types that many of our customers fix and eliminate completely prior to shipping a product."
The company did not elaborate further on the defects, but chief scientist and co-founder Andy Chou said in a blog post that the company plans to release further details in two months.
"We plan on working closely with the vendors involved to ensure that our release of the technical details do not put users at risk," Chou said.
"We are not in the business of building exploits, so we cannot comment on the amount of effort required [to exploit the vulnerabilities], or even if it is possible for any given defect."
Coverity is working with Google, which oversees the development of the platform, and other open-source vendors to analyse the defects.
But Froyo is still more secure than the average piece of software. Coverity said it has about half the defects expected for average software of its size — one per 1000 lines of code.
More broadly, the report found that 45 per cent of defects discovered in open-source platforms, including Android, Samba, Linux and Apache, are considered high risk. The results have remained virtually unchanged over two years, which the company said indicates that software development testing has not reacted to problems.
"It also demonstrates how easy it is to make these types of coding errors when the human factor comes into play. But both results emphasise the need for more maturity in the process by incorporating automated code testing in development," the report stated.
Froyo is the first release to include enterprise features such as password and policy enforcement and the ability to remote wipe devices.
Coverity stated that it gathered its findings using some 61 million lines of code from 291 of the most popular open-source projects.