88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'


Summary: Open source may offer many advantages over closed source code, and one of these advantages is that the code is open for anyone to examine. But don't let that lead you to believe that open source code is invulnerable to hackers.



Security researchers at Coverity examined some 61 million lines of code from 291 open source projects and compared the results with those for the Android kernel. The researchers found 359 bugs in the Android 2.2 source code, roughly 25% of which were ranked as 'high risk' vulnerabilities that could endanger user privacy.

These 88 vulnerabilities break down as follows:

  • Memory corruptions: 20
  • Memory illegal accesses: 29
  • Resource leaks: 11
  • Uninitialized variables: 28

So, how does Android stack up? Well, according to the report, the Android kernel has around half the bugs that would be expected for a project of its size, and a better-than-industry-average defect density of roughly one defect per 1,000 lines of code.

However, the researchers also noted that the Android-specific code has about twice the defect density of the Linux kernel code. This is put down to the fact that the Android code is newer and hasn't seen the same level of scrutiny that the Linux kernel has.

Overall, not a bad scorecard for Android 2.2. Probably a B-, good, but could do better.


Talkback

21 comments
  • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

    I would be curious to see how Apple and RIM stack up
    zapthepunctual@...
    • CrApple RDF is at an all time high!

      @zapthepunctual@... Adrian is getting a bonus in his Christmas stocking from CrApple as a Bona Fide iCrAppleholic for posting of these stories. haha.... Notice they don't say anything about how any iCrApple device can be hacked in seconds to give up all the users information! lol..... talk about a SECURITY FLAW..... What's that about?!?! :O

      haha.... but people are lame enough to believe these fools come up with this stuff on their own!!! :D
      i2fun@...
      • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

        @i2fun@... Dude you are seriously the biggest Anti-Apple troll around - just like a one trick pony. Have you ever EVER posted something that did not even mention Apple?
        athynz
    • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

      @zapthepunctual@... Indeed - I'd also like to see a similar report on Windows Phone 7 as well. This bit: "the Android kernel has around half the bugs that would be expected for a project of its size, and has a better than industry average of defects per lines of code, with roughly one defect per 1,000 lines of code." really doesn't say much...
      athynz
      • You Can Read.... but you don't understand anything unless...!

        @athynz ......it's something good about CrApple! haha....

        "So, how does Android stack up? Well, according to the report, the Android kernel has around half the bugs that would be expected for a project of its size, and has a better than industry average of defects per lines of code, with roughly one defect per 1,000 lines of code."

        Note: Google Android uses "Clean Room" code development and Andy Rubin has stated that on average Android OS can be considered one of the Cleanest Coding Environments he's ever been in!

        Since Adrian obviously manipulated his statement based on their report to go two ways. #1 First way so you morons could feel good about beating up on Android as if there was anything to complain about and #2 the positive REALITY that was in this REPORT, that he intentionally slanted to get page hits!

        If you had the sense enough to actually get the report, you'd see that "better than industry average of defects per lines of code" (as in around 1 per 1,000 lines) is in fact outstanding.

        That's the reality and I'll bet even iOS wouldn't fare any better (most likely far worse). But we'll never know that, will we? Because it's closed source proprietary like Microsoft's. Who originally were putting out some of the dirtiest code on the planet from Quick and Dirty Operating System (QDOS) and PCDOS (MSDOS was better on purpose btw)! CrApple wasn't much better than MS, using college Code Slaves themselves. Instead of Code Warriors to develop their early code!

        btw.... this is one very big reason Open Source is much cleaner than any proprietary code. It's a known fact that proprietary software hides their defects by using Closed Source as an excuse!

        Linux is much cleaner than any other Operating System Code!
        http://lwn.net/Articles/22623/
        http://lwn.net/Articles/115530/

        "(a) Industry Average: "about 15 - 50 errors per 1000 lines of delivered code." He further says this is usually representative of code that has some level of structured programming behind it, but probably includes a mix of coding techniques."

        Quote taken from book "Code Complete" by Steve McConnell
        http://stackoverflow.com/questions/862277/what-is-the-industry-standard-for-bugs-per-1000-lines-of-code

        So take that you iCrAppleholic!!! ;)
        i2fun@...
      • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

        @athynz & especially @i2fun, to whom I can't reply, perhaps because his post is flagged.

        It's amazing how easy it is to take a few facts, apply dogma, and get crap.

        Any dogma, not just yours (or mine, whatever that is!).

        First, to say that Open Source is better (or worse) than X, because... misses the critical fact that Open Source projects are all over the map -- ranging from outstanding, with a high degree of organization and discipline, well-coordinated QA efforts, both as individual efforts or large distributed groups, all the way to utter chaos stuff you use at considerable risk. The quality of the software development process, and the skills of the participants, far outweigh any benefits or drawbacks that Open Source itself conveys, in determining the final quality.

        One could make a much more nuanced, and much more interesting, argument about how the openness can be a benefit, and how best to make use of that to a project's advantage, rather than disadvantage.

        Similar points apply to the generalizations about various corporate projects.

        I also regard as garbage any metric of "defects per 1,000 lines of code". From anyone, for any purpose. It rests on not one, but two flawed basic premises -- that lines of code are somehow roughly equivalent for comparison purposes, and that defects are all the same for comparison purposes.

        A single defect that causes a single crash with data loss, in my mind, should outweigh 10,000 defects that annoy and frustrate but just not quite enough to keep you from getting your work done.

        Likewise, a defect in code which is never reached, or only in the most unusual of circumstances, should hardly count at all. But a defect that, say, prevents you from submitting your tax return at the final stage, uncovered at the last minute -- that one really hurts. (Thank you, Intuit!)

        Finally -- if you work hard enough, you can get zero defects. The question is -- will it have enough functionality to be useful, in time that your target platform, customers, and market still exist?

        I propose we consider "defects per day" as a more useful metric. (Have fun with the flaws in that! :=)

        Code Complete was published 6 years ago.

        Finally, it's really entertaining to see how people judge these articles as pro- or anti- this. Pro-Apple? I took it as far more of a pro-android apologist stance! "Hmm, lots of defects, but say, not so bad when you consider..." In reality, I think he was just trying to present some interesting information, and put it into context. I wasn't entirely happy with the article, but I think your allegation (which I do presume and hope to be satiric rather than literal) was rather over-the-top.

        So, athynz, since I'm reduced to replying to your post as proxy for my intended target -- well, agreed, he seems sufficiently obsessed with Apple to label an article which doesn't even mention Apple, talking about defects in a competitor, as being pro-Apple. But troll? That seems a mite generous.

        [Edit: Hmm, my message got reported as spam when I tried to disclose what products I develop for???? Automated idiocy, or the manual variety?]

        [Looks automated. OK, I won't tell you then! Sheesh!]
        Bob.Kerns
      • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

        @Bob.Kerns
        Only in America is one company worshiped so readily that it makes its leader (micromanaging despot in this case) out to be like GOD!

        This is precisely why I attack CrApple. Not so much that they are a bad or good corporation, but that its fans see it as a religion (like athynz) and follow it religiously as an Idol, not as a fallible business.

        That a company with no factories in the US itself and fewer investments or employees here, in order to make parts, assemble their products or sell them and still call themselves American is a crying shame (they pay less tax than any other company of their size too). Their goal is not to produce the best products (or they wouldn't have such a cheap parts budget), but being in business solely to make money for owners and shareholders. Customers actually come second if at all. At some point the customers will realize (wake up from Apple's RDF effects) they are being bamboozled into thinking something is worth more than it actually is! ....and therein lies the rub!

        Apple is a paper tiger, built on the illusion that it's the real wizard, not just the fool or investor behind the "Magical and Revolutionary" curtain. How in the World can you CrAppleholics fall for Steve Jobs's charades time after time? It's a company that only promises to deliver quality products made by someone else, somewhere else. Their net assets are all on paper (cash, ideas, patents) that can go up in flames the moment suppliers decide to cut them off (remember iPad sales were less because of parts supplies from Samsung and LG). How can a company with such low asset value (cash haha.. that's laughable w/ low returns) have a Market Cap that exceeds by 4 times its Net Assets? It's called "Magical and Revolutionary" illusions of real product production and value through RDF Chicanery!

        Lastly (and I know YOU.... like the daves, athynz, etc) are bona fide dyed in the wool CrAppleholics. That's really the only reason I bother to respond to you guys..... to get your goat. But here I'm going to leave one link to a story that puts this whole errors per lines of code in Android in a better, truer perspective and hope you read it:
        http://www.computerworlduk.com/in-depth/open-source/3246951/88-high-risk-defects-found-in-android-kernel/

        It's all so simple when you take away CrApple's RDF Hyperbole. Then you can see what's actually going on. That Android can actually be fixed easier now. Because it's Open Source and not written by iCrApple or Microcrud's software development teams alone, that turns it into GOLD! ....that's why Android is beating up on its competition at the rate of 800% now and well into its future! ;)
        i2fun@...
  • Way to go Coverity

    What is that 88 defects per 10,000,000 lines of code?
    That's actually not bad but bloggers will be picking at this like a scab for a while. Whatevah.

    P.S. 'Transparency' is a good thing.
    Try nitpicking Microsofty source code. What? Oh, you can't!
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

      @Dietrich T. Schmitz, Your Linux Advocate - I wonder if you'd be saying the same thing if 88 high risk vulns were found in Windows.

      Somehow I doubt it.
      bitcrazed
      • You'll never know! And MS relies on that.

        @bitcrazed

        Transparency: no such thing with Microsoft.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • Because it's been found, it can be fixed! haha....

        @bitcrazed ....and in Windows it takes years and hopefully they aren't found by hackers who can ruin your reputation faster than you can fix it! ....in Open Source, there is no such problem and yes it's called Transparency. Which no proprietary company has the benefit of!!! ;)
        i2fun@...
  • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

    Once again the "many eyes" prophecy has been proven to be nothing but hot air.

    The reality is that operating systems are very complex, very difficult to write and that few people have the skills to work effectively on ANY OS' innards.
    bitcrazed
    • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

      @bitcrazed Hmmm..
      Exactly who discovered these 88 potential vulnerabilities? The developers of android, or someone else... Someone else was ABLE to review the source code besides the creators. Why? Because the source code is available for peer review - you know, that "many eyes" idea you don't quite grasp yet.
      SpikeyMike
      • So where were these "many eyes"

        ... before they submitted the code then? Nice spin, but no cigar.
        LBiege
      • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

        @LBiege

        Nice Spin? Let's use logic - How are the many eyes supposed to get access to the code before it is submitted? Do you see it clearly now?
        SpikeyMike
  • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

    88 high risk flaws in linux which is why I would never use it.
    Loverock Davidson
    • You may have a point.

      @Loverock Davidson

      But then I said, "Nah, LD's chugging DayQuil again."

      Besides, supposing your hair catches on fire?
      Dietrich T. Schmitz, ~ Your Linux Advocate
    • You must be fscking joking.....

      @Loverock Davidson

      Where have you been the last couple of decades? M$ product is riddled with gaping wide security holes, which are probably, but only slightly, bigger than the vacuum you call your "brain". *nix was and is built with security and stability as its bedrock. Redmond finally came around to this way of thinking after about a gazillion different versions of winturd.

      You stick with Windows, you deserve each other.

      Peace & Love
      ragingpanda
  • Only part of the story...

    It should be noted that Coverity is a form of "static analysis" for code. It identifies potential issues with the code itself. Some of these issues are valid concerns while others can safely be ignored. Most of the rules for Coverity have come from the "we've been burned by this before" mantra. For example, it whines about dereferencing a pointer without checking for null first. Granted, this can be a serious problem, but there are definitely scenarios where it's impossible for a pointer to be null, yet Coverity will flag it as a "defect" anyways. All this to say that running one static analysis tool and reporting its output is not a fair assessment of the quality of the code. It's more complex than that.
    lawisnie
    • RE: 88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

      @lawisnie - As a former programmer/analyst I could not agree more.
      gwthornt