88 'High Risk' vulnerabilities discovered in Android 2.2 'Froyo'

Open source may offer many advantages over closed source code, and one of these advantages is that the code is open for anyone to examine. But don't let that lead you to believe that open source code is invulnerable to hackers.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

Security researchers at Coverity examined some 61 million lines of code from 291 open source projects and used those results as the baseline against which they measured the Android kernel. They found 359 defects in the Android 2.2 kernel source, some 25% of which were ranked as 'high risk' vulnerabilities that could endanger user privacy.

These 88 vulnerabilities break down as follows:

  • Memory - Corruptions: 20
  • Memory - Illegal access: 29
  • Resource leaks: 11
  • Uninitialized variables: 28
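
The four defect classes in that list, each shown as a short hardened C routine with the defect pattern it avoids described in the comment above it. This is an added example, not code from Android, the Linux kernel or Coverity's report; the one-byte-length message format, MAX_PAYLOAD and every function name are constructed for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message format for this example: one length byte followed by
 * that many payload bytes. MAX_PAYLOAD is an assumed buffer size, not a
 * figure from the report. */
#define MAX_PAYLOAD 16

/* 1. Memory corruption: a length taken from the message drives a copy into a
 *    fixed-size buffer with no check against the destination size.
 *    Defect pattern (not compiled here):
 *        uint8_t buf[MAX_PAYLOAD];
 *        memcpy(buf, msg + 1, msg[0]);   // msg[0] can exceed MAX_PAYLOAD
 *    Hardened form: check the length against the destination and against the
 *    bytes actually present in the source. Returns bytes copied, or -1. */
int parse_payload(const uint8_t *msg, size_t msg_len,
                  uint8_t *out, size_t out_len)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;
    size_t n = msg[0];
    if (n > out_len)        /* would overflow the destination */
        return -1;
    if (n > msg_len - 1)    /* would read past the end of the message */
        return -1;
    memcpy(out, msg + 1, n);
    return (int)n;
}

/* 2. Illegal access: an attacker-influenced index is used to read an array
 *    without a bounds check.
 *    Defect pattern: return table[idx];   // idx >= table_len reads out of bounds
 *    Hardened form: reject the index before dereferencing. Returns 0 or -1. */
int lookup(const int *table, size_t table_len, size_t idx, int *value)
{
    if (table == NULL || value == NULL || idx >= table_len)
        return -1;
    *value = table[idx];
    return 0;
}

/* 3. Resource leak: an error path returns before releasing what was acquired.
 *    Defect pattern:
 *        uint8_t *buf = malloc(MAX_PAYLOAD);
 *        if (parse_payload(msg, msg_len, buf, MAX_PAYLOAD) < 0)
 *            return -1;                    // buf leaks on every bad message
 *    Hardened form: one exit path that releases the resource on success and
 *    failure alike. Returns the sum of the payload bytes, or -1. */
int payload_sum(const uint8_t *msg, size_t msg_len)
{
    int rc = -1;
    int n = -1;
    uint8_t *buf = malloc(MAX_PAYLOAD);
    if (buf == NULL)
        goto out;
    n = parse_payload(msg, msg_len, buf, MAX_PAYLOAD);
    if (n < 0)
        goto out;
    rc = 0;
    for (int i = 0; i < n; i++)
        rc += buf[i];
out:
    free(buf);              /* free(NULL) is defined, so this is safe on every path */
    return rc;
}

/* 4. Uninitialized variable: an out-parameter is only written on the success
 *    path, and the caller reads it regardless.
 *    Defect pattern:
 *        int v;
 *        lookup(table, len, idx, &v);      // return value ignored
 *        return v;                         // garbage when lookup failed
 *    Hardened form: initialise before the call and honour its return value.
 *    Returns the table entry, or fallback when idx is out of range. */
int lookup_or(const int *table, size_t table_len, size_t idx, int fallback)
{
    int v = fallback;
    if (lookup(table, table_len, idx, &v) != 0)
        return fallback;
    return v;
}
```

Each of the four defect patterns in the comments is the kind of thing a static analyser flags from the source alone: a copy whose bound comes from untrusted input, an unchecked index, a return that skips a free, and a read of a variable that is not written on every path. The hardened forms are what the same checks are silent on.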

So, how does Android stack up? Well, according to the report, the Android kernel has around half the defects that would be expected for a project of its size: its defect density is better than the industry average, which Coverity puts at roughly one defect per 1,000 lines of code.

However, the researchers also noted that the Android-specific code has about twice the defect density of the core Linux kernel code. This is put down to the fact that the Android code is newer and hasn't seen the same level of scrutiny that the Linux kernel has.

Overall, not a bad scorecard for Android 2.2. Probably a B-, good, but could do better.