
Froyo has a few bugs in it.  (Source: rainab on Flickr)
Many of these bugs could expose private user info, much like the recent Apple iPhone bug

Android may be open source, but that doesn't make the popular smartphone operating system invincible to security problems.  Hot on the heels of a recently discovered iOS 4.1 vulnerability that could give malicious users access to a locked iPhone's phone app, messaging app, and more, a plethora of Android vulnerabilities have been identified.

The new Android vulnerabilities were discovered by researchers at security firm Coverity.  In their Coverity Scan Open Source Integrity Report, the researchers scoured 61 million lines of open source code, including the Android OS source used in the popular HTC Droid Incredible.  Code from Apache, other Linux kernels, PHP, and Samba was among the 291 open source projects examined and compared to the Android kernel.

The team identified 359 bugs in the code.  Of these, 88 (roughly 25 percent) were categorized as "high risk" -- bugs that could endanger users' privacy.

Coverity gave Android mixed praise for the quality of its code.  It said that Android had a lower density of bugs per thousand lines of code than average open source software.  But it said it had a higher bug density than the highly scrutinized Linux kernel and that some of the critical bugs should have been caught before release.

While every Android distribution is slightly different, even for the same operating system version number, it is thought that these vulnerabilities likely appear in most Froyo-equipped Android phones.

Google has responded quickly to Coverity, reportedly preparing over-the-air fixes that will be delivered by January at the latest.  Coverity is holding off on releasing details of the vulnerabilities until those fixes are delivered.  Over-the-air fixes are one reason some security experts say Android's security is superior to that of the Apple iPhone (iOS does not have over-the-air OS updates).

Google now has something in common with Microsoft -- as the market leader in a major OS segment, it is the highest profile target for exploitation.  Google owns nearly half of the U.S. smartphone market, while RIM and Apple each have roughly a quarter of the market.


Not really open source
By bug77 on 11/3/2010 10:39:01 AM , Rating: 1
Android is not really open source. And by that I mean the "community" is not involved in the development process. Google releases the source code only after releasing a new Android version. This effectively limits the input from the community to bug fixing. As a developer, I don't see myself getting involved in something like this.

Bottom line, the comparison to open source is a bit misleading. But still, the study shows the smart guys at Google have fewer bugs than the smart guys in other open source projects.

RE: Not really open source
By Orpheus333 on 11/3/10, Rating: 0
RE: Not really open source
By Alexstarfire on 11/3/2010 10:53:46 AM , Rating: 2
You do realize that those mods only came out AFTER the source code for that version of Android was released into the wild? Hell, it's why I'm still waiting for a modified Froyo ROM for my Captivate. Samsung hasn't released an official version yet for people to start modifying. Once they do the mods come out pretty quickly though.

RE: Not really open source
By ninjaquick on 11/3/2010 12:29:41 PM , Rating: 2
All a mod team has to do is write the drivers. If the source code is opened up that makes it easier, but the fact remains that Android is completely open source, meaning you can do whatever you want to it from Google's source. Anything closed source (aside from GAPPS) would be due to manufacturers or carriers being d1cks.

RE: Not really open source
By Klober on 11/3/2010 5:09:46 PM , Rating: 2
Hey Alexstarfire,

Just FYI, I'm already running a Froyo ROM on my Captivate and have been since the beginning of October (started with Cognition v2.2 BETA3). I'm currently running Cognition v2.2 BETA9.1.3 (based on JI6 Froyo leaked ROM) and it's working great.

My phone sips battery juice now - one day last week when I was paying attention I was 4 hours off the charger and still at 100%, and at the end of my work day (over 10 hours off the charger) with some email and 3G web browsing I was still around 83%. Right now I've been off the charger for 8 1/2 hours with browsing, updating apps, email, texts and browsing the market and I'm still at 73%.

I'm pretty happy so far, but tonight or tomorrow I'll probably do a full backup and try out the newest Cognition ROM (v2.3b1) to see the differences and see how it fares since it's based on JJ4 which is the newest Froyo leak.

I don't know if that's what you meant by a modified Froyo ROM, but if it is and you want more info let me know.

RE: Not really open source
By Alexstarfire on 11/3/2010 11:28:43 PM , Rating: 2
I know about it. I haven't gotten it since there are supposed to be several bugs. Been waiting for the official ROM. Could have changed since they are on version 2.3 beta now.

RE: Not really open source
By Flunk on 11/3/2010 11:20:33 AM , Rating: 4
It all depends on your definition of open source. By the loosest definition open source only means that the software is provided with the source at the time of release, which Android is.

RE: Not really open source
By Aloonatic on 11/3/2010 11:47:37 AM , Rating: 1
And who it is open to.

Isn't Android open to manufacturers to tinker with, but not for end users/the general public etc.

RE: Not really open source
By SkullOne on 11/3/2010 1:19:27 PM , Rating: 2
Go Google CyanogenMod

RE: Not really open source
By foolsgambit11 on 11/3/2010 5:31:07 PM , Rating: 2
Android is made available under the Apache Software License (except the kernel, which is GPL), which allows us to distribute modified versions of the software. As I understand it, they chose the Apache license so that handset makers wouldn't be obliged to release any modifications they make to the code. However, I have heard complaints that Google takes a while to update its code repository to the currently released version. It's not that you can't tinker with Android, it's that it's hard to get it working on an actual handset because the drivers for phone hardware are proprietary and not publicly released. Still people manage, like those who have managed to get higher versions of Android running on their phones while waiting for their carriers to put out an upgrade.

RE: Not really open source
By Aloonatic on 11/4/2010 3:22:49 AM , Rating: 2
Thanks for the replies :o)

I'm not sure why I got rated down for simply asking a question, though maybe it was as my wording changed in edit and I forgot to add a question mark maybe? So many petty, sad little people on here.

Wouldn't be the same without you tho guys :o)

RE: Not really open source
By Lazarus Dark on 11/5/2010 6:54:12 PM , Rating: 2
That is exactly the issue. While you could do whatever on say... an arm-based motherboard with all standard components, there is NO standard for phone hardware, therefore no standard drivers, you have to create drivers for each phone as it is now. I would hope that with say, arm-based nettops (like google tv) or netbooks, there may hopefully be more standardized components. But I understand the current phone-hardware climate just won't allow this for probably a few more years.

RE: Not really open source
By bug77 on 11/3/2010 12:47:04 PM , Rating: 2
True. I was just trying to point to the fact that while Android is compared (in this study) to other open source projects, it doesn't reap most of the benefits of being open source. So it's not really comparing apples to apples. But in the end, who cares?

RE: Not really open source
By omnicronx on 11/3/2010 12:53:37 PM , Rating: 2
Is that not more of a GPL restriction than an 'open source' restriction? I.e., it is not specifically tied to a release.

As long as the source code is made public (whenever that may be), enabling anyone to copy, change, and/or redistribute said code without paying any fees or royalties, it can be considered open source...

Although the definition can be construed in a broad variety of ways ;)

RE: Not really open source
By msheredy on 11/3/10, Rating: -1

Kernel bugs are bad
By Gio6518 on 11/3/2010 10:44:30 AM , Rating: 2
Kernel bugs are bad, but they certainly don't equal any type of real world exploit, and unless you hand your phone over to someone with a development computer and a USB cable, you're probably safe.

RE: Kernel bugs are bad
By TheDoc9 on 11/3/2010 10:59:33 AM , Rating: 2
Yeah, the timing of this is interesting too, I wonder who sits on the board and/or funds Coverity. Perhaps it's Steve Jobs?

In any case every major piece of software in the world has crap tons of the type of bugs they're describing. Software is never really finished, that's why there are always updates and new versions that look exactly the same to the user - but have huge changes under the hood.

RE: Kernel bugs are bad
By kmmatney on 11/3/2010 12:28:42 PM , Rating: 2
So, if you root (or whatever it is) your phone, can you still apply updates to fix security holes? Can it be done over the air as well? I can apply fixes over the air on my jailbroken 3GS - even fixing the flaw that allowed it to be jailbroken. Would want to be able to do this with an Android phone as well, if I was to switch (I have 8 months before I can get a new phone, though).

RE: Kernel bugs are bad
By Alexstarfire on 11/3/2010 12:45:00 PM , Rating: 2
Depends on mods you may do. If you only root it then yes, you can still get OTA updates. I have mods that prevent me from doing OTA updates, but once 2.2 comes to my phone I won't have much need for those mods anymore.

Why didn't DT cover iPhone DST alarm bug?
By micksh on 11/3/2010 12:42:22 PM , Rating: 2
It was in the news 3 days ago when it hit Europe. I think being late for work creates more problems than security bugs that nobody exploited so far.

By teng029 on 11/3/2010 1:29:30 PM , Rating: 1
and there it is. i was waiting for the inevitable "apple is still worse" response..

By lewisc on 11/3/2010 3:19:15 PM , Rating: 2
So that's why this week my alarm has been going off when I'm already in work!

Genuinely, I had no idea that there was a bug, though fortunately I usually wake before my alarm, but this does explain a small mystery. Perhaps some of the 'magic' leaks out of the phone and realises at what time I need to wake up, irrespective of the time set...!

Pleased you posted this, despite, as the previous respondent said, it being somewhat off topic.

Making a monster from a bug
By drycrust3 on 11/3/2010 12:36:07 PM , Rating: 3
I think a lot of this is just a drama over very little. Not that the bugs themselves aren't important, but that the issue with most bugs isn't that they have been discovered, rather, it is whether there are exploits for the bug in the wild and the time taken to fix them.
As I understand the normal process, when a bug is discovered the discoverer is asked to contact the OS company and notify them, keep quiet for a reasonable period of time so the supplier can fix the problem, and then release the discovery. But no, this doesn't happen here. Sure, they didn't release the exact nature of the exploits, but Google are expected to suddenly have their PR department making claims about fixing something that has just landed on their plate.
Since there is nothing about exploits in the wild in this article, one has to guess that there aren't.
"researchers scoured 61 million lines of open source code"

I can't help but think a hint of jealousy is involved.

Endless Beta Syndrom
By NanoTube1 on 11/3/10, Rating: -1

RE: Endless Beta Syndrom
By uhgotnegum on 11/3/2010 12:46:12 PM , Rating: 4
Apple appreciates your comment. Apple would also like for you to continue thinking that Apple's products are always delivered complete....on annual software updates.

This is, of course, done for your benefit. That way, you can easily consider what Apple delivers to you "complete" and "really there." More than once a year would be confusing to our users, and if it were an app, we'd have to reject it.

RE: Endless Beta Syndrom
By NanoTube1 on 11/3/2010 6:21:24 PM , Rating: 2
I trust steve jobs with my iLife!

Ok ok... I'm just screwing around. A troll trap kind of comment.

Honestly, I love Android, it's a hell of an OS and the top tier phones are really good. But some of what I said is true, Google has this annoying tendency to release beta quality software and keep it that way for months on end - a tendency Apple is adopting for some reason. I am also surprised they found so many security bugs in Froyo - that is NOT characteristic of Google! 88 security related bugs!! Meh... kind of disappointing to be honest.

RE: Endless Beta Syndrom
By jithvk on 11/3/2010 8:12:25 PM , Rating: 2
I trust steve jobs with my wife!

Fixed it for ya...

RE: Endless Beta Syndrom
By NanoTube1 on 11/4/2010 11:46:54 AM , Rating: 2

RE: Endless Beta Syndrom
By uhgotnegum on 11/4/2010 6:37:49 PM , Rating: 2
Not one to post a sarcastic, attention-seeking (oh, and "primarily substanceless") comment and never return to see whether the DailyTech public likes me, I am back! I'm switching gears, though, and posting a real that nobody will ever come back to this article.

I understand and agree with your "beta quality" point re early Android, but I really can't think of other examples. As someone who uses a majority of Google's web, software, and recent Android offerings, I have not really had any "beta quality" experiences. I have had some glitches and "oh, they should've included that"s, but no more than I would expect from any other software or web service.

I'm curious, what experience(s) got you to your opinion?

The only (meaningful) point of my original comment is that I think Apple and Google have very different ideas as to how "beta" is defined and how that phase is implemented in their business models. Personally, I prefer Google's, which seems more agile...more able to address issues that arise in reports like the one from this article. Apple seems to rely on itself, internally, to identify and resolve problems, and a report like this would be reviewed, worked on internally, and then released as part of a "big" update.

If I'm right, it makes sense, b/c part of Apple's revenue is based on selling their new software, whereas Google's revenue is based on your use of the software.

...ok, enough of me.

RE: Endless Beta Syndrom
By NanoTube1 on 11/4/2010 8:01:44 PM , Rating: 2
"Not one to post a sarcastic, attention-seeking (oh, and "primarily substanceless") comment and never return to see whether the DailyTech public likes me, I am back! I'm switching gears, though, and posting a real that nobody will ever come back to this article."

My my, you built yourself a small conspiracy story over there! Awww... how sweet.

As for Google and their beta software, well, I had many issues with GMail when it was beta, first versions of Android were pretty rough (88 high risk security issues in v2.2 is not exactly nice either), Mmmmmm let's see.... Wave? Buzz?... beta is not only bugs, beta is also when you don't think through the UI or Privacy or any other issue that influences the user.

I think it was one of their founders that said something like "we throw a lot of things at the wall and see if it sticks"... well, how good can version 1.x of such software be? Inherently beta grade, which it is.
