

Froyo has a few bugs in it.  (Source: rainab on Flickr)
Many of these bugs could expose private user info, much like recent Apple iPhone bug

Android may be open source, but that doesn't make the popular smartphone operating system invincible to security problems.  Hot on the heels of a recently discovered iOS 4.1 vulnerability that could give malicious users access to a locked iPhone's phone app, messaging app, and more, a plethora of Android vulnerabilities have been identified.

The new Android vulnerabilities were discovered by researchers at security firm Coverity.  In their Coverity Scan Open Source Integrity Report, the researchers scoured 61 million lines of open source code, including the Android OS source used in the popular HTC Droid Incredible.  Code from Apache, other Linux kernels, PHP, and Samba was among the 291 open source projects examined and compared to the Android kernel.

The team identified 359 bugs in the code.  Of these, 88 (roughly 25 percent) were categorized as "high risk" -- bugs that could endanger users' privacy.

Coverity gave Android mixed praise for the quality of its code.  It said that Android had a lower density of bugs per thousand lines of code than average open source software.  But it said that Android had a higher bug density than the highly scrutinized Linux kernel and that some of the critical bugs should have been caught before release.

While every Android distribution is slightly different, even for the same operating system version number, it is thought that these vulnerabilities likely appear in most Froyo-equipped Android phones.

Google has responded quickly to Coverity, reportedly preparing over-the-air fixes that will be delivered by January at the latest.  Coverity is holding off on releasing details of the vulnerabilities until those fixes are delivered.  Over-the-air fixes are one reason some security experts say Android's security is superior to that of the Apple iPhone (iOS does not have over-the-air OS updates).

Google now has something in common with Microsoft -- as the market leader in a major OS segment, it is the highest-profile target for exploitation.  Google owns nearly half of the U.S. smartphone market, while RIM and Apple each have roughly a quarter of the market.




Kernel bugs are bad
By Gio6518 on 11/3/2010 10:44:30 AM , Rating: 2
Kernel bugs are bad, but they certainly don't equal any type of real world exploit, and unless you hand your phone over to someone with a development computer and a USB cable, you're probably safe.




RE: Kernel bugs are bad
By TheDoc9 on 11/3/2010 10:59:33 AM , Rating: 2
Yeah, the timing of this is interesting too, I wonder who sits on the board and/or funds Coverity. Perhaps it's Steve Jobs?

In any case every major piece of software in the world has crap tons of the type of bugs they're describing. Software is never really finished, that's why there are always updates and new versions that look exactly the same to the user - but have huge changes under the hood.


RE: Kernel bugs are bad
By kmmatney on 11/3/2010 12:28:42 PM , Rating: 2
So, if you root (or whatever it is) your phone, can you still apply updates to fix security holes? Can it be done over the air as well? I can apply fixes over the air on my jailbroken 3GS - even fixing the flaw that allowed it to be jailbroken. Would want to be able to do this with an Android phone as well, if I was to switch (I have 8 months before I can get a new phone, though).


RE: Kernel bugs are bad
By Alexstarfire on 11/3/2010 12:45:00 PM , Rating: 2
Depends on mods you may do. If you only root it then yes, you can still get OTA updates. I have mods that prevent me from doing OTA updates, but once 2.2 comes to my phone I won't have much need for those mods anymore.

