Study: 359 Android code flaws pose security risks

The bad news from Coverity's research: there are plenty of problems in Android. Good news: it's less than the going rate.

Coverity tallied various flaws in Android 2.2 that can lead to security vulnerabilities. (Image: Coverity)

Coverity, a company with tools to check for programming problems that pose security risks, has found 359 of them in a scan of the Android source code.

There are 88 high-risk problems and 271 medium-risk problems in the source code underlying the Android kernel used in HTC's Incredible phone, the company said Tuesday. Android uses the Linux kernel, but the Android-specific components have a higher defect rate than mainstream Linux, Coverity said.

Some good news for Google, though, is that the defect rate is still lower than the industry average of one defect per 1,000 lines of code. Specifically, Android's kernel was less than half of that: 0.47 defects per 1,000 lines, Coverity said.

Some bad news is that the Android-specific code had more problems.

"We found that the Android-specific files had a higher defect density (0.78 defects/kloc) than any other component in the system (the other components consist mostly of files unmodified from a Linux kernel). In addition, the Android-specific files had more high-risk defects than any other component," Coverity said in the report.

The number and proportion of defects are higher in Android-specific areas of the Linux kernel, according to Coverity. (Image: Coverity)

One issue with Android, along with many other open-source projects with dispersed participation, is pinning down just whose job it is to fix a problem.

"Accountability for Android software integrity is fragmented," Coverity said in its report. "The problem is no different with Android than what we see across open source. Android is based on Linux, which has thousands of contributors. Compound that with the Android developers from Google, the contributors to Android from the larger development community, and OEMs [original equipment manufacturers such as phone makers] that supply components for specific configurations of Android to support different types of devices and the lines of accountability are quickly blurred."
