
Study: 359 Android code flaws pose security risks

The bad news from Coverity's research: there are plenty of problems in Android. Good news: it's less than the going rate.

Stephen Shankland Former Principal Writer
Figure: Coverity tallied various flaws in Android 2.2 that can lead to security vulnerabilities. (Image: Coverity)

Coverity, a company with tools to check for programming problems that pose security risks, has found 359 of them in a scan of the Android source code.

There are 88 high-risk problems and 271 medium-risk problems in the source code underlying the Android kernel used in HTC's Incredible phone, the company said Tuesday. Android uses the Linux kernel, but the Android-specific components have a higher defect rate than mainstream Linux, Coverity said.

Some good news for Google, though, is that the defect rate is still lower than the industry average of one defect per 1,000 lines of code. Specifically, Android's kernel came in at less than half of that, at 0.47 defects per 1,000 lines, Coverity said.

Some bad news is that the Android-specific code had more problems.

"We found that the Android-specific files had a higher defect density (0.78 defects/kloc) than any other component in the system (the other components consist mostly of files unmodified from a Linux kernel). In addition, the Android-specific files had more high-risk defects than any other component," Coverity said in the report.

Figure: The number and proportion of defects are higher in Android-specific areas of the Linux kernel, according to Coverity. (Image: Coverity)

One issue with Android, along with many other open-source projects with dispersed participation, is pinning down just whose job it is to fix a problem.

"Accountability for Android software integrity is fragmented," Coverity said in its report. "The problem is no different with Android than what we see across open source. Android is based on Linux, which has thousands of contributors. Compound that with the Android developers from Google, the contributors to Android from the larger development community, and OEMs [original equipment manufacturers such as phone makers] that supply components for specific configurations of Android to support different types of devices and the lines of accountability are quickly blurred."