Android Code at Risk?
A new report from static analysis vendor Coverity scans the Android code base and finds a pile of common software defects, though the defect density is lower than that of other software.
Google's Android mobile operating system may include a number of high-risk software flaws, according to a new report from static code analysis vendor Coverity.
Coverity detected 359 software defects in the Android Froyo kernel used in the HTC Droid Incredible smartphone. Of those, Coverity identified 88 defects, about 25 percent of the total, as high-risk and potentially a security risk for Android users.
According to Coverity, the defect density in Android isn't actually all that bad compared to other codebases that they've scanned. Coverity is a commercial code analysis vendor and has also been running the Coverity Scan effort since 2006, analyzing open source code for software defects.
"We found that the Android kernel had about half the defect density that you would expect, compared to other industry average codebases of the same size," Andy Chou, Chief Scientist and co-founder of Coverity, told InternetNews.com. "What that means is that a defect density of one defect per approximately one thousand lines of code is industry average; according to our measurements for the Android kernel, the defect density was about 0.47."
The defect density findings change, however, when Android's Linux heritage is taken out of the equation. Chou noted that the Android kernel is derived from the Linux kernel, and when only the Android-kernel-specific parts are measured, the defect density goes up. According to Chou, the defect density of Android-specific kernel code was 0.7 defects per thousand lines of code.
"Android-specific code in the kernel tended to be buggier," Chou said.
Android and the Linux kernel code have a somewhat controversial co-existence. The Android kernel includes changes to the Linux kernel that the mainline Linux kernel has not adopted. Among the most contentious items are Wakelocks, which are used for mobile power management. It's not clear from Coverity's study if Google's Wakelock code is contributing to more or fewer bugs in Android.
"We did scan code that included the use of Wakelocks, however we didn't configure our analysis to do something special just for Wakelocks," Chou said. "The way we configured our analysis is we took the source code from HTC's development site for the Droid Incredible that includes the Android kernel from Google, as well as changes that HTC has made."
As for the potential security risk to Android, Chou noted that it is not 100 percent clear whether the 88 high-risk flaws flagged by Coverity can actually be exploited. The high-risk defect classes identified by Coverity include memory corruption, uninitialized variable usage and resource leaks.
"These could in theory potentially be exploitable," Chou said. "We don't know. We are working with some security researchers to see if the flaws are actually exploitable."
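To show what the three defect classes Chou names look like in code, here is an added example: a constructed, ioctl-style request handler in plain C that contains an uninitialized return value, an unbounded copy of a caller-supplied length into a stack buffer, and an allocation leaked on an error path, followed by a corrected version. This is not code from Coverity, Google or HTC and is not taken from the Android kernel; the request layout, command numbers, buffer sizes and sample payload are assumptions made for the example, and the track_alloc/track_free wrappers stand in for kernel allocators so that the leak can be observed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CMD_ECHO    1
#define CMD_NOOP    2
#define MAX_PAYLOAD 16

/* Hypothetical request format for this example; 'len' is caller controlled. */
struct request { uint32_t cmd, len; const uint8_t *data; };

/* Allocation wrappers with a live-object counter so a leak is observable. */
static int live_allocs;
static void *track_alloc(size_t n) { void *p = malloc(n ? n : 1); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }
int live_allocations(void) { return live_allocs; }

/* BUGGY: (1) 'ret' is never assigned for unknown commands, (2) req->len is
 * copied into a fixed stack buffer with no bound check (stack corruption when
 * len > MAX_PAYLOAD), (3) 'copy' is leaked on the -EINVAL error path. */
int handle_request_buggy(const struct request *req, uint8_t *out, size_t out_len)
{
    uint8_t scratch[MAX_PAYLOAD];
    int ret;                                    /* (1) uninitialised */
    uint8_t *copy = track_alloc(req->len);
    if (!copy) return -ENOMEM;
    switch (req->cmd) {
    case CMD_ECHO:
        memcpy(scratch, req->data, req->len);   /* (2) unbounded copy */
        memcpy(copy, scratch, req->len);
        if (req->len > out_len)
            return -EINVAL;                     /* (3) 'copy' never freed */
        memcpy(out, copy, req->len);
        ret = (int)req->len;
        break;
    case CMD_NOOP: ret = 0; break;
    default: break;                             /* (1) falls through with garbage */
    }
    track_free(copy);
    return ret;
}

/* FIXED: validate before touching memory, initialise the result, and free on
 * every path through a single exit label (the usual kernel idiom). */
int handle_request_fixed(const struct request *req, uint8_t *out, size_t out_len)
{
    uint8_t scratch[MAX_PAYLOAD];
    int ret = -EINVAL;                          /* unknown command is an error, not garbage */
    uint8_t *copy;
    if (req->len > MAX_PAYLOAD || (req->cmd == CMD_ECHO && req->data == NULL))
        return -EINVAL;                         /* reject before any copy */
    copy = track_alloc(req->len);
    if (!copy) return -ENOMEM;
    switch (req->cmd) {
    case CMD_ECHO:
        if (req->len > out_len) {
            ret = -EINVAL;
            goto out;                           /* error path still releases 'copy' */
        }
        memcpy(scratch, req->data, req->len);
        memcpy(copy, scratch, req->len);
        memcpy(out, copy, req->len);
        ret = (int)req->len;
        break;
    case CMD_NOOP: ret = 0; break;
    default: break;                             /* ret stays -EINVAL */
    }
out:
    track_free(copy);
    return ret;
}

/* Constructed scenarios; the payload is made up for this example. */
static const uint8_t sample_payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Echo 8 bytes into a 4-byte output: both handlers return -EINVAL, but only the
 * buggy one leaks. Returns how many live allocations the call left behind. */
int leak_delta_small_output(int use_fixed)
{
    uint8_t out[4];
    struct request r = { CMD_ECHO, sizeof sample_payload, sample_payload };
    int before = live_allocations();
    int ret = use_fixed ? handle_request_fixed(&r, out, sizeof out)
                        : handle_request_buggy(&r, out, sizeof out);
    return ret == -EINVAL ? live_allocations() - before : -1;
}

/* Run the fixed handler on a constructed request (len must be <= 8 unless it is
 * meant to be rejected); returns the handler result, or -1 on a bad echo. */
int run_fixed(uint32_t cmd, uint32_t len, size_t out_len)
{
    uint8_t out[MAX_PAYLOAD];
    struct request r = { cmd, len, sample_payload };
    int ret = handle_request_fixed(&r, out, out_len);
    return (ret > 0 && memcmp(out, sample_payload, (size_t)ret) != 0) ? -1 : ret;
}
```

The buggy handler is only ever exercised here with an in-bounds payload so that the leak can be measured without triggering the stack overflow or the uninitialized read; those two paths are exactly the ones a static analyzer can flag without running the code, since the taint on req->len and the unassigned ret are visible from the source alone. The fix follows the pattern common in Linux kernel code: check the untrusted length before any copy, give the result a defined error value up front, and route every failure after the allocation through one out: label so that no early return can skip the cleanup.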
From a full disclosure perspective, Chou said that Coverity has been in contact with both Google and HTC and has provided them with early access to the findings. A Google spokesperson was not immediately available for comment.
Keep up with mobile security news; follow eSecurityPlanet on Twitter @eSecurityP.