Feeds

Android kernel leaks like a colander

359 defects, 88 high risk

5 things you didn’t know about cloud backup

Security analysts at Coverity reckon the Android kernel is riddled with security holes, though they still rate it as twice as good as most open-source projects.

Taking the source code from the HTC Incredible, Coverity found .47 defects per 1,000 lines of code, compared with an industry average of 1 per 1,000. That totalled 359 defects, with 88 of those being high-risk items such as memory corruption, memory leaks and uninitialised variables. Buut Coverity won't be providing any details until the end of the year.

The company discovered the flaws though automated analysis of the source code, and will, in the name of responsible disclosure, provide early access to "the Android security team, OEMs, and security researchers" so they can apply fixes, or create proof-of-concept attacks, before the details go public in 60 days.

Until then, we're left to speculate what proportion of those bugs exist across Android kernel implementations – and how many could be usefully exploited for fun and profit. Manufacturers tweak the Android kernel to suit their hardware. The team only picked the HTC Incredible because they happened to have one handy, but the commonality of chip sets in Android handsets makes it likely the majority of flaws are common too.

Exploiting those flaws is another matter entirely. One can imagine a stack overflow allowing an application to break out of the sandbox security, but such an application would likely be quickly identified and (if distributed via the Marketplace) subsequently removed. It's possible that more-easily-exploited flaws exist too, but hopefully they'll be fixed before Coverity goes public.

Being open to scrutiny is one of the advantages of being open source, so this is no reason to trust your Android handset any less, and if you fancy yourself as a security researcher then drop Coverity a line to get more details. ®

The essential guide to IT transformation

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
EE fails to apologise for HUGE T-Mobile outage that hit Brits on Friday
Customer: 'Please change your name to occasionally somewhere'
EE plonks 4G in UK Prime Minister's backyard
OK, his constituency. Brace yourself for EXTRA #selfies
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?