Android security flaws uncovered
Nov 4, 2010 — by Eric Brown — from the LinuxDevices Archive
Coverity found 88 “high-risk” defects in Android 2.2's kernel, but noted that Android's defect density is lower than the industry average for mobile OSes. Meanwhile, Lookout Mobile Security announced Lookout Premium for Android, featuring advanced security and privacy features, says eWEEK.
Software integrity firm Coverity discovered 359 security defects, including 88 high-risk defects, in the source code for the Android 2.2 kernel. Coverity tested only the kernel used in HTC's Droid Incredible (pictured), sold by Verizon Wireless. However, the tests provide a good indication of the general state of Android security, says the company.
"There are many more vendors than Google and HTC that contributed code into the kernel," stated Coverity co-founder Andy Chou. Coverity did not publicly list specific defects, but informed HTC of the details.
Cited issues in the Android kernel, which is a custom version of the Linux kernel, include problems such as memory corruptions, NULL pointer dereferences, and resource leaks. All these could potentially lead to security vulnerabilities or system crashes, said the company.
The company notes, however, that the Android kernel has a defect density of 0.47 defects per 1,000 lines of code, said to be better than the industry average for similar operating systems of one defect per 1,000 lines of code.
"The Coverity Scan results for the Android kernel we tested show a better than average defect density, meaning this specific kernel is shipping with fewer defects than the industry average for software of this size," stated Chou. "However, a significant number of these defects are the high risk types that our customers typically fix before shipping their products to market."
The finding was released as part of the "2010 Coverity Scan Open Source Integrity Report," which was originally initiated between Coverity and the U.S. Department of Homeland Security in 2006. The study includes analysis of more than 60 million lines of code from 291 widely used open source projects, including Firefox and Apache. All told, some 15,278 defects were found in these open source kernels, says Coverity.
"We are hoping that this report will shed some light on this issue and show that ultimately, for consumers, defects are defects, no matter where the code comes from," Chou said.
Lookout Premium for Android
Lookout Mobile Security announced Lookout Premium for Android, an app that is said to offer advanced security and privacy features for Android devices, according to a Nathan Eddy story in our sister publication, eWEEK.
The Android version debuts a new "Privacy Advisor" feature that lets users scan every app they download, said the story. Users can also view a list of apps that can access their private data, including identity information, location, and messages, says the story. In addition, users can view app reports on the capabilities of these applications on their phone, says eWEEK.
A recent Lookout research study was said to have found that on average, smartphone users have 31 apps on their phones that can access their identity information, plus 19 apps that access their location, and five apps that can tap their SMS and MMS messages.
Lookout Premium (pictured here on a Motorola Droid) includes all the features available in Lookout Free, a no-cost version of the app that is already available for Android, as well as for BlackBerry and Windows Mobile.
The Premium version adds more security and privacy protection with the Privacy Advisor, as well as more comprehensive tech support. Other Premium features are said to include remote wipe and remote lock, as well as enhanced backup and restore of photos, call history, and contacts.
Recently, Symantec ported its Symantec Mobile Management 7.0 security app to Android, as well as to Apple iOS, building upon its BlackBerry and Windows Mobile base, says eWEEK. In addition, the company offers a more consumer-oriented Norton Mobile Security for Android app, still in beta, and expected to be generally available in the coming months.
Availability
The free "Coverity Scan 2010 Open Source Integrity Report" on the Android kernel may be found here.
Lookout Premium will be available for Android users via Android Market or Lookout's website on Nov. 16 for $3 per month or $30 annually, with a 30-day free trial. Lookout Mobile Security may be found here.
The eWEEK story on Lookout Premium may be found here.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc.