Clean Up HTC's Droid But Don't Panic - InformationWeek
06:39 PM
Charles Babcock
Charles Babcock
Connect Directly

Clean Up HTC's Droid But Don't Panic

Android is yielding solid code, but developers probably need to spend more time debugging.

We should be wary about the "high risk defects" recently found in an Android kernel by a code scanner: wary as in aware of and concerned about them, and wary also as in avoiding too much false alarm.

There are no specific security-threatening exploits that take advantage of the Android defects that anyone knows of. The defects are not widely known because they are part of recently drafted code added to a vendor-sponsored version of the Android kernel. The party responsible for the defective code is phone producer HTC, not Google, although other versions of Android are in use by other device manufacturers, and their mobile operating systems will be subject to future scans.

Why was HTC scanned first? Because it sponsors its Droid Incredible operating system as an open source project and recently posted the open source code to its website. Coverity downloaded it and ran its rigorous scan. It expects to find one defect per 1,000 lines of code on average, whether that code is commercial or open source code. The defect rate in HTC's kernel was .47 defects per 1,000 lines, or slightly less than one per 2,000 lines of code. That's still too high for code that is going into devices depended upon daily by thousands or more likely, hundreds of thousands, of users.

It will also be too many once Coverity publishes its findings 3-4 months out. It's giving both the manufacturer and open source project a chance to close the holes before its scan results are aired and the code is tested again.

Open source projects such as the Linux kernel development process and Samba have achieved incredibly low defect rates, not by writing perfect code, but in a disciplined approach to going back and eliminating defects. The fact that open source code is open to an inspector such as Coverity means you, a member of the public, have a chance to learn about its defect rate. Unlike open source code projects, commercial code vendors pay Coverity to scan their code and neither party airs the results.

The fact that open source defects will be publicized provides an incentive to the project's developers to not let them slide. Rather, they know re-inspection is coming, along with chagrin if they are exposed as not caring about or fixing known defects.

But the main point here is the nature of the defects. Though labeled "high risk," they are not the same as operating system or browser exposures that are inviting a visit by known exploits already in circulation. They are risky more for program integrity and continuous operation than security, although at some point, there is a security exposure as well.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll