Software
Commentary
11/3/2010
06:39 PM
Charles Babcock
Charles Babcock
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Clean Up HTC's Droid But Don't Panic

Android is yielding solid code, but developers probably need to spend more time debugging.

We should be wary about the "high risk defects" recently found in an Android kernel by a code scanner: wary as in aware of and concerned about them, and wary also as in avoiding too much false alarm.

There are no specific security-threatening exploits that take advantage of the Android defects that anyone knows of. The defects are not widely known because they are part of recently drafted code added to a vendor-sponsored version of the Android kernel. The party responsible for the defective code is phone producer HTC, not Google, although other versions of Android are in use by other device manufacturers, and their mobile operating systems will be subject to future scans.

Why was HTC scanned first? Because it sponsors its Droid Incredible operating system as an open source project and recently posted the open source code to its website. Coverity downloaded it and ran its rigorous scan. It expects to find one defect per 1,000 lines of code on average, whether that code is commercial or open source code. The defect rate in HTC's kernel was .47 defects per 1,000 lines, or slightly less than one per 2,000 lines of code. That's still too high for code that is going into devices depended upon daily by thousands or more likely, hundreds of thousands, of users.

It will also be too many once Coverity publishes its findings 3-4 months out. It's giving both the manufacturer and open source project a chance to close the holes before its scan results are aired and the code is tested again.

Open source projects such as the Linux kernel development process and Samba have achieved incredibly low defect rates, not by writing perfect code, but in a disciplined approach to going back and eliminating defects. The fact that open source code is open to an inspector such as Coverity means you, a member of the public, have a chance to learn about its defect rate. Unlike open source code projects, commercial code vendors pay Coverity to scan their code and neither party airs the results.

The fact that open source defects will be publicized provides an incentive to the project's developers to not let them slide. Rather, they know re-inspection is coming, along with chagrin if they are exposed as not caring about or fixing known defects.

But the main point here is the nature of the defects. Though labeled "high risk," they are not the same as operating system or browser exposures that are inviting a visit by known exploits already in circulation. They are risky more for program integrity and continuous operation than security, although at some point, there is a security exposure as well.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.