Android Kernel Security Above Average, Below Linux

An analysis of Android on an HTC Droid Incredible identified 359 code defects.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 2, 2010

2 Min Read

Best Mobile Apps For Busy Professionals

Best Mobile Apps For Busy Professionals

(click image for larger view)
Best Mobile Apps For Busy Professionals

Android devices may be viewed with more suspicion than rival smartphones because the more relaxed policing of Android Market apps suggests greater potential risk. But the openness of Android code turns out to be a benefit rather than a liability, at least from a security standpoint.

An analysis of the Android kernel on an HTC Droid Incredible reveals about half as many software defects as expected, according to a report released by software security firm Coverity on Monday.

The Android kernel was found to have 0.47 defects per thousand lines of code, compared to an average of 1 defect per thousand lines of code.

But if Android is twice as good as the industry average, it's half as good as the Linux kernel in terms of defect density. The Android operating system is based upon Linux.

Coverity says this is to be expected given that Android-specific components have been written more recently and newer code tends to have a higher defect density than code that has endured years of static analysis, like the Linux kernel.

Coverity's analysis found 359 defects in the shipping version of Android on an HTC Droid Incredible, 88 of which it classifies as high-risk defects. These flaws include memory corruption bugs, illegal memory access bugs, and resource leaks.

It should be stressed that defects identified in this manner are not necessarily exploitable.

The firm concludes that Android's core platform is sold and that the Android-specific components need further attention to match the standards of Linux.

"We hope that by raising the visibility of the code across the supply chain for Android that the multiple software and device vendors that make Android devices can gain better visibility into the quality of the software components they are using and help hold each other accountable for delivering a high quality end product," Coverity's report says.

Google did not immediately respond to a request for comment.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights