Software Testing Blog

Deluge of buggy mobile devices

As the mobile phones released recently have boasted more sophisticated features and operating systems, they have seemed more plagued than ever with software bugs, usually discovered just hours after their release.  This trend of go-to-market, fix-it-later has become more normal than not in the race of competitors to one-up each other.

In September, when Apple released its newest IOS 4.1, it was found to have 24 security holes. 80% of those holes came from WebKit, an open source web browser engine also seen on Android OS and Chrome – which means these defects could be found in the other platforms.

These bugs open the door to hackers and leave the OS vulnerable to breaches.  Hackers can take advantage of these holes to break into a phone just by having the user visit a bad site on the browser. Mobile devices are the next frontier for hackers.

But the software bugs exposed in the recent mobile device releases are nothing new. These bugs are well-known and well-understood in the development community – the same “use after free” and buffer overflow defects we’ve seen for decades. If you look back to the 80s and 90s when Windows was the dominant operating system, its security woes were caused by the same kind of defects.  Now we’re dealing with a new generation of software, but we’re learning the same lessons all over again.

One of the reasons for the uptick in bugs is growing time-to-market pressure. With the rush to get out the latest and greatest product, manufacturers and developers are forced to cut corners. They’re not using enough testing techniques before the product is out the door to the customer.

Another factor driving integrity problems in mobile devices is the complexity of multiple system integrations. Each device has software at the chip, driver, OS, and application layer. All of these software components and their integrations with each other need to be tested at the code level to prevent costly product delays, or even worse, recalls.

It’s also worth noting why hackers are targeting mobile devices. As the famous Willie Sutton quote says, “I rob banks because that is where the money is.” Hackers attack your phone and smart devices because that is where the transactions are happening. It used to be bad enough when a thief would steal your credit card number. Now they can steal your life in your phone, by accessing and selling all your personal data. Who you call, what you email and text, where you browse, where you are at this very moment can be accessed on your phone. Code testing to protect the integrity of these devices will soon be a mandate.

  1. Hi, i have a question about few technical things. Linux kernel will drop Big Kernel Lock. I guess zero-BKL kernel has benefit for Coverity. Is this true? Secondly, Linux kernel was recently found some Local Privilege Escalations (CVE-2009-1527, CVE-2010-3904, etc..). Is Coverity able to prevent this type bugs?

Leave a Reply

Your email address will not be published. Required fields are marked *