Today we’re launching the Coverity Scan 2010 Open Source Integrity Report, and this year we’re focusing on a particular project: the Android kernel. Actually, there’s really no such thing as “the” Android kernel, since each OEM takes the code and customizes it, adding device drivers and board-specific changes for its own phones. So we picked one: the HTC Droid Incredible. Why the Incredible? Well, one of our sales engineers has one and he wanted to know what bugs are in it. Turns out, there are quite a few.
The highlights of the findings can be found in our report, which I’ll summarize here:
- The average defect density for the Android kernel was 0.47 defects per 1000 lines of code. This is actually pretty good: roughly half the industry average of 1 defect per 1000 lines of code.
- We found 359 defects in total; 88 of these were “high risk”, a category that includes memory corruption, resource and memory leaks, and uninitialized variables.
- The Android-specific portions of the kernel (most of which is derived from Linux) have a higher defect density (0.78 defects / 1000 loc) than the kernel as a whole (0.47).
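To make the “high risk” categories concrete, here is an added illustration, constructed for this page and not code from the HTC kernel tree or from the report: a driver-style probe routine written the way a static analyzer would flag it (uninitialized variable, resource leak on an error path, unbounded copy), beside a corrected version in the usual goto-cleanup style. The struct, the function names, and the allocation tracker with fault injection are all assumptions; malloc/free stand in for the kernel allocators so the file compiles and runs in userspace.

```c
/* Added illustration of the "high risk" defect classes named above: an
 * uninitialized variable, a resource leak on an error path, and a memory
 * corruption (unbounded copy). Constructed for this page, not code from the
 * HTC kernel tree or the Coverity report; malloc/free stand in for kmalloc/kfree. */
#include <stdlib.h>
#include <string.h>

#define ENOMEM_ 12   /* errno values spelled out so no kernel headers are needed */
#define EINVAL_ 22

/* Allocation tracker with fault injection so a harness can observe leaks. */
static int live_allocs = 0;   /* allocations not yet freed */
static int alloc_calls = 0;   /* allocations requested so far */
static int fail_after = -1;   /* index of the allocation to fail; -1 = never */

static void reset_tracker(int fail_nth) { live_allocs = 0; alloc_calls = 0; fail_after = fail_nth; }

static void *track_alloc(size_t n)
{
    if (alloc_calls++ == fail_after) return NULL;   /* simulated allocation failure */
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

struct dev_state {
    char name[8];             /* fixed-size label; the buggy probe overflows it */
    char *rx_buf, *tx_buf;
    size_t buf_len;
};
typedef int (*probe_fn)(struct dev_state *, const char *, size_t);

/* Hypothetical probe routine written the way an analyzer would flag it. */
int probe_buggy(struct dev_state *st, const char *name, size_t len)
{
    int ret;                  /* never assigned on the len == 0 path */
    strcpy(st->name, name);   /* no bound: a name of 8+ chars corrupts memory */
    if (len > 0) {
        st->rx_buf = track_alloc(len);
        if (!st->rx_buf)
            return -ENOMEM_;
        st->tx_buf = track_alloc(len);
        if (!st->tx_buf)
            return -ENOMEM_;  /* rx_buf is never freed: resource leak */
        st->buf_len = len;
        ret = 0;
    }
    return ret;               /* uninitialized read when len == 0 */
}

/* Corrected version: every path sets ret, the copy is bounded, and the error
 * path unwinds the earlier allocation in the usual goto-cleanup style. */
int probe_fixed(struct dev_state *st, const char *name, size_t len)
{
    int ret = -EINVAL_;
    if (len == 0 || strlen(name) >= sizeof(st->name))
        return ret;
    memcpy(st->name, name, strlen(name) + 1);
    st->rx_buf = track_alloc(len);
    if (!st->rx_buf)
        return -ENOMEM_;
    st->tx_buf = track_alloc(len);
    if (!st->tx_buf) {
        ret = -ENOMEM_;
        goto err_free_rx;
    }
    st->buf_len = len;
    return 0;
err_free_rx:
    track_free(st->rx_buf);
    st->rx_buf = NULL;
    return ret;
}

/* Release whatever a probe allocated (the "remove" side of the driver). */
void remove_dev(struct dev_state *st)
{
    track_free(st->tx_buf);
    track_free(st->rx_buf);
    st->tx_buf = st->rx_buf = NULL;
    st->buf_len = 0;
}

/* Run a probe with allocation number fail_nth failing and report how many
 * allocations it left behind. Only the defined leak path of probe_buggy is
 * exercised here; its undefined-behaviour paths are deliberately never run. */
int leak_after_probe(probe_fn probe, int fail_nth)
{
    struct dev_state st = {0};
    reset_tracker(fail_nth);
    probe(&st, "eth0", 16);
    int leaked = live_allocs;
    remove_dev(&st);          /* clean up whatever the probe left behind */
    return leaked;
}

/* Return code of probe_fixed for a given name, length and injected failure. */
int fixed_rc(const char *name, size_t len, int fail_nth)
{
    struct dev_state st = {0};
    reset_tracker(fail_nth);
    int rc = probe_fixed(&st, name, len);
    remove_dev(&st);
    return rc;
}
```

With the second allocation forced to fail, `leak_after_probe(probe_buggy, 1)` reports one allocation left behind while the fixed version reports none; the uninitialized return and the unbounded strcpy in `probe_buggy` are shown but never executed, since both are undefined behaviour rather than something a harness can observe reliably.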
We downloaded the code from HTC’s developer site (http://developer.htc.com), configured, built, and analyzed it, and put the results on a server running our Coverity Integrity Manager web UI. Where is that server, you ask? We’re not handing that out – yet. We’d like to give the Android security team, OEMs, and security researchers roughly 60 days to review the results and fix (or build proof of concept exploits for) anything that might be a security problem. If you fit this description and would like early access to the results, please contact firstname.lastname@example.org.
After the waiting period, we’re going to go public with the full technical details of the results. It’s responsible disclosure, of a sort, updated for a world with powerful automated code testing tools.