
Serious Security Bugs Found In Android Kernel

timothy posted more than 3 years ago | from the dang-thought-we-had-those dept.

Bug 230

geek4 writes with this excerpt from eWeek Europe: "An analysis of Google Android Froyo's open source kernel has uncovered 88 critical flaws that could expose users' personal information. An analysis of the kernel used in Google's Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users' personal information, security firm Coverity said in a report published on Tuesday. The results, published in the 2010 edition of the Coverity Scan Open Source Integrity Report, are based on an analysis of the Froyo kernel used in HTC's Droid Incredible handset. ... While Android implementations vary from device to device, Coverity said the same flaws were likely to exist in other handsets as well. Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk."


Serious first post (-1)

Anonymous Coward | more than 3 years ago | (#34106658)

Is serious

Re:Serious first post (-1, Flamebait)

Jeremiah Cornelius (137) | more than 3 years ago | (#34107656)

This is Google, you know: a privacy flaw exposed in the kernel of their device isn't a FLAW! It's a business-enabling FEATURE. If your business is Google's...

Why are Google treated as the great, open alternative and god's gift to geekdom? They really suck eggs. I mean after search, what have they delivered besides betas and hype? Collapsible threads in webmail? It may take someone 11 interviews to be hired at GOOG. That doesn't mean they get the best and brightest.

Someday, we will really regret putting the Google panopticon at the center of the Internet.

The most interesting thing about that article... (0, Flamebait)

metrix007 (200091) | more than 3 years ago | (#34106674)

Is that Android now dominates the smartphone market. Thank fuck. The less dominance Apple have with their fucked up control-everything-for-you policies, the better.

I don't know much about these platforms, but Android is based on Linux, yes? So would many of these vulns still be in Linux?

Re:The most interesting thing about that article.. (0, Troll)

cinderellamanson (1850702) | more than 3 years ago | (#34106722)

no probs man, if it's linux then it has MAC so no fucking worries man!

Re:The most interesting thing about that article.. (1)

metrix007 (200091) | more than 3 years ago | (#34106958)

I understand you don't have a great understanding of security practices, so let me enlighten you. MAC is great as an additional layer of protection and enforces least privilege. That doesn't mean we should ignore security vulnerabilities. Got it? Great.

Re:The most interesting thing about that article.. (0, Troll)

cinderellamanson (1850702) | more than 3 years ago | (#34107032)

you mean it would have been better if the 88 bugs hadn't been there in the first place, even with MAC as implemented by the GOOG?

Re:The most interesting thing about that article.. (1)

metrix007 (200091) | more than 3 years ago | (#34107140)

I should have known from your original response you were just a troll.

Re:The most interesting thing about that article.. (0)

Anonymous Coward | more than 3 years ago | (#34107198)

Give him a break. He could just be clueless.

Re:The most interesting thing about that article.. (-1, Flamebait)

cinderellamanson (1850702) | more than 3 years ago | (#34107202)

Nah, bud, I'm not a troll. I just thought the irony, considering what your response to me was this morning, was absolutely fucking hilarious. And I think you're full of shit.

Re:The most interesting thing about that article.. (1)

metrix007 (200091) | more than 3 years ago | (#34107566)

See, you are a troll. Your argument in the OBSD post was simple zealotry without understanding what you are saying, as evidenced by your lack of a reply. Then you couldn't let go and trolled with the same shit in a completely different thread. Funny :)

Re:The most interesting thing about that article.. (0, Offtopic)

cinderellamanson (1850702) | more than 3 years ago | (#34107580)

Offtopic sorry. I will repost shortly back in the thread and you are not exactly full of shit.

Re:The most interesting thing about that article.. (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#34106742)

"I don't know much about these platforms" - Thanks for your input mr obvious.

Re:The most interesting thing about that article.. (4, Informative)

AuMatar (183847) | more than 3 years ago | (#34106744)

Probably not many. Android has a rather large application framework running on top of Linux. The flaws are most likely in it, and most likely allow you to get access to data that you don't have permission to (permissions are implemented in the same code layer). When people talk about android, android isn't really an OS- it's more like Gnome or KDE with a basic permission system hacked on (and a totally Android only API).

Re:The most interesting thing about that article.. (2, Interesting)

dragonturtle69 (1002892) | more than 3 years ago | (#34107056)

I must be missing the link to the study results. Oh, won't be out until next year, to allow for patching.

So, maybe something, maybe nothing.

There are better releases on Coverity's site, http://coverity.com/ [coverity.com]

Re:The most interesting thing about that article.. (1)

the_humeister (922869) | more than 3 years ago | (#34107392)

I don't see how Android isn't an OS. Sure, it runs on top of the Linux kernel, but that's like saying Mac OS X isn't really an OS because it's just a window/desktop manager and accompanying API running on top of the XNU kernel (and theoretically, Apple could have forked their own Linux kernel and used that instead of XNU).

Re:The most interesting thing about that article.. (4, Interesting)

AuMatar (183847) | more than 3 years ago | (#34107456)

Depends on your definition of OS. There's more than 1 definition, one of which translates to "the kernel" and another translates to "everything that comes with a computer", and a couple in between. When most technical people say OS, they mean the program that controls access to the hardware and provides system services- the kernel. By that definition Android is a framework on top of the OS. And in functionality it's far closer to a window manager than a kernel.

Re:The most interesting thing about that article.. (1)

the_humeister (922869) | more than 3 years ago | (#34107612)

Who exactly are these "technical people" you speak of? I know of no technical person who refers to Mac OS X as XNU. I know of no technical person who refers to Windows 7 as whatever the Windows 7 kernel is called.

Re:The most interesting thing about that article.. (3, Insightful)

exomondo (1725132) | more than 3 years ago | (#34107596)

Probably not many.

Well 88 were found in the kernel, which is a linux kernel. But who knows how many of those are in the actual linux kernel mainline.

Re:The most interesting thing about that article.. (1, Informative)

Anonymous Coward | more than 3 years ago | (#34106782)

I don't know much about these platforms, but Android is based on Linux yes? SO would many of these vulns still be in Linux?

No. Android is a Java-like virtual machine, some libraries implementing an API, a user interface and a standard set of user-level tools, all of which runs on top of a Linux kernel. The story refers to Android issues, not Linux issues.

Re:The most interesting thing about that article.. (2, Informative)

AndrewNeo (979708) | more than 3 years ago | (#34107222)

Huh? Dalvik is a Java-like virtual machine. Android is the API, UI and user tools, running on top of Linux.

Re:The most interesting thing about that article.. (3, Insightful)

vakuona (788200) | more than 3 years ago | (#34106794)

I don't think Apple was going for domination of the smartphone. Apple wants to sell lots of expensive smartphones, and they are not going to sell 100m of those year to year.

Re:The most interesting thing about that article.. (1)

dimeglio (456244) | more than 3 years ago | (#34106930)

It will soon be time to upgrade. What do you think iPhone users will upgrade to? Apple just needs to stay slightly ahead of Android, Phone 7 and others, then throw in some "wow" factor in order to keep selling millions of smartphones.

Re:The most interesting thing about that article.. (1)

Savage-Rabbit (308260) | more than 3 years ago | (#34107556)

It will soon be time to upgrade. What do you think iPhone users will upgrade to? Apple just needs to stay slightly ahead of Android, Phone 7 and others, then throw in some "wow" factor in order to keep selling millions of smartphones.

If they really go ahead, turn the Mac into a glorified iPod and turn OS X into a Java free zone I can tell you right now that I'll be upgrading to Ubuntu on my Mac. I'll have no choice since I do a lot of java development. I won't like switching very much but Linux is a damn sight better than Windows 7. Additionally, since Linux is an iTunes free zone I'll probably upgrade to an Android cell-phone.

Re:The most interesting thing about that article.. (2, Informative)

Anonymous Coward | more than 3 years ago | (#34106936)

The only reason Android is selling more phones in the US is because they are on more carriers. Which is about to change. Android will take a big hit when that happens just as happened in Europe.

Whoever the idiot is who thinks OS X uses Linux needs to get a clue. It's the Mach kernel, some BSD subsystems, Darwin, and a UI layer.

Re:The most interesting thing about that article.. (1)

metrix007 (200091) | more than 3 years ago | (#34106970)

No one said anything about OS X using Linux, that I can see.

Re:The most interesting thing about that article.. (0, Redundant)

mweather (1089505) | more than 3 years ago | (#34107078)

Darwin IS the Mach kernel, Mr. Redundant.

Re:The most interesting thing about that article.. (1)

the_humeister (922869) | more than 3 years ago | (#34107416)

XNU is the kernel. Darwin is the subsystem without the UI layer. It's almost akin to a Debian base installation.

Re:The most interesting thing about that article.. (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#34107506)

Oh shit, I'm going to have a nerdgasm!!

Re:The most interesting thing about that article.. (2, Informative)

cr_nucleus (518205) | more than 3 years ago | (#34106972)

Apple wants to sell lots of expensive smartphones

The device is only a mean to get people to pay for applications...

Re:The most interesting thing about that article.. (2, Funny)

Dhalka226 (559740) | more than 3 years ago | (#34107094)

they are not going to sell 100m of those year to year.

Why not? This year's model is EVEN MORE SHINY!!!

Re:The most interesting thing about that article.. (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34106980)

Damn straight! I'm so glad that google -- a company that wants to collect every piece of information about me and resell it -- is dominating the smartphone market. I mean, hey, if I wanted some sort of privacy, I should change my name and move!

Coverity uncovered a total of 359 bugs, but... (-1, Troll)

Smidge207 (1278042) | more than 3 years ago | (#34106676)

...know that God can help you live a better life if you want Him to help you. You can have a personal relationship with God by saying the prayer below. God is our Creator, all-knowing, all-powerful, eternal, holy, love. God loves us and sent us His Son, Jesus Christ, so we can go to heaven if we know and follow Him. Forever means without end -- time on and on without death. Forever is what happens after we die. Either we go to heaven and be with God forever, or we go to hell which is very bad and painful forever. The good people who are saved believers in Jesus Christ go to heaven. The bad people go to hell. We need to know and follow God in this world to get to heaven in the next world. We follow God by loving and obeying Him and loving others for Him. Jesus Christ, God's Son, is our bridge to God. Jesus died on the cross to cancel our sins. We need to accept Jesus into our life as our Lord and Savior forever to receive God's blessing and forgiveness plus go to heaven to be with God forever after we die. This is about being a born-again Christian. Faith in God is a gift from God. You can pray for faith in God. Just speak out and ask God for the faith to believe in Him and to follow Him. Some people find faith in God when they realize the beauty in the world is made by God. Evolution can't explain the world's natural beauty, for example, the parks in the world, animals, flowers, peacocks, sunsets, butterflies, rainbows, etc. After you have your faith on, you can pray a sinner's prayer to be a born-again Christian. This prayer is very important and should be said with a sincere heart and faith in God. This is the prayer: "Dear God, I know that I am a sinner and that Jesus Christ is the sacrifice for our sins. I have done the following sins (state these out) and I pray to discontinue these sins. I pray to receive Jesus Christ into my life as my Lord and Savior forever. In Jesus' name, amen." I'm Lutheran and I like the Baptist churches too. 
You could check out a Christian church and also see about their weekly Bible study group as a good way to learn about God's will for your life. You can pray to God about your daily life and have a Christian church pray for you.

Re:Coverity uncovered a total of 359 bugs, but... (2, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#34106996)

There's an app for that ;-)

88 critical flaws (5, Funny)

Anonymous Coward | more than 3 years ago | (#34106680)

88 Critical flaws on the wall... 88 critical flaws... You take one down, pass it around...

Re:88 critical flaws (5, Funny)

icannotthinkofaname (1480543) | more than 3 years ago | (#34106704)

You take one down, pass it around...

...89 critical flaws on the wall! ...shit, wait. My bad. These bugs are harder to fix than I thought they would be.

Re:88 critical flaws (1)

dkleinsc (563838) | more than 3 years ago | (#34107064)

If only bottles of beer worked that way. Maybe if I try and grab 255 at a time ...

Re:88 critical flaws (3, Funny)

blackraven14250 (902843) | more than 3 years ago | (#34107006)

There's more redundancy in the summary than there are flaws in Android kernel.

Re:88 critical flaws (1)

4phun (822581) | more than 3 years ago | (#34107356)

88 Critical flaws on the wall... 88 critical flaws... You take one down, pass it around...

Android: Coverity uncovered "a total of 359 bugs, about one-quarter of which were classified as high-risk".

With Android in your pocket you ARE living on the edge!

Re:88 critical flaws (0, Flamebait)

NatasRevol (731260) | more than 3 years ago | (#34107498)

With Android, Google doesn't care about your personal information (again). Just ask Eric Schmidt. He'll tell you if you don't like it, don't use it.

Bug bounties? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34106690)

How much are these worth in bug bounty money?

Re:Bug bounties? (3, Insightful)

WrongSizeGlass (838941) | more than 3 years ago | (#34107002)

How much are these worth in bug bounty money?

To Google or to exploit writers? I'm sure they're both offering bounties but I don't think they pay the same.

bounties? it's like tower defense game (1)

whiteboy86 (1930018) | more than 3 years ago | (#34107326)

Too many easy to zap bugs in this wave, just wait for next wave of bugs then make $$ defense upgrades.

Bounty (1)

hellkyng (1920978) | more than 3 years ago | (#34106694)

No wonder google didn't open up the security vulnerability bounty for Android...

I'm so scared (0)

Anonymous Coward | more than 3 years ago | (#34106700)

That's it then, I'm ditching my Android right now and getting a Winders SeVen pHone.

Should have waited (1, Funny)

Anonymous Coward | more than 3 years ago | (#34106702)

Should have waited and purchased a Windows 7 phone...

Re:Should have waited (4, Funny)

TheRaven64 (641858) | more than 3 years ago | (#34106828)

Windows 7 Phones have no security vulnerabilities at all. Not even attackers have worked out how to run code on them...

Re:Should have waited (1)

markdavis (642305) | more than 3 years ago | (#34106904)

...because nobody has one or wants to have one :)

Re:Should have waited (2, Interesting)

Bill_the_Engineer (772575) | more than 3 years ago | (#34107214)

Haven't you seen the commercial? Everyone with a Windows 7 phone has wrecked their car trying to get it to work.

Re:Should have waited (1)

WrongSizeGlass (838941) | more than 3 years ago | (#34107016)

Should have waited and purchased a Windows 7 phone...

I think you can pick up a Kin on eBay ... I don't think they're too worried about security issues.

Ok... (0, Troll)

al0ha (1262684) | more than 3 years ago | (#34106708)

So what is the story, Tavis Ormandy exposes Windows bugs but does not work on top Google projects?

Re:Ok... (5, Interesting)

taviso (566920) | more than 3 years ago | (#34107090)

Odd, I don't know why you're picking on me, but I assume "Android Kernel" is marketing-speak for "Linux", in which I've found, reported and fixed dozens of flaws over the years.

As you're so interested, here are some from the last month or two that you can take a look at.

CVE-2010-3080, A use-after-free in snd_seq_oss_open
CVE-2010-2960, A to-userspace dereference in keyctl_session_to_parent.
CVE-2010-2954, Kernel panic and to-userspace dereference in AF_IRDA sockets.
CVE-2010-3067, Various problems with aio (things like aio_submit())

The coverity results I've seen in the past are generally very low quality with a high density of chaff. I haven't seen the report they're talking about, but would be surprised if there were any noteworthy findings with any significant security impact. The only report I've seen them publish that had any convincing vulnerabilities was in 2006, where they found a verifiable privilege escalation in XFree86 (due to a pretty horrendous typo).

I'm a little saddened that you so readily associate me with Windows security, whereas I consider myself primarily a Linux security developer, but I guess I'm flattered that where I spend my time is so important to you.

(perhaps a little creepy, though).
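The first CVE in the list above is a use-after-free in a driver's open path. The block below is an added example written for this page; it is not code from the thread, from Coverity's report, or from the Linux/Android kernel. It models that bug class in plain user-space C with an invented client table (`dev_table`), a failing second setup step (`late_init`), and an `open`/`close` pair: `open_vulnerable` frees the object on the error path while a global still points at it, so the next `close_client` reads freed memory; `open_fixed` unwinds the registration before the free. Every name in it is an assumption for illustration, not a real driver symbol.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEVS 4

/* Per-open private state, standing in for a driver's per-client struct
 * (invented for this example). */
struct dev_priv {
    int index;
    int ready;
};

/* Global client table: the "other reference" that keeps a freed object
 * reachable when an error path forgets to unregister it. */
static struct dev_priv *dev_table[MAX_DEVS];

static int register_client(struct dev_priv *p)
{
    if (p->index < 0 || p->index >= MAX_DEVS)
        return -EINVAL;
    if (dev_table[p->index])
        return -EBUSY;
    dev_table[p->index] = p;
    return 0;
}

/* A later setup step that can fail; simulate_failure stands in for a
 * hardware or allocation error. */
static int late_init(struct dev_priv *p, int simulate_failure)
{
    if (simulate_failure)
        return -EIO;
    p->ready = 1;
    return 0;
}

/* VULNERABLE: on late_init() failure the object is freed, but the table
 * slot registered a few lines earlier still points at it.  The next
 * close_client() on that index reads freed memory.  This is the shape an
 * interprocedural static analyser reports as "freed pointer still
 * reachable from a global"; ASan/KASAN would catch it at runtime. */
int open_vulnerable(int index, int simulate_failure)
{
    struct dev_priv *p = calloc(1, sizeof(*p));
    int rc;

    if (!p)
        return -ENOMEM;
    p->index = index;
    rc = register_client(p);
    if (rc) {
        free(p);
        return rc;
    }
    rc = late_init(p, simulate_failure);
    if (rc) {
        free(p);          /* BUG: dev_table[index] == p is left dangling */
        return rc;
    }
    return 0;
}

/* FIXED: the error path unwinds the registration before the free, so
 * nothing can reach the object after it is gone. */
int open_fixed(int index, int simulate_failure)
{
    struct dev_priv *p = calloc(1, sizeof(*p));
    int rc;

    if (!p)
        return -ENOMEM;
    p->index = index;
    rc = register_client(p);
    if (rc)
        goto err_free;
    rc = late_init(p, simulate_failure);
    if (rc)
        goto err_unregister;
    return 0;

err_unregister:
    dev_table[index] = NULL;
err_free:
    free(p);
    return rc;
}

/* 1 if the slot still references an object, 0 otherwise. */
int slot_is_live(int index)
{
    return index >= 0 && index < MAX_DEVS && dev_table[index] != NULL;
}

/* close(): tears down a live client and returns its index, or -ENODEV
 * if the slot is empty.  After open_vulnerable() failed, the p->index
 * read below is the use-after-free. */
int close_client(int index)
{
    struct dev_priv *p;
    int seen;

    if (index < 0 || index >= MAX_DEVS)
        return -EINVAL;
    p = dev_table[index];
    if (!p)
        return -ENODEV;
    seen = p->index;
    dev_table[index] = NULL;
    free(p);
    return seen;
}

int main(void)
{
    int rc = open_fixed(1, 1);   /* forced late_init() failure */
    printf("open_fixed -> %d, slot live = %d\n", rc, slot_is_live(1));
    printf("close_client -> %d (expect %d)\n", close_client(1), -ENODEV);
    return 0;
}
```

Running the fixed path under a forced failure leaves the slot empty and `close_client` returns `-ENODEV`; calling `open_vulnerable(1, 1)` followed by `close_client(1)` instead is exactly the trace a sanitizer build reports as a heap-use-after-free, which is why the example never calls it.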

Re:Ok... (0)

Anonymous Coward | more than 3 years ago | (#34107424)

The Android Kernel is actually a lot different from Linux by now.

Does it also cause sentences to duplicate? (5, Funny)

ruiner13 (527499) | more than 3 years ago | (#34106720)

An analysis of Google Android Froyo's open source kernel has uncovered 88 critical flaws that could expose users' personal information. An analysis of the kernel used in Google's Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users' personal information

Does it also cause words in sentences to duplicate? Does it also cause sentences to duplicate? Also, was this submission done on an Android phone?

Re:Does it also cause sentences to duplicate? (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34106832)

No, no... And well, sort of: the submission was done using a series of LightBrights, using the colours as different values in hexadecimal, taken from a picture with an Android phone, and then run through an image processor to turn those light values into hex. Then some open source hex-to-string converter for the submission. So while the duplicate sentences might have been one of the other 271 bugs they found in the Android phone, there's a lot of other places this bug might have taken place.

*gasp* (1)

bigspring (1791856) | more than 3 years ago | (#34106732)

This number clearly differs from that of equivalent closed source systems! It's a shame that there's no current method for the community at large to help address these issues!

Is it just me? (-1, Flamebait)

hatten (1640681) | more than 3 years ago | (#34106734)

Or is that a shitload amount of bugs? Wtf are the devs doing?

Re:Is it just me? (0)

Anonymous Coward | more than 3 years ago | (#34106974)

Actually, since this is open source - the people finding the bugs should have fixed them and posted the changes to the repository. Since they didn't do that, they must not care about the FLOSS community. For shame.

Re:Is it just me? (3, Interesting)

V!NCENT (1105021) | more than 3 years ago | (#34107300)

Android uses outdated kernels in every release. Those issues are like "Hey grab a bugfix list from the latest kernel and write a study in which you supposedly hunted down these bugs yourself".

It's like an unpatched Vista Service Pack Zero and then reporting about bugs that have already been fixed...

Android or Linux (4, Interesting)

MSG (12810) | more than 3 years ago | (#34106746)

Apparently no word on whether these are flaws in the vanilla kernel which Google has inherited, or flaws in the code that Google wrote.

Re:Android or Linux (0)

Anonymous Coward | more than 3 years ago | (#34107284)

Apparently no word on whether these are flaws in the vanilla kernel which Google has inherited, or flaws in the code that Google wrote.

TFA specifically mentions that the Android kernel has more vulnerabilities than stock Linux kernels in general.

So, it seems that either Android is not benefiting from upstream Linux kernel fixes, or Android kernel devs are introducing vulnerabilities. Either way, not good. Forking Linux has its risks; this is a major one of them.

Re:Android or Linux (1)

wrook (134116) | more than 3 years ago | (#34107298)

Or flaws in the code that HTC wrote...

score one for open source (2, Insightful)

SoupGuru (723634) | more than 3 years ago | (#34106818)

Vulnerabilities are found and hopefully patched.

As for Windows Phone 7, what we don't know won't hurt us, right?

Re:score one for open source (3, Funny)

cyber-vandal (148830) | more than 3 years ago | (#34106876)

What we don't use surely?

88 bugs... (2, Funny)

MrEricSir (398214) | more than 3 years ago | (#34106830)

...about 44 women?

Re:88 bugs... (1)

drcheap (1897540) | more than 3 years ago | (#34106962)

Congratulations, you just showed your age with that song reference. ...crap, and so did I by replying.

Re:88 bugs... (2)

geekoid (135745) | more than 3 years ago | (#34107204)

Android is an open System, open to the whole wide world.
Window is a bitter pill, security is a joke,
iOS is a controlling freak, locked down app to unfurl.
Linux lays the code right out, guarded by bearded blokes.

Re:88 bugs... (1)

zill (1690130) | more than 3 years ago | (#34107466)

Linux lays the code right out, guarded by bearded blokes.

Not just any bearded blokes, but bearded blokes with swords. [xkcd.com]

Re:88 bugs... (1)

zoid.com (311775) | more than 3 years ago | (#34107338)

Very nice "Nails" reference MrEricSir.

coverity's mindless drivel (5, Interesting)

Lead Butthead (321013) | more than 3 years ago | (#34106834)

Those "critical" and "serious" labels are largely meaningless; Coverity allows you to configure classes of "problems" as being one of several different severities. It is what the sysadmin of Coverity wants it to be. If so desired, buffer overflow could be configured to the severity of "minor."

Re:coverity's mindless drivel (1)

drcheap (1897540) | more than 3 years ago | (#34106988)

Exactly. Want to guess what percentage of my internal bug tracking submissions at work are initially tagged as "critical" before they are even confirmed?

Hint: It's pretty close to the # that are marked "very low" after initial review :)

Re:coverity's mindless drivel (1)

mrawhimskell (1794156) | more than 3 years ago | (#34107604)

"ELOI, ELOI, LAMA SABACHTANI"

My God, my God, why hast thou forsaken me - Jesus' words to God when He hung on Calvary's tree dying for the sins of the whole world. Phew. 'Twas worth it.

this is a Success for open-source! (1, Insightful)

NuShrike (561140) | more than 3 years ago | (#34106892)

They are outed, and so get fixed even faster.

Good luck with the iOS/Wimpy7s bugs that are never announced/found due to this type of peer-review, and so there's no priority to fix them.

Re:this is a Success for open-source! (5, Interesting)

drcheap (1897540) | more than 3 years ago | (#34107044)

They are outed, and so get fixed even faster.

Well, sort of. Even if they get fixed quickly by developers, the time it takes them to actually get fixes to consumer devices is huge. That deployment process relies on device manufacturers who often customize the OS a bit per-device and cell carriers who have to push out the updates. For them it's just an expense/loss of resources, so unless it's something really serious they don't even seem to put much effort into it.

Re:this is a Success for open-source! (1)

wrook (134116) | more than 3 years ago | (#34107330)

This is an issue I have with this kind of consumer electronics that use open source software as the base. They have to be able to let me patch my own device. Maybe not everyone can do it, but personally I don't want to wait for my phone company to push an update to me (which might be never). It's the reason I won't buy an Android device unless I can get root and can flash my own roms. If I can't do that it might as well be closed, proprietary software.

Re:this is a Success for open-source! (0)

Anonymous Coward | more than 3 years ago | (#34107494)

It's the reason I won't buy an Android device unless I can get root and can flash my own roms.

I don't know why this comment is modded up as it's plain wrong. Sure, many consumers may not know (or want to know) about flashing their device but the process has been simplified time and again to make it more accessible to the userbase.

You've been able to do exactly this since the first Android device. In fact, there is quite a large community of independent developers (who would have thought!?) producing their own custom ROMs for many different Android phones.

Captcha: limited

Re:this is a Success for open-source! (0)

Anonymous Coward | more than 3 years ago | (#34107410)

Pffft, yeah right. Probably 99% of Android phones aren't even running (or even capable of running) the latest version of Android.

Android is a weird thing. Because all the phone manufacturers have custom versions of it running on their phones you always get stuck with some old version and there is no way to upgrade until the manufacturer does a new release (which they generally never do, especially not major upgrades of the OS; often they have moved on to the next new phone and don't bother with upgrades for the old ones).

details? (2, Insightful)

JustFisher (1123293) | more than 3 years ago | (#34106946)

Android revision? Which kernel version? What are those 88? Did they find kernel flaws or app platform flaws in general? What are you/they talking about?

Re:details? (1)

ZosX (517789) | more than 3 years ago | (#34107022)

They studied froyo. RTFA already.

Re:details? (1)

SirThe (1927532) | more than 3 years ago | (#34107584)

2.6.32

coverity is a great tool. (4, Interesting)

gonar (78767) | more than 3 years ago | (#34106990)

we use it at .

Coverity is the commercial offshoot of the old Stanford Checker that found something like 2500 critical bugs in the linux kernel back when it (the checker) was just a grad school project. the bugs got fixed very quickly and linux was better for it.

that said, Coverity's definition of serious or critical is not necessarily what most developers could call critical (haven't read the bug list, but from personal experience.....)

in any case, this is a win. these bugs are now known, and google/community will fix them within days if they haven't already been fixed (I hope Coverity had the decency to inform google prior to their press release)

Re:coverity is a great tool. (2, Informative)

Esospopenon (1838392) | more than 3 years ago | (#34107154)

If you had read TFA, you'd have seen that Coverity is not releasing any details until January to allow Google and vendors to fix things.

Re:coverity is a great tool. (1)

RenderSeven (938535) | more than 3 years ago | (#34107668)

...assuming they buy Coverity licenses. Which are very expensive. Nice sales tool to announce a 'secret' list of critical flaws to force Google and AnDev's to buy their software, while getting lots of free press.

Re:coverity is a great tool. (0)

Anonymous Coward | more than 3 years ago | (#34107174)

we use it at .

Is that like Slashdot without the slash?

coverity is a code review tool (1)

pikine (771084) | more than 3 years ago | (#34107314)

Coverity is really a code review tool. From your code, it tries to construct a model that shows your code is correct (static analysis + type inference). If it can't, the code is flagged, and it should be reviewed by a human. The flagged code may or may not be a bug, only that Coverity couldn't prove its correctness. If anything, I would advocate that the code should be rewritten in order to pass Coverity check, in the same spirit that if another competent person doesn't understand your code, you should probably rewrite it to make it more clear.

However, I've not seen any formal soundness proof of Coverity itself. As a result, Coverity may very well accept buggy programs as correct. This would certainly limit the tool's usefulness.

Re:coverity is a great tool. (1)

elashish14 (1302231) | more than 3 years ago | (#34107766)

in any case, this is a win. these bugs are now known, and google/community will fix them within days if they haven't already been fixed (I hope Coverity had the decency to inform google prior to their press release)

But don't the carriers have a history of taking their sweet time before pushing updates down to consumers? Or is that just for major releases... hopefully they are more prompt with security updates.

High False Positive Rate (5, Interesting)

Anonymous Coward | more than 3 years ago | (#34107028)

Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk.

Based on my experience using Coverity's tools, more than half are actually false positives and less than half of what's left are really as serious as rated.

88 ways to root your phone... (1)

Dwonis (52652) | more than 3 years ago | (#34107176)

...and I'm supposed to be complaining?

88 problems? (4, Funny)

Anonymous Coward | more than 3 years ago | (#34107196)

If you're havin' 'droid problems i feel bad for you son,
I got 88 problems but a bug ain't one

Re:88 problems? (2, Funny)

V!NCENT (1105021) | more than 3 years ago | (#34107332)

If you're having girl problems I feel bad for you son,
I got 88 bugs but a bitch ain't one.

SERIOUS (3, Informative)

SirThe (1927532) | more than 3 years ago | (#34107208)

You could like mention that this is projected to be the least number of vulnerabilities per line of code they found. Oh wait, that would require reading the article.

Where's the accompanying article (0)

Anonymous Coward | more than 3 years ago | (#34107216)

'Serious security flaws most likely exist in iOS and Windows Phone 7, but we'll never know'

And the carriers are too slow to respond... (1)

erroneus (253617) | more than 3 years ago | (#34107224)

That really pisses me off to know that Google or whoever is driving the Android development didn't hire some security testers to find this critical stuff before it was released.

Fortunately, I believe the fixes will come out for me before the carriers get around to it. My Galaxy S is pretty good about being able to load new custom firmwares now. I feel bad for "regular" users who depend on updates from carriers.

ha! who is living in a walled garden now!? (0)

Anonymous Coward | more than 3 years ago | (#34107228)

Oh the sweet irony. You android lovers aren't talking now.

Real Problem is Slow Carrier Updates (4, Informative)

zuperduperman (1206922) | more than 3 years ago | (#34107316)

In truth, this is a strength, not a weakness of Android - this is the "many eyes" of open source in action. No doubt the important fixes among these will be addressed pretty quickly.

The problem, however, is with the carriers who keep insisting on pushing custom firmware on their devices. With many devices never receiving any updates at all they are wide open - how long until we have massive malware issues because of this?

What I hope is that this drives some consumer backlash which forces the carriers to stop the nonsense with customizing the core of android and instead just put their skins on the topmost UI layer. They should realize quick smart that they are not and should never be in the OS business and that updates need to come out within weeks of releases from Google, not years or never.

Re:Real Problem is Slow Carrier Updates (1)

witherstaff (713820) | more than 3 years ago | (#34107768)

Hear, hear. I actually hope there is some sort of widespread malware or a virus just to push this issue. I really like Android as a user and developer but I hate the carrier lockdown.

Most of these aren't really going to be an issue (2, Interesting)

SpazmodeusG (1334705) | more than 3 years ago | (#34107352)

There's a function that helps avoid exploitation of the vulnerabilities in the API.
developer.android.com/reference/android/app/ActivityManager.html#isUserAMonkey%28%29

Just ensure that it's returning false and you should be safe.

Re:Most of these aren't really going to be an issu (1)

Dewin (989206) | more than 3 years ago | (#34107496)

Note that the user being a monkey might be a sort of exception that should never happen [android.com] . A definite WTF moment, for sure.

bug in Androids (0)

Anonymous Coward | more than 3 years ago | (#34107562)

It must be Microsoft's fault or Obama's since every other problem in the world is caused by them.. right... not..

Who cares about it when no updates available! (0)

Anonymous Coward | more than 3 years ago | (#34107746)

I bought a Motorola Milestone with Android 2.1 on it. Now, some basic features are not there or simply not working like the VPN for example. So I want to update to Android 2.2 but Motorola is too lazy and they lock down the phone if you try to update yourself.
When I read the comments on the Market, I see that the Galaxy S has a lot of problem with compatibilities with apps...

So how am I supposed to think about the security issues now? I can't update, and when I buy a phone I can't be sure of anything (updatability, compatibility, quality of touch screen, ...).

If I buy a second phone, I will reach the price of an iPhone... why didn't I buy an iPhone at first? Because it was twice the price...
Now, from what I see, half-price = half-quality, half-secure, twice-headache!

I'm really sorry, but I don't see how Android is gonna be a good alternative to iOS... Android is too young and doesn't grow up without buying a new phone...
