Slashdot Mirror
Serious Security Bugs Found In Android Kernel
geek4 writes with this excerpt from eWeek Europe: "An analysis of Google Android Froyo's open source kernel has uncovered 88 critical flaws that could expose users' personal information. An analysis of the kernel used in Google's Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users' personal information, security firm Coverity said in a report published on Tuesday. The results, published in the 2010 edition of the Coverity Scan Open Source Integrity Report, are based on an analysis of the Froyo kernel used in HTC's Droid Incredible handset. ... While Android implementations vary from device to device, Coverity said the same flaws were likely to exist in other handsets as well. Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk."
Is that Android now dominates the Smartphone market. Thank fuck. The less dominance Apple have with their fucked up control everything for you polices only a good thing.
I don't know much about these platforms, but Android is based on Linux yes? SO would many of these vulns still be in Linux?
If you ignore ACs because they are anonymous - you're an idiot.
88 Critical flaws on the wall... 88 critical flaws... You take one down, pass it around...
How much are these worth in bug bounty money?
No wonder google didn't open up the security vulnerability bounty for Android...
That's it then, I'm ditching my Android right now and getting a Winders SeVen pHone.
Should have waited and purchased a Windows 7 phone...
So what is the story, Tavis Ormandy exposes Windows bugs but does not work on top Google projects?
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
An analysis of Google Android Froyo's open source kernel has uncovered 88 critical flaws that could expose users' personal information. An analysis of the kernel used in Google's Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users' personal information
Does it also cause words in sentences to duplicate? Does it also cause sentences to duplicate? Also, was this submission done on an Android phone?
today is spelling optional day.
no probs man, if it's linux then it has MAC so no fucking worries man!
Hey buddy, can i bum a karma? ~}CinderellaManson{~
This number clearly differs from that of equivalent closed source systems! It's a shame that there's no current method for the community at large to help address these issues!
Probably not many. Android has a rather large application framework running on top of Linux. The flaws are most likely in it, and most likely allow you to get access to data that you don't have permission to (permissions are implemented in the same code layer). When people talk about android, android isn't really an OS- it's more like Gnome or KDE with a basic permission system hacked on (and a totally Android only API).
I still have more fans than freaks. WTF is wrong with you people?
Apparently no word on whether these are flaws in the vanilla kernel which Google has inherited, or flaws in the code that Google wrote.
I don't know much about these platforms, but Android is based on Linux yes? SO would many of these vulns still be in Linux?
No. Android is a Java-like virtual machine, some libraries implementing an API, a user interface and a standard set of user-level tools, all of which runs on top of a Linux kernel. The story refers to Android issues, not Linux issues.
I don't think Apple was going for domination of the smartphone. Apple wants to sell lots of expensive smartphones, and they are not going to sell 100m of those year to year.
Vulnerabilities are found and hopefully patched.
As for Windows Phone 7, what we don't know won't hurt us, right?
What doesn't kill you only delays the inevitable
...about 44 women?
There's no -1 for "I don't get it."
Those "critical" and "serious" label are largely meaningless; Coverity allows you to configure classes of "problems" as being one of several different severity. It is what the sysadmin of Coverity wants it to be. If so desired, buffer overflow could be configured to the severity of "minor."
ELOI, ELOI, LAMA SABACHTHANI!?
They are outed, and so get fixed even faster.
Good luck with the iOS/Wimpy7s bugs that are never announced/found due to this type of peer-review, and so there's no priority to fix them.
It will be soon time to upgrade. What do you think iPhone users will upgrade to? Apple just needs to stay slightly ahead of Android, Phone 7 and others, then throw-in some "wow" factor in order to keep selling millions of smartphones.
Views expressed do not necessarily reflect those of the author.
The only reason Android is selling more phones in the US is because they are on more carriers. Which is about to change. Android will take a big hit when that happens just as happened in Europe.
Whoever the idiot is who thinks OS X uses Linux needs to get a clue. It's the mach Kernel, some BSD subsystems, Darwin, and a UI layer.
Andoid revision? Which kernel version? What are those 88? Did they found kernel flaws or app platform in general? What are you/they talking about?
I understand you don't have a great understanding of security practicies, so let me enlighten you. MAC is great as an additional layer of protection and enforce least privilege. That doesn't mean we should ignore security vulnerabilities. Got it? Great.
If you ignore ACs because they are anonymous - you're an idiot.
No one said anything about OS X using Linux, that I can see.
If you ignore ACs because they are anonymous - you're an idiot.
Apple wants to sell lots of expensive smartphones
The device is only a mean to get people to pay for applications...
Actually, since this is open source - the people finding the bugs should have fixed them and posted the changes to the repository. Since they didn't do that, they must not care about the FLOSS community. For shame.
we use it at .
Coverity is the commercial offshoot of the old Stanford Checker that found something like 2500 critical bugs in the linux kernel back when it (the checker) was just a grad school project. the bugs got fixed very quickly and linux was better for it.
that said, Coverity's definition of serious or critical is not necessarily what most developers could call critical (haven't read the bug list, but from personal experience.....)
in any case, this is a win. these bugs are now known, and google/community will fix them within days if they haven't already been fixed (I hope Coverity had the decency to inform google prior to their press release)
The difference between Theory and Practice is greater in Practice than in Theory.
There's an app for that ;-)
Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk.
Based on my experience using Coverity's tools, more than half are actually false positives and less than half of what's left are really as serious as rated.
you mean it would have been better if the 88 bugs hadn't been there in the first place, even with MAC as implemented by the GOOG?
Hey buddy, can i bum a karma? ~}CinderellaManson{~
I must be missing the link to the study results. Oh, won't be out until next year, to allow for patching.
So, maybe something, maybe nothing.
There are better release from Coverity's site, http://coverity.com/
"What luck for the rulers that men do not think." - Adolph Hitler
Darwin IS the mach kernel, Mr. Redundant.
Why not? This year's model is EVEN MORE SHINY!!!
I should have known from your original response you were just a troll.
If you ignore ACs because they are anonymous - you're an idiot.
http://www.youtube.com/watch?v=JYc05gZFly0
Fix it fix it fix it.
The Kruger Dunning explains most post on
...and I'm supposed to be complaining?
If you're havin' 'droid problems i feel bad for you son,
I got 88 problems but a bug ain't one
Give him a break. He could just be clueless.
You could like mention that this is projected to be the least number of vulnerabilities per line of code they found. Oh wait, that would require reading the article.
'Serious security flaws most likely exist in iOS and Windows Phone 7, but we'll never know'
Huh? Dalvik is a Java-like virtual machine. Android is the API, UI and user tools, running on top of Linux.
That really pisses me off to know that Google or whoever is driving the Android development didn't hire some security testers to find this critical stuff before it was released.
Fortunately, I believe the fixes will come out for me before the carriers get around to do. My Galaxy S is pretty good about being able to load new custom firmwares now. Feel bad for "regular" users who depend on updates from carriers.
Oh the sweet irony. You android lovers aren't talking now.
Android uses outdated kernels in every release. Those issues are like "Hey grab a bugfix list from the latest kernel and write a study in which you supposedly hunted down these bugs yourself".
It's like an unpatched Vista Service Pack Zero and then reporting about bugs that have already been fixed...
Here be signatures
Coverity is really a code review tool. From your code, it tries to construct a model that shows your code is correct (static analysis + type inference). If it can't, the code is flagged, and it should be reviewed by a human. The flagged code may or may not be a bug, only that Coverity couldn't prove its correctness. If anything, I would advocate that the code should be rewritten in order to pass Coverity check, in the same spirit that if another competent person doesn't understand your code, you should probably rewrite it to make it more clear.
However, I've not seen any formal soundness proof of Coverity itself. As a result, Coverity may very well accept buggy programs as correct. This would certainly limit the tool's usefulness.
I once had a signature.
In truth, this is a strength, not a weakness of Android - this is the "many eyes" of open source in action. No doubt the important fixes among these will be addressed pretty quickly.
The problem, however, is with the carriers who keep insisting on pushing custom firmware on their devices. With many devices never receiving any updates at all they are wide open - how long until we have massive malware issues because of this?
What I hope is that this drives some consumer backlash which forces the carriers to stop the nonsense with customizing the core of android and instead just put their skins on the topmost UI layer. They should realize quick smart that they are not and should never be in the OS business and that updates need to come out within weeks of releases from Google, not years or never.
Too many easy to zap bugs in this wave, just wait for next wave of bugs then make $$ defense upgrades.
There's a function that helps avoid exploitation of the vulnerabilities in the API.
developer.android.com/reference/android/app/ActivityManager.html#isUserAMonkey%28%29
Just ensure that it's returning false and you should be safe.
I don't see how Android isn't an OS. Sure, it runs on top of the Linux kernel, but that's like saying Mac OS X isn't really an OS because it's just a window/desktop manager and accompanying API running on top of the XNU kernel (and theoretically, Apple could have forked their own Linux kernel and used that instead of XNU).
XNU is the kernel. Darwin is the subsystem without the UI layer. It's almost akin to a Debian base installation.
Depends on your definition of OS. There's more than 1 definition, one of which translates to "the kernel" and another translates to "everything that comes with a computer", and a couple in between. When most technical people say OS, they mean the program that controls access to the hardware and provides system services- the kernel. By that definition Android is a framework on top of the OS. And in functionality it's far closer to a window manager than a kernel.
I still have more fans than freaks. WTF is wrong with you people?
Note that the user being a monkey might be a sort of exception that should never happen. A definite WTF moment, for sure.
Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
It will be soon time to upgrade. What do you think iPhone users will upgrade to? Apple just needs to stay slightly ahead of Android, Phone 7 and others, then throw-in some "wow" factor in order to keep selling millions of smartphones.
If they really go ahead, turn the Mac into a glorified iPod and turn OS X into a Java free zone I can tell you right now that I'll be upgrading to Ubuntu on my Mac. I'll have no choice since I do a lot of java development. I won't like switching very much but Linux is a damn sight better than Windows 7. Additionally, since Linux is an iTunes free zone I'll probably upgrade to an Android cell-phone.
Only to idiots, are orders laws.
-- Henning von Tresckow
It must be Microsoft's fault or Obama's since every other problem in the world is caused by them.. right... not..
See, you are a troll. Your argument in the OBSD post was simple zealotism without understanding what you are saying, as evidenced by your lack of a reply. Then you couldn't let go and troll with the same shit in a completely different thread. Funny :)
If you ignore ACs because they are anonymous - you're an idiot.
Offtopic sorry. I will repost shortly back in the thread and you are not exactly full of shit.
Hey buddy, can i bum a karma? ~}CinderellaManson{~
Probably not many.
Well 88 were found in the kernel, which is a linux kernel. But who knows how many of those are in the actual linux kernel mainline.
Who exactly are these "technical people" you speak of? I know of no technical person who refers to Mac OS X as XNU. I know of no technical person who refers to Windows 7 as whatever the Windows 7 kernel is called.
I bought a Motorola Milestone with Android 2.1 on it. Now, some basic features are not there or simply not working like the VPN for example. So I want to update to Android 2.2 but Motorola is too lazy and they lock down the phone if you try to update yourself.
When I read the comments on the Market, I see that the Galaxy S has a lot of problem with compatibilities with apps...
So how I'm supposed to think about the security issues now? I can't update and when I buy a phone, I can't be sure of anything... (updatability, compatibility, quality of touch screen, ...)
If I buy a second phone, I will reach the price of a iPhone... why I didn't buy a iPhone at first? because it was twice the price...
Now, from what I see, half-price = half-quality, half-secure, twice-headache!
I'm really sorry, but I don't see how Android gonna be a good alternative to the iOS... Android is too young and doesn't grow up without buying a new phone...
Then you must really hate Oracle
no it really was irony. - "And I think your full of shit." was humor. :D
I'm really sorry the Mac zealots modded you troll, that was unfortunate, but both funny and ironic.
You know Mac != MAC right?
If you ignore ACs because they are anonymous - you're an idiot.
it's punny.
Hey buddy, can i bum a karma? ~}CinderellaManson{~
Exposes more than, say, a very simple app (game?) that requires Full Network Access, Fine Grained Location, and access to your System Settings?
The biggest threat to personal information leaking on an Android phone are overly permissive apps, and the people who install them.
wait, so you assume google is the only folks with a flaw?
wow.
I'm not saying google is infallible, but neither is, well, every company that exists. I dont' even need to mention names on that.
When people talk about android, android isn't really an OS- it's more like Gnome or KDE with a basic permission system hacked on (and a totally Android only API).
Not quite - Android also includes a set of kernel patches.
Visual IRC: Fast. Powerful. Free.
I don't claim that.
But these BrotherPluckers start with a known Linux sourcecode base, fork it, and introduce this number of exploits in ring-0?
They suck.
"Flyin' in just a sweet place,
Never been known to fail..."
It "dominates" in the same way Windows dominates PCs...a fractured mess controlled by the carriers, with their own unremovable junkware, their own app stores, and their own differing hardware features.
Here's an article you won't see written about the iPhone: How Can I Tell If An Android App Is Malware?
Personally, I'm not too excited about the idea of Google owning search, advertising, email, chat, documents, phones, netbooks, blogs, etc., all while skirting the edge of privacy. I'm not really interested in replacing one Micorosft with another. Apple is more concerned with being the best in a market, not #1 in a market.
Since Android hit the market, there has been a lot of uninformed, suspicious Apple-bashing on Slashdot, often from anonymous posters.
In the world of O/S frameworks Android is pretty much still a toddler and it is trying to run like a 16 year old with a bright future in track so please don't act surprised, bugs happen. Although i gotta say a "use after Free" is pretty bush league.
Hey KID! Yeah you, get the fuck off my lawn!
How much did you pay for the user ID?
Can you go back in time now with the flux capacitor app?
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
From the article and summary my own conclusion is that this is somewhat of an astroturf for Coverity and more than likely lacks any solid foundation. Certainly there may be bugs, but many are probably of the "Meh" kind.
From the article and summary my own conclusion is that this is somewhat of an astroturf for Coverity and more than likely lacks any solid foundation. Certainly there may be bugs, but many are probably of the "Meh" kind.
I totally agree, the fact that they are announcing 'we found all these security bugs but we aren't going to tell you about them until google has a chance to fix them' rather than just speaking directly to google about them stinks of astroturfing.
now now, give him time...it'll take a while for the cryogenic suspension effects to wear off...
- I'd prefer not to.
How did Apple manage to get these faults into the phone in the first place? They must have spies deeper than we originally thought!
For shame, to stoop to sabotage! Will Jobs stop at NOTHING?
maybe google needs to reach their hand out to the greater community, as they can't do it all, but who can these days?
This is Google, you know: a privacy flaw exposed in the kernel of their device isn't a FLAW! It's a business-enabling FEATURE..
God damn Google for stealing Apple's business practices.
I'm trying to figure out why someone would analyze the source code to an open project, find defects, and NOT fix and commit the defects for code review. I mean, that's how the process is supposed to work. Unless this is just a publicity stunt.
It isn't astroturfing. No one is pretending to be from the "community" or "grass roots" or anything. It's plain marketing.
Coverity provides free code checks to many free software projects, in exchange for being able to make press releases like this one. The mainline Linux kernel has been through it at least a few times, but Coverity seems a bit confused or unhappy about the fact that Linus won't discuss bugs in secret. Many other large free software projects have a group of people who are willing to sign NDA's when dealing with security bugs, so bugs can be patched before being announced.
Finally! A year of moderation! Ready for 2019?
Why not? They're selling lots and lots of iPods, why wouldn't they eventually include phone functionality with lower-end iPods?
Finally! A year of moderation! Ready for 2019?
Obligatory Monty python reference: http://www.youtube.com/watch?v=hSELOCMmw4A
An OS consists of not only the kernel, but also the userland. You need to be able to interface with the kernel at least at some level. Just because GNU/Linux's userland is indistinguishable from third party applications doesn't mean that all operating systems are complete with kernels alone.
http://astutehosting.com/
So then that could be said about Apple too and their OS X with the BSD kernel.
A lot of people - myself included - refer to Darwin when talking about the OS, and Mac OS X when talking about all of the stuff that Apple bundles on the install CD (including Quartz, Cocoa, and so on).
Defining the OS as the kernel is problematic when you have microkernels, because the line between what is the kernel and what is userspace is blurred. With Symbian, for example, device drivers live in the kernel but they don't handle multiplexing between applications. When an application wants to access a hardware resource, it talks to a userspace server. Are these servers part of the OS?
The general working definition of an OS is the stuff that you need to boot the system and launch programs. With a UNIX-like system, this includes the init system (typically including a POSIX-compatible shell), and a set of libraries. Most importantly, it includes libc, because this is the public interface to the kernel's functionality. If you select a target when cross-compiling stuff for OS X, you select the Darwin target, not the OS X or XNU target (there isn't one), because the compiler needs to know things like the object format to use (Mach-O), the calling conventions (not defined by the kernel), and a few other things.
This is why people talk about GNU/Linux as a platform; because it's GNU libc, the GNU shell, and so on that their programs interact with. You can swap out the Linux kernel for something like a FreeBSD kernel much more easily than you can swap out the GNU stuff for BSD equivalents.
Some people use a slightly broader definition for UNIX-like systems, including everything needed for compliance with the Single UNIX Specification. Since this includes things like c99, c++, and vi, I think it's a little bit to broad, because the system can happily function without them.
I am TheRaven on Soylent News
Coverity is not a charitable organization, so the only question I have is: "who paid for the analysis?"
I don't believe Google would have paid an outside firm. After all, people at Google view themselves as "the best of the best."
I suspect Apple might have had something to do with this.
It "dominates" in the same way Windows dominates PCs...a fractured mess controlled by the carriers,
One can always buy sim-free phones. Yuo have to pay up front, but it's your phone.
with their own unremovable junkware, their own app stores, and their own differing hardware features.
Junkware is annoying, but I'd count differing hardware as a fearture rather than a bug. It gives you choice.
Also, all "app stores" suck compared to a proper package manager.
Here's an article you won't see written about the iPhone: How Can I Tell If An Android App Is Malware?
You know there have been iPhone apps with hidden functionality, right? Those could just as easily have been malware.
Personally, I'm not too excited about the idea of Google owning search, advertising, email, chat, documents, phones, netbooks, blogs, etc., all while skirting the edge of privacy.
Yep.
I'm not really interested in replacing one Micorosft with another.
Yep.
Apple is more concerned with being the best in a market, not #1 in a market.
Apple are every bit as bad, given half the chance. And their phones are far too locked down. At lerast with Android, you don't have to use an app store if you do not want to.
Anyway, I want an N900. That looks nice to me than either Android ir the iPhone.
SJW n. One who posts facts.
Technically you are correct : ) I have updated my definition of 'astroturf'
A lot of people - myself included - refer to Darwin when talking about the OS, and Mac OS X when talking about all of the stuff that Apple bundles on the install CD (including Quartz, Cocoa, and so on).
They're you're being inconsistent, and making arbitrary distinctions to support your bias.
The general working definition of an OS is the stuff that you need to boot the system and launch programs.
It is a struggle to see how the full OS X (or Windows) would not meet this definition.
You have, however, demonstrated the one consistency I've seen with "technical people" when defining what an "OS" - they always go out of their way to ensure whatever set of rules they make up excludes any sort of "GUI" from being included. They all seem to suffer from Goldilocks syndrome, since not being able to pop up a bash shell isn't "graphical" _enough_, while drawing windows and using a mouse for input is _too_ "graphical".
"When most technical people say OS, they mean the program that controls access to the hardware and provides system services- the kernel."
So, for example, Linux is an OS when running on bare hardware, but if you're using it in a virtual machine on a Windows host, you're really running Windows as an OS? OK, if you says so.
"National Security is the chief cause of national insecurity." - Celine's First Law
The general working definition of an OS is the stuff that you need to boot the system and launch programs.
It is a struggle to see how the full OS X (or Windows) would not meet this definition.
The full OS X includes a load of apps, such as iCal, Address Book, and a load of frameworks that are not needed to launch apps. It contains a load of stuff that is not required to boot the system. It is a superset of Darwin, just as Darwin is a superset of XNU (but XNU can not boot on its own, while Darwin can). Any Darwin program will run on OS X, but not every OS X program will run on Darwin, because it may use some of the Apple frameworks or applications.
You have, however, demonstrated the one consistency I've seen with "technical people" when defining what an "OS" - they always go out of their way to ensure whatever set of rules they make up excludes any sort of "GUI" from being included
Not at all. The Quartz GUI is a separate process, the WindowServer, which is launched after the init process runs. If you hold down option-S when booting a Mac, it is not loaded, but you can still run programs. If you log in as the >console user from the graphical login screen, the WindowServer exits and you can proceed without it. It is, therefore, a clearly optional part of the system. You can even exit it and run X.org instead on an OS X system, although the X11.app from Apple runs on top of Quartz. There are other Darwin distributions which only include X.org and not Quartz.
In contrast, Windows has a closer integration and does not expose a terminal-emulator interface to programs, so you must load at least part of the GUI if you want to run programs (if you boot NT in the emergency recovery mode, you actually get the the GUI loading and then running cmd.exe in a command prompt window).
You have to include a shell for most UNIX-like systems, because the init system runs shell scripts, and you could not finish system startup without it. You have to include libc, because that provides the programmers' interface to the kernel (the Single UNIX Specification only specifies C interfaces, not system calls). You have to include programs that are run by init scripts, such as ifconfig. You do not have to include X11, because the system will happily boot and run programs without it - you can even run graphical programs on a remote display without having X11 running locally.
I am TheRaven on Soylent News
Pollyanna.
Did you read TFA?
They said that the level of bugs per 1000 lines is very much less than half the "normal" amount. Though yes more than the Linux kernel itself, but some of the bugs were already addressed before release. I'd like to see *YOU* do better with getting the OS on a Mobil Device.
I mean, come on, exactly how is a remote exploit (quite a few of the bugs are this type) going to happen on these phones when these things don't even listen on what is typically expected on the "network" and then even if it does, its typically been "rooted" (and they should get all they have coming to them if they don't know why they rooted and expect it to behave just like a non-rooted one) and even then... at least on Verizon doesn't allow any connection listening services on its "mobile" ip address ranges in any case.
How about Apple let Coverity do the same run down on iOS? Never happen, at least with public results.
Better yet, Windows Phone 7? Hah... never happen period.
Nokia's stuff? better chance of winning the Mega Lottery.
greg, REMEMBER ED CURRY!!!
I mean after search, what have they delivered besides betas and hype? Collapsible threads in webmail?
Google Maps
Google Earth/Moon/Mars
Google Skymaps
Google Translate
Google Docs
Google Calendar
Google Desktop Search
Google Image Search
Google Code
Google Talk
Plus they run/own:
Blogger
Youtube
Picasa
Sketchup
But apart from that, nothing...
I'm not saying they're perfect but saying that they've done nothing but search is just plain wrong.
Brain surgery - it's not rocket science!
I'd refer to myself and a hell of a lot of people I know as 'technical people', and we still refer to the OS as the top level framework. We call the kernel the, wait for it...kernel. It keeps things simple if you don't decide to branch out your own language from what the normal people use.
It's like ping and latency. Yes they are different, but only a right asshat would start complaining if someone says in a video game "Damn I have a high ping". Met one of those guys so far.
To much anime is bad for the brain...desu.
Sorry. Couldn't help it.
But yeah, OS X is Unix based, not Linux, as I recall.
To much anime is bad for the brain...desu.
Sorry. Couldn't help it.
Quick! Call Steve! He needs to increase the power levels!
To much anime is bad for the brain...desu.
Sorry. Couldn't help it.
Here's an article you won't see written about the iPhone: How Can I Tell If An Android App Is Malware?
Sure you will! Researcher warns of risks from rogue iPhone apps
To much anime is bad for the brain...desu.
Sorry. Couldn't help it.
i wonder how many bugs are in closed source handset operating systems...
Who doesn't?
Not very surprising.
That's why you shouldn't let your Developers "Test" their applications. That's why you should hire a team of QA Testers.
http://www.esecurityplanet.com/features/article.php/3910891/Android-Code-at-Risk.htm seems like a better article to me, as it actually gives you information. For instance, to answer one commenter I saw, it mentions that the code from the vanilla linux kernel has fewer flaws than the code that is Android specific. It also mentions this gem: "We found that the Android kernel had about half the defect density that you would expect, compared to other industry average codebases of the same size," Andy Chou, Chief Scientist and co-founder of Coverity told InternetNews.com."What that means is that a defect density of one defect per approximately one thousand lines of code is industry average, according to our measurements – for the Android kernel, the defect density was about 0.47." According to the same source, the defect density if you look at Android only code is .7 per a thousand lines, so still below the industry average. In short, Android is more secure than most other kernels that Coverity has analyzed.
When most technical people say OS, they mean the program that controls access to the hardware and provides system services- the kernel.
These people you call "technical"... They aren't, not if they get confused about such basic terms as "operating system" and "kernel".
It's certainly not as clear cut as you are suggesting. Apple have a good percentage of the market right now, but the majority of growth is in Android (that's largely people moving from non-smart phones to smart phones, so it will be interesting to see how this plays out once that trend levels off), okay that's to be expected since they're starting from simpler roots, but I'd hardly say Android over here are feeling any kind of "hit", and we've had iPhones on other carriers for a good while.
Serious question. Would the discovery of bugs like these be possible on the iPhone due to it's closed nature?
...how many of those allow me to root and own again my 2.2 HTC Desire.
I made the mistake to update to 2.2 and then I got into an area where there is no clear way to root it :(
All done before.
"Flyin' in just a sweet place,
Never been known to fail..."
The bugs were found by static analysis.
All done before.
But how many of them were released at the same price of Free?
so wait, you think that when people add functionality it's not going to reduce security?
do you even know what programming and programatically introducing security means?
It means your choice is : functionality or security. You don't get both.
At least they're using fairly current kernels, if they weren't then I'd say it's different.
With so many different builds of Android, these issues may or may not exist on other phones..
Don't forget:
Voice Search (For Android)
Android OS
Nexus One Smartphone
Chrome OS (coming out soon)
Google Night Sky
Buzz
Ok, so who has made something completely new?
Oh, also Chrome OS (as far as I know, the first net-based OS) and Android (as far as I know, the first Linux phone OS).
Brain surgery - it's not rocket science!
ChromeOS is Linux, with the userland stripped bare and a browser for a shell.
"Flyin' in just a sweet place,
Never been known to fail..."
XNU IS the match kernel. Darwin is the OS, which includes XNU match kernel.
mach, not match. You get the idea.