High Risk Vulnerabilities in Android Kernel

After in-depth analysis of the android OS the security analyst at Coverity claimed that android’s kernel has hundreds of loop holes and security vulnerabilities, they found 359 defects in the code in which 88 are reported as high risk vulnerabilities.

Even after finding so many security holes coverity still rates Android as the best available open source project almost twice as decent as any other open-source projects available today!

coverity used HTC incredible and took Android’s source code from it for analysis, Coverity claimed that there are around 0.47 defects in every 1000 lines of code in comparison with the industry average which is 1 defect in every 1000 lines of code.

coverity is not willing to reveal these vulnerabilities to public until the end of this year. Up till now they have only revealed that among these 359 vulnerabilities coverity has found 88 high risk vulnerabilities such as memory leaks, uninitialized variables and memory corruption etc.

According to Coverity, these flaws are discovered via automated analysis of the android’s source code and for the sake of being responsible, will not make it public for the next 60days and until then early access will be given to the Android’s security team, researchers and OEMs so that they can have some time to fix these security flaws before the details goes public!

At the moment people like us can only speculate about the vastness of those security flaws across Android’s Kernel that can be exploited by hackers for getting profit or just fun. Furthermore, almost every manufacturer tweak/modify the Android’s kernel to perfectly suit their hardware but the Coverity team has only taken Android code from the HTC Incredible so this might can be a issue and other phones may or may not be such vulnerable as this particular handset but the chipsets which are usually used in Android based devices are very much alike so there is a high probability that the security flaws will also be similar between these devices.

On the other hand exploitation of these flaws can entirely be a different matter, because if we imagine that there is a stack overflow vulnerability that allows application to breach the sandbox security but such big vulnerabilities are most likely to be detected very quickly so in my opinion such thing will only be possible if the kernel has several and more easier to exploit flaws; (hopefully if such flaws exists then they will be fixed before Coverty report goes public).

On the positive side, one of the advantages of open source software is that it is always open for scrutiny, so it makes people to trust such software even more (same is the case with Android).