[Update] Security Firm: Android Riddled with Holes


[Note]: Figured I’d put this here instead of cluttering the comments up even more. I did originally make the mistake of saying that Google’s .47 flaws per 1,000 lines of code were well “above” the average of 1.0. I acknowledged it and corrected it. No, I’m not dumb, I’m just human. Also, I omitted the portion of The Register’s report where they stated Android was still the most secure open platform. I chose not to entertain that anecdote considering Android is the only open mobile operating system of noteworthy mention, and it’s not fair to compare it to a distribution for desktop and laptop computers which I imagine are much larger in scope.

These days, it seems there isn’t a month that goes by without a security firm pointing out some potential flaws in Android. This time, Coverity – based out of San Francisco – has gone deep into the Android source code and come up with some interesting numbers. Per every 1,000 lines of code, .47 defects were found. That’s well below the average of 1.0, with the overall number of flaws found totaling 359.


Instead of just releasing their full breakdown, they’re giving Google, OEMs, and carriers 60 days to grab it up and take a look for themselves, after which they’ll release it to the public. The study was only done on a lone HTC Droid Incredible, but the number of bugs probably won’t vary much as kernels from phone to phone tend to be similar.

Until they release the report, it’s hard to tell which of these potential flaws can truly be exploited for malicious reasons, but should anyone attempt to violate the trust of Google and the Android market, we know they have a nice killswitch just waiting to be flipped.

[via The Register]

Quentyn Kennemer
The "Google Phone" sounded too awesome to pass up, so I bought a G1. The rest is history. And yes, I know my name isn't Wilson.



  1. In what way is .47 well above 1.0?

  2. Since when is 0.43 greater than 1.0

  3. In what universe is 0.47 well above 1.0?

  4. Ahem…how can .47 (0.47) be well above 1.0…?

  5. Some new math at work here?

    If the average is 1 defect / 1K lines of code, how is a number less than half that figure “well above the average”?

    “Per every 1,000 lines of code, .47 defects were find. That’s well above the average of 1.0”

  6. Odd…there were two comments here when I first looked at the page, now they are gone. They both pointed out that .47 is lower than 1.0. Just seems odd. Hiccup in the system or is DL deleting those who point out typos?

  7. No math scholar

  8. I guess that should be well “below” 1.0 :)

  9. Whoops. A careless oversight on my part. Thanks for the correction(s)! (PS: I assure you all I can count! xD)

  10. Check your source and math again. 0.47 security holes per 1000 is less than half as many as 1 security hole per 1000. Your source link even says “they still rate it as twice as good as most open-source projects.” Basically, it says there are security holes, but there are twice as many in other open-source projects, and android is actually more secure.

  11. @originalme must be a hiccup. I’m showing 8 comments of people pointing out the mistake, and 1 comment of me acknowledging it.

  12. We should be fair and point out that this is just a pointer to an article @ The Register.

    Phandroid should perhaps have proofed a little better before posting the pointer to the Reg article.

  13. The report shows that Android is BETTER, not worse, than the industry average. .47 holes per 1000 lines of code is obviously more desirable than 1.0 holes per 1000 lines of code.

  14. According to their numbers the total source code is 763,829.78723404… lines of code. I sure hope that’s round off error because their numbers are really making any sense.

  15. @MichaelKilpatrick I did read that in the original article, but decided not to emphasize that part considering there are no other open sourced mobile operating systems out right now, at least none that are notable. And comparing it to a Desktop distribution doesn’t make sense considering the tremendous difference in scope.

  16. how I got that number:


  17. Oh noes! They are using a scanf() ! Security hole!



  18. It’s good to know that so many Android fans are math scholars.

  19. C’mon guys, give Quentyn a break. It was obvious what he was trying to state. Pointing out mistakes in this manner is immature. Get off your high horse ’cause you all aren’t perfect either. Thanks for the news as always Phandroid ;)

  20. 1st and foremost the man is human which means he will make an error from time to time. So instead of worrying about a slight error…Pay attention to your damn phone. This article is addressing something that is very detrimental to any android OS user and yet all you can do is point out a discrepancy?

    Do me a favor, get off his nuts, log off your PC, go find a hooker, send me the bill. Obviously you have no life and/or must be a virgin to care about little things like this…wait…you probably do have a little thing HAHAAHAHAH

  21. math is hard, good sir. we understand. that’s why phandroid is a shitty site – because there’s no fact checking or even trying to make sure that the posts are accurate.

  22. My math isn’t the issue. And I do check facts. Excuse me for having a billion other things on my plate at once that led to the mistake, which was simply a flustered oversight opposed to me being mathematically stupid and editorially inaccurate.

  23. so much for you being perfect, quentyn!


  24. Hey Matt, if Phandroid is so shitty why don’t you F*** OFF and go annoy some other site? We don’t want you here either

  25. I don’t care what anyone says about you, Quentyn. You always have GREAT information on Phandroid…I work for a cell company and I can tell you that we ALL read Phandroid ALL the time, and your articles are always the BOMB! Who cares about spelling & typos?! It’s the information that you provide that counts, and WE LOVE YOU!!

  26. Um, who expects a blog to be 100% accurate and to do massive research? I don’t ! Mistakes happen, give the guy a break, he does a great job bringing in new stories for us android phans.


  27. Quentyn is not a droid. Give him a break. Honest mistake jeez.

  28. “These days, it seems there isn’t a month that goes by without a security firm pointing out some potential flaws in Android”… Maybe that’s because they are looking for a new market for their services ? .. I’m sure they could and probably have tried to do similar “automatic analysis” on other mobile OS’s, but probably think they can more easily snow the Android community with scare tactics.. good luck with that.. I really don’t have a problem with these stories showing up, but I really wish a little more thought would be given to them, rather than just “repackaging” a story like this as truth.. I would also point out, that when I read the story.. the numbers say “industry standard”, and although it does mention something about other open source products prior, it is not entirely clear that they are continuing that as “industry standard”

  29. @ Franz, Brad, Naomi, Unpry, Red and Black, Tim, and Jughed, infinite thanks for your support. It’s never my intention to spread false information and I take accurate reporting very seriously. I make mistakes here and there, just as everyone else does. And I would think that not promptly owning up to the mistake would be something to get everyone’s feathers ruffled, but alas, it was a mistake for me to assume that, as well.

  30. *sigh* What truly amazes me is that, considering that Android is considered a “tech-savvy platform” by some. The concept of proportions and percentages (this is 1st grade math, people) is absolutely abominable. a .47:1000 ratio IS “above” normal standards where normal standards are 1:1000. What this means (I can’t believe I even have to explain this) is that every 47 lines out of 100,000 were “flawed” as opposed to the average of 100 per 100,000 or .47% as opposed to 1%. Lets try this in very simple terms; Johnny and Tommy are both nuclear engineers. If Johnny screws up 47 times out of 100,000 troubleshoots, and Tommy screws up 100 times out of 100,000, then Johnny’s performance is “above” Tommy’s performance. Therefore, Johnny is less likely to cause a critical situation.
    Honestly, when you post supercilious, condescending comments with terms like “good sir”, and “In what universe..”, and proceed to make yourself look like a complete pompous moron because you are trying to berate someone for something you apparently have zero concept of, you really look like you should wear a helmet at all times to protect the 2 remaining brain cells you have left fighting for dominance of the vacuum between your ears.
    @Matt; math isn’t hard good idiot, at least this type of math. If you WOULD like something hard, try mapping the E8 object, or even better, what is generally called “the monster”-a mathematical structure that exists in 196,884 dimensions. You actually have the balls to say that decimals are “hard” which causes Phandroid to be “shitty” yet you yourself have absolutely zero idea about what is being discussed. Twit.

  31. @Dennis I agree, and that’s why I didn’t mirror their calling it an “industry” standard. And yea I understand Coverity offers security services, but I didn’t mention it because of the fact that they’re offering their findings to everyone in the OHA. Other firms would be content with saying “Our study shows Android has bugs. Buy our product now!” Still, it’s possible they are using it to sell their services to the OEMs and carriers, but I think if Google finds anything truly severe, they’ll more than likely take their super team of geniuses and patch it up themselves.

  32. Wait, so they found .47 per 1k lines of code for android, and the “usual” is 1.0 in every 1k lines of code. So, doesn’t that actually make android MORE secure than “usual”? Seems more like a headline hitpiece. People skim the headlines and all they see is android is riddled with security holes, yet if you read the actual source article, you see that Android is over 50% more secure than the industry standard. You know you’ve made it when crap like this starts pouring out to try and make you look bad.

  33. wonder how long till the “security” firm that put this “study” out tries to sell us their security app on the android market…just like the last two did.

  34. @DJ Yea, I originally got confused because I was going to report it as saying Google’s Android ranked “above” the standard as far as security goes. I then made the decision to omit several of the details supporting that, but forgot to reflect the change in my sentence.
    That’s pretty much where my carelessness came in. Because I omitted the other details I did without reflecting the change, it sounded as if I were saying Google’s Android was the buggiest of them all.
    The title of this article also doesn’t help, but it was meant as a tongue-in-cheek way to say “Seriously? This is news?” I used the same tongue-in-cheek style when it was reported that touchscreen phones attract fingerprints. Right away, you can see where I get the desire to ridicule.
    But again, I apologize. It was still careless on my part, and I’m trying to clear it up.

  35. [Quote]SoUnprydictable
    you probably do have a little thing HAHAAHAHAH

    You can’t prove that.

  36. Thanks for making the quick fix, Quentyn.

  37. Quentyn, I absolutely wasn’t criticizing you. Typos are typos, humans are humans. What I WAS criticizing were the very unnecessarily condescending remarks made by some of the posters. I always enjoy your articles, keep up the good work!

  38. that’s that fuzzy math logic stuff I heard talk of some time back. ;)

  39. Hey guys… In case nobody noticed… .47 is less than 1… you know… in case you didn’t notice…


  40. yeahh….if you weren’t a tard yourself, you would have read the couple comments acknowledging it…. TARD

  41. Wow that’s a lot of comments about the math (which is now fixed). Is there a way to delete these irrelevant comments so I can see the comments actually involving the article? I would love to know people’s thoughts regarding how there are so many bugs in android, despite it being substantially less than the average.

  42. Well since everyone is busy complaining about math, I’m going to go ahead and complain about the grammar.

    “….47 defects were find.”

    The find should be found.

    And they say math is America’s weakness…;-)

    (Honestly, I didn’t care about the spelling or math, I’m sure even I’ve made a mistake in this comment somewhere…)

  43. If iOS were open they would find just as many or more “security holes”. If anything they need to praise Android for allowing the audit of the code.

  44. Finally!! I thought that Android is bug free, now there are 47 flaws!! :( OMG!

  45. @Tarik: Well said!!! :D
