Open source mobile operating systems such as Android are becoming increasingly vulnerable to security defects and exploitation by hackers because of the speed with which products are being rushed to market.
The meteoric rise of Google’s Android platform has left it particularly vulnerable to attack. The warning comes from San Francisco-based Coverity, a company that specialises in testing open source community customer and developer code across a range of industries, including the mobile market.
‘The security side of the mobile industry is crisis driven,’ says Dave Petersen, Coverity’s chief marketing officer. ‘They hit a problem and react; then they look to see how they can reduce the problem in the future. The main reason for that is the mobile industry is a very competitive market, where OEMs are bringing out new products or updating OSes every few months.
‘We work with the aviation industry too and Boeing does not bring out new aircraft that fast. It gives them time to test their systems very thoroughly. But if you are trying to compete in the mobile industry you have to get products out there faster than you’d like. It takes time for people to see how they can improve the situation. At the moment they cannot put out the patches very efficiently,’ he says.
Andy Chou, chief scientist and co-founder at Coverity, adds: ‘We’ve seen our other industry sectors take very proactive measures to provide clean code and clean third party code. The systems are well tested and defects fixed – the high impact defects anyway. We are only recently starting to see attacks via malicious apps happening, such as on the Motorola Droid Dream, so the mobile industry will have to start being more proactive.’
A recent report by analysts Canalys found that 86% of SMEs have no company-wide smartphone security in place. Mobile attacks are rising sharply, particularly on the largely open source Android platform, as people rarely read what services an application wants to access – they just want the application and hit install.
Coverity has invented ways to detect the majority of the defects in code that could render an operating system vulnerable to security issues, which in turn could lead to software failures or leave it exposed to malware attacks.
‘We do this at the earliest stages of development, as the code is being written,’ says Petersen. Coverity has been around for eight years and has built a client base of around 1,000 customers.
The company works with the US Department of Homeland Security to test and scan open source code, detect defects and try to harden the open source code while it is still in development.
In its SCAN 2010 report, Coverity looked at a new version of Android under development and for the first time tested a product on the market, in this case the HTC Droid Incredible (the Incredible S in the UK) – both based on the Linux kernel and about a year apart in terms of code development. Coverity only looked at the kernel and not the third party or specific proprietary code HTC has put on top of Android.
Chou says: ‘We found that of the 149 defects on the latest version of Android in development, 106 were the same as on the Incredible. So, those 106 defects were still in the code a year later and 43 new defects had emerged through the code development during the interim period.
‘We need to note that although the two kernels are based on the same code, the HTC Droid Incredible has third party code and HTC developer code on it too, so it was very interesting that they both had 106 defects in common.’
The significance of this, according to Chou, is that the 106 common defects show that a lot of the code is not changing. Chou added that the defects originated not with the Android development team but with the open source Linux developers who first wrote the code – bad DNA that has stayed within the OS ever since.
Meanwhile, says Chou, OEMs do not want to change the source code. ‘If you want fast updates to your devices, you don’t want to change someone else’s software. If you change the code you have to test it and then take responsibility for it and OEMs do not want to do that. And that’s how defects in the Linux kernel get passed on. The code is probably maintained by someone out there in the open source Linux kernel community, but that person may not be working anymore.’
Petersen explains that maintaining quality in open source computer code goes well beyond the mobile market and Android. ‘There is a lack of standards,’ he says.
Coverity is working hard on lining up all the open source code and testing it properly. The company hopes that by putting the spotlight on Android it has helped to highlight the security problems. Fixing defects depends on what individual developers decide to work on. If the code developer community thinks it is a big problem for them, they’ll move quickly to fix it.
Mobiles have only recently started to see exploitation by hackers, but the advent of Near Field Communication (NFC) payments and the use of mobiles as credit or debit cards is likely to attract the attention of hackers to a much greater degree.
‘Why do people rob banks? Because that’s where the money is,’ says Chou. ‘They track data and financial transactions on computers, so they’ll do the same on mobiles. As these payments systems get rolled out, the OEMs will have thought about the architecture and the security features, but that does not mean the phone will be secure.
‘My guess is that NFC will get rolled out, it will be popular, and then it will be attractive enough to hackers who will look at what they can do to exploit it. It will eventually cause a high profile incident that will cause a lot of people to be worried. OEMs will then have to regain customer trust,’ says Chou.
He warns: ‘It’s a calculated gamble about whether to be first to market, where you may gain traction and credit, or be cautious and get it right, but be behind the curve.’
Chou thinks it is likely we will start to see two camps emerging: ‘those that build the wall higher, so the hackers can’t get in; or those that build the product better, as a way of keeping them out.’
‘What we’ve found out by talking to OEMs is that with Android, the one thing that really helps sell products is having a device with the latest version of the OS on it, so the pressure is harsh,’ says Chou. ‘It is very, very important to do that fast.’
Petersen adds: ‘I think the Android discussion will move to other markets. At the moment, if there is a problem with a phone the OEM usually gets the blame, but we’ll see scrutiny moving into the supply chain – but that is at a nascent stage at the moment.’