Other groups have highlighted the long patch cycle as well. In an analysis of the Android 2.6.32 kernel performed in November 2010, static-analysis firm Coverity found 0.47 defect per line of code -- better than the software industry as a whole. Yet in chasing down the source of flaws, Coverity found that only a few ended with Google. Many others led to open source components and their developers, some of whom never responded to the company's bug reports. Were the issues fixed? The company does not know.
"It is an example of the complexity of the software supply chain -- it has become more expansive because the amount of suppliers that people have for their software," says Andy Chou, the chief scientist at Coverity.
The worries come as attackers are already starting to focus more heavily on compromising mobile devices. IBM's X-Force security research lab estimates that 2011 will see twice as many exploits of vulnerabilities as the previous year. Lookout has seen malware take off from fewer than 100 attacks in 2010 to more than 400 so far this year. Compared to the PC world, where tens of millions of attacks are detected each year, the numbers are small, but the trend is clear: Security researchers and attackers are increasingly targeting mobile devices, and most campaigns are focused on the Android operating system.
The patch problem is not unique to Android, but it is worse for Android
Although Android is the focus, perhaps due to its well-known softness as a target and its growing market share, the problems with mobile patching is not just an issue for Google. Other mobile operating system makers also have to deal with the delay. "Mobile operating systems, in general, have longer patch cycles given the number of different people involved," says Tim Wyatt, principal security engineer at Lookout.
Case in point: flaws in the WebKit HTML rendering engine, which powers most smartphone browsers. In July 2010, researchers reported a use-after-free vulnerability in WebKit. Google fixed the issue in the Chromium browser within eight weeks and ported the fixes to the stock Android source code soon after. It took Apple until March 2011 -- eight months -- to fix the issue on its iOS devices. And Android handset makers? Because the companies do not specify the vulnerabilities patched in their firmware updates, it remains a large question mark.
For Google, the patch issue is more acute because of its choices with security design and its open app marketplace. Apple's popular iPhone, for example, has additional defenses that can make attacking it more difficult. First, Apple vets every application posted to the App Store, complicating -- though not preventing -- the publishing of a malicious program. And the iOS platform has more security designed in, says Dino Dai Zovi, an independent security researcher and author of the "Mac Hacker's Handbook." He notes, "There is a tapestry of security defenses on iOS that block you at every stage, which does not exist on Android."