Boondoggling Google


The hits keep coming for Google!

Earlier this month, Google announced steps it was taking to remotely wipe more than 50 malicious applications that had infected Android devices through the DroidDream malware, which gained root access on devices running Android OS versions from 2.2.1 (Froyo) and older. Just days later, Symantec uncovered a fake Google Android update bearing a name identical to the security update intended to remove DroidDream from devices.

Talk about insult to injury. However, you could say, in some fashion, Google had it coming.

DroidDream exploited a pair of vulnerabilities called “exploid” and “rageagainstthecage,” both of which were issues left over from Froyo, an earlier Google mobile OS... and these were not the first vulnerabilities discovered in Android OSs that traced back to Froyo. Meanwhile, the faux patch, according to Mario Ballano of Symantec, appears to have been hosted on Google Code and licensed under the Apache License. Google claims to have patched these vulnerabilities in Android versions above 2.2.2, but many users have yet to download the new version.

By not acknowledging these vulnerabilities, or perhaps not knowing they existed, Google left itself open to hackers looking to latch onto and infect the fastest-growing mobile platform in the U.S., and showed once again how vital attention to Internal Quality is to software.

NOT Ready for Prime Time

As we’ve said before about Google’s mobile OSs, Google should have taken the time to perform automated analysis and measurement of their software before they declared it “ready for prime time.” Had they done so, they would have had the opportunity to identify the old vulnerabilities and plug the holes. Moving forward, Google really needs to go beyond testing, which cannot sufficiently assess the structural quality of the entire system, and identify those areas that could lead to problems post-deployment.

CAST measures structural quality using hundreds of metrics that capture the design and implementation issues within complex systems, which is particularly important as more and more application software is built upon layers of code that may already be bringing flaws to the party. By quantifying structural quality in terms of Technical Debt – the cost of fixing the structural quality problems that cause severe business disruptions – CAST not only identifies the IT issue, but makes the business case for its resolution.

Whatever Google does, it should do something to stop its recent history of being boondoggled by hackers exploiting gaps left over from old versions.

Jonathan Bloom
Jonathan Bloom Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.