The hits keep coming for Google!
Earlier this month, Google announced steps it was taking to remote wipe more than 50 malicious applications that infected Android devices through the DroidDream malware, which had gained root access to devices running Android OSs from 2.2.1 (Froyo) and older. Just days later, Symantec uncovered a fake Google Android update bearing a name identical to the security update intended to remove DroidDream malware from devices.
Talk about insult to injury. However, you could say, in some fashion, Google had it coming.
DroidDream had exploited a pair of vulnerabilities called “exploid” and “rageagainstthecage” which were issues remaining from Froyo, an earlier Google mobile OS... and these were not the first vulnerabilities discovered in Android OSs that were linked back to Froyo. Meanwhile, the faux patch, according to Mario Ballano of Symantec, appears to have been hosted on Google Code and licensed under the Apache License. Google claims to have patched these vulnerabilities in Android versions above 2.2.2, but many have yet to download the new version.
By not acknowledging these vulnerabilities, or perhaps not knowing they existed, Google left itself open to hackers looking to latch onto and infect the fastest growing mobile platform in the U.S. and showed once again how vital attention to Internal Quality is to software.
NOT Ready for Prime Time
As we’ve said before about Google’s mobile OSs, Google should have taken the time to perform automated analysis and measurement of their software before they declared it “ready for prime time.” Had they done so, they would have had the opportunity to identify the old vulnerabilities and plug the holes. Moving forward, Google really needs to go beyond testing, which cannot sufficiently assess the structural quality of the entire system, and identify those areas that could lead to problems post-deployment.
CAST measures structural quality using hundreds of metrics that capture the design and implementation issues within complex systems; particularly important as more and more application software is built upon layers of code that may already be bringing flaws to the party. By quantifying structural quality in terms of Technical Debt – the cost of fixing the structural quality problems that cause severe business disruptions – CAST not only identifies the IT issue, but makes the business case for its resolution.
Whatever Google does, it should do something to stop its recent history of being boondoggled by hackers exploiting gaps left over from old versions.