Samsung's Tizen appears to have more holes than a screen door, but the mobile operating system, which powers Samsung watches, TVs, and a few phones, may not be as disastrous as it seems.
It does look bad. According to Andrey Karpov, founder and CTO of Program Verification Systems, the Russia-based maker of static code analyzer PVS-Studio, Tizen's codebase contains approximately 27,000 programming blunders.
This is, though, based on extrapolating from 900 errors found in 3.3 per cent of the 72.5 million lines of C/C++ code (excluding comments) that compose the Tizen project.
Karpov's claim echoes the findings of Israeli security researcher Amihai Neiderman, who in April at Kaspersky Lab's Security Analyst Summit, identified 40 zero-day vulnerabilities in Tizen code.
At the time, Neiderman characterized Tizen's codebase as possibly the worst he'd seen.
Those developing Tizen software have said as much. In a post to the Tizen developer mailing list in April about the project's slow response to bug reports, Maxim Khitrov, who develops software for the Biotechnology High Performance Computing Software Applications Institute (BHSAI), said, "Tizen is a mess with really bad code all around."
Even Samsung insiders concede the way Tizen is managed leaves something to be desired. Responding to Khitrov's complaint, Samsung open-source developer Carsten Haitzler observed that Tizen platform maintainers have limited control over product groups that ship Tizen devices.
"They are completely different teams and there is no single coherent 'Tizen leader' who tells everyone what to do with Tizen, how to do it and when," Haitzler lamented. "We can fix bugs in the platform but can't guarantee if an update will ship for devices or if it will be changed by the time it ships for a device."
Envisioned as an Android competitor, Tizen at least matches Google's mobile operating system in terms of disorganization. In terms of numbers, Samsung hopes to reach 10 million Tizen phones this year; Google in May said there are two billion monthly active Android devices.
A bug identified by PVS-Studio
Yet, Samsung doesn't see Tizen's many bugs as a problem. Karpov assembled his list of bugs as a sales pitch for his company's static analyzer. And Youil Kim, from Samsung Electronics, declined his offer on the Tizen mailing list by noting that Samsung is already working on static analysis of Tizen code but prefers another unnamed code quality tool that can find additional problems.
"We don't agree with that Tizen has 27,000 defects that should be fixed," said Kim. "As you know, many of static analysis warnings are often considered as insignificant issues."
Even so, Kim left the door open for further discussions with Karpov on how to improve Tizen's code quality.
In an email to The Register, Neiderman acknowledged that Tizen code had and still has problems. After he reported the vulnerabilities in April, he explained, several people who used to work on Tizen as developers got in touch. "What they all said was that the Samsung didn't really care about security and tried to rush Tizen to the market ASAP," he said.
Neiderman believes the news reports that followed from his research got Samsung's attention. "They started spending more efforts on securing Tizen and even contacted some companies to help them with that," he said.
Asked whether he still considered Tizen's code to be the worst he'd ever seen, Neiderman expressed regret about his choice of words.
"I have since learned to watch my tongue," he said, punctuating his reply with an emoticon grin. "Back then I meant that the code was very bad, something that you could see about 15-20 years ago in terms of security," he added. "They changed stuff, but I haven't checked everything they fixed and changed in their code. I'm not sure if they went back and fixed stuff I didn't find or report to them, so I'm not sure how widespread was their security auditing for their code was."
Neiderman said Tizen presently isn't terrible and isn't great either. "But the worst part for Samsung is that Tizen isn't really lifting off the ground enough, it's not an Android replacement like they wanted it to be," he said.
A Samsung spokesperson said no one was immediately available to field questions about the state of Tizen. ®