AOSP bugs
"AOSP [Android Open Source Project] code has had the most eyes on it, from Google, the SOC partners, the OEMs, the community. It is quite reviewed."
No, it is most certainly not. Let's review the AOSP bugfest:
- Towelroot
- Stock browser same origin policy failure
- OpenSSL
It goes without saying that the use of OpenSSL *requires* the ability to patch.
How does 4.1 Jellybean do on the ssllabs.com browser scanner? I would think the score is an F - and if not, it's certainly not for lack of trying.