December 5, 2022

Since 2019, Google has been integrating code written in the Rust programming language into its Android operating system, and its efforts have paid off in the form of fewer vulnerabilities, with more than half of memory-related flaws reduced, a milestone that coincides with Google’s switch from C and C++ to the memory-safe programming language, Rust.

According to Google, the number of memory safety vulnerabilities has decreased significantly in recent years/releases. Between 2019 and 2022, the number of annual memory safety vulnerabilities decreased from 223 to 85. They now account for 35% of all Android vulnerabilities, up from 76% four years ago. In fact, 2022 will be the first year in which memory safety vulnerabilities do not account for the majority of Android vulnerabilities.

Android 13 is the first Android release in which the majority of new code is written in a memory-safe language. Rust accounts for 21% of all new native code in Android 13, including the UWB stack, DNS-over-HTTP3, Keystore2, Android’s Virtualization framework (AVF), and various other components and their open source dependencies.

Google considers it significant that no memory safety vulnerabilities have been discovered in Android’s Rust code across Android 12 and 13. Google also reports a decrease in critical and remotely exploitable flaws.

The sources for this piece include an article in ZDNet.