Over the years, Android and Google have worked tirelessly to rid Android of security issues. Memory safety problems brought on by unsafe programming languages are the most prevalent and the most difficult to fix; in fact, Mountain View declared support for Rust in the Android Open Source Project last year.
To combat these threats, Google today released data showing that the number of memory safety vulnerabilities has dropped significantly over the past few years. Google sums it up as the result of switching to Rust to make Android more secure: the new programming language leads to fewer memory safety vulnerabilities.
How Rust Makes Android More Secure
Memory safety refers to the state of being protected against various software bugs and security flaws that involve memory access. Memory safety bugs in C and C++ continue to be the most challenging source of errors to fix.
Without getting too technical, the best languages for developing Android apps are Java and Kotlin, since they are better at catching runtime mistakes than C and C++. Unfortunately, while the Android platform as a whole is successfully protected from memory issues by the use of these languages, the lower levels of the operating system are not.
Reducing Memory Safety Vulnerabilities
Rust provides memory safety guarantees by combining compile-time checks and runtime checks to ensure that memory accesses are valid. In C and C++, the developer is responsible for managing memory lifetimes, and mistakes are easy to make. Performance-wise, Rust is on par with C and C++.
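As an added illustration (not code from Google or the Android project), the example below parses a constructed length-prefixed record to show both kinds of check: `get` performs the runtime bounds check that rejects a length field larger than the buffer, and the borrowed return value lets the compiler reject any use of the payload after its buffer is freed. The function `parse_record`, the `ParseError` type and the record layout are assumptions made for this example.

```rust
// Added example: hypothetical record format, not an Android wire format.
// Layout (constructed): [tag: 1 byte][length: 1 byte][payload: `length` bytes]

#[derive(Debug, PartialEq)]
enum ParseError {
    Truncated,
    LengthExceedsBuffer { declared: usize, available: usize },
}

/// Returns the tag and a borrowed view of the payload inside `buf`.
fn parse_record(buf: &[u8]) -> Result<(u8, &[u8]), ParseError> {
    let (&tag, rest) = buf.split_first().ok_or(ParseError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(ParseError::Truncated)?;
    let declared = len as usize;
    // Runtime check: `get` returns None rather than reading past the end
    // of the buffer, which is where a C memcpy(dst, p, len) would over-read.
    let payload = rest.get(..declared).ok_or(ParseError::LengthExceedsBuffer {
        declared,
        available: rest.len(),
    })?;
    Ok((tag, payload))
}

fn main() {
    // Constructed sample inputs.
    let honest = [0x01, 0x03, b'a', b'b', b'c'];
    let lying = [0x01, 0xff, b'a', b'b', b'c']; // claims 255 bytes, has 3

    println!("{:?}", parse_record(&honest));
    println!("{:?}", parse_record(&lying));

    // Compile-time check: the payload borrows from its buffer, so freeing the
    // buffer while the payload is still in use does not compile (error E0505).
    //
    //     let owned = vec![0x01, 0x01, 0x2a];
    //     let (_, payload) = parse_record(&owned).unwrap();
    //     drop(owned);
    //     println!("{:?}", payload);
}
```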
As a result, the number of memory safety vulnerabilities has decreased from 223 per year to 85, and more crucially, they no longer account for the bulk of Android vulnerabilities. Thus, 76% of all vulnerabilities were Android vulnerabilities as of currently, down from 76%.
Here, "vulnerabilities" refers to the total reported in the Android Security Bulletin, including those reported internally and those with critical or high severity. The situation is only getting better with Android 13, as it is the first release in which most new code has been introduced in a memory-safe language.
In fact, the Ultra-wideband (UWB) stack, DNS-over-HTTP 3, Keystore 2, Android Virtualization Framework (AVF), and several additional components and their open-source dependencies make up 21% of the new native code in Android 13.
Google Speaks on Android’s Rust Code
In support of this, Google notes that so far, zero memory safety vulnerabilities have been discovered in Android's Rust code on Android 12 and 13. Google observes that the proportion of vulnerabilities caused by memory safety issues appears to correlate closely with the development language used for new code. However, this correlation does not necessarily imply causation.
As proof of how important these efforts are, Google notes that memory safety vulnerabilities are the most critical ones. The Mountain View company acknowledges that the transition from C/C++ is difficult and that Rust needs to be used throughout the entire code base.