The memory safety vulnerabilities in Android dropped from 223 in 2019 to 85 in 2022 as Google gradually transitioned towards memory-safe languages.
Google says that 65% of all vulnerabilities across products and the industry were memory safety flaws. The drop in Android coincides with a shift in programming language usage away from memory-unsafe languages.
Android 13 is the first Android release in which the majority of new code added to the release is written in a memory-safe language, and 2022 is the first year in which memory safety vulnerabilities do not make up the majority of Android's vulnerabilities.
Support for the Rust programming language was first introduced in Android 12 as a memory-safe alternative to C/C++. Google's goal is not to rewrite existing C/C++ in Rust, but to shift the development of new code to memory-safe languages over time, since most memory safety bugs are found in new or recently changed code.
Roughly 21% of all new native code in Android 13 is in Rust, across different parts of the OS, including Keystore2, the new Ultra-wideband (UWB) stack, DNS-over-HTTP3 and Android’s Virtualization Framework (AVF), among others.
To date, no memory safety vulnerabilities have been discovered in Android's Rust code. That number is unlikely to stay at zero forever, but given the volume of new Rust code across two Android releases and the security-sensitive components in which it is used, it is a significant result.
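The class of bug that the shift to Rust removes, shown as an added example that is not Android's or Google's code: a length-prefixed record parser written in safe Rust. The record format and the sample inputs are constructed for this example and assume nothing about the real UWB or DNS wire formats.

```rust
// Added example (not Android's code): a length-prefixed record parser in
// safe Rust. The record format is constructed for this example:
//   [len: u8][payload: len bytes], repeated until the input ends.
// In C, copying `len` bytes from `input + pos + 1` with an attacker-chosen
// `len` that exceeds the remaining input is a classic out-of-bounds read.
// Safe Rust cannot express that read: `slice.get(range)` returns `None`
// when the range leaves the buffer, and direct indexing panics instead of
// reading adjacent memory. An out-of-bounds access is only possible inside
// an `unsafe` block, which is exactly the code review and audit boundary.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// A declared length runs past the end of the input.
    Truncated {
        offset: usize,    // position of the offending length byte
        declared: usize,  // payload length the input claims
        remaining: usize, // bytes actually left after the length byte
    },
}

/// Parse every record in `input`, returning the payloads as borrowed slices.
pub fn parse_records(input: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut records = Vec::new();
    let mut pos = 0;
    while pos < input.len() {
        // `pos < input.len()` guarantees this index is in bounds.
        let len = input[pos] as usize;
        let start = pos + 1;
        // `start + len` cannot overflow: `start <= input.len() <= isize::MAX`
        // and `len <= 255`.
        let end = start + len;
        // The bounds check is the whole point: an overlong length yields
        // `None`, never a slice that reaches past `input`.
        match input.get(start..end) {
            Some(payload) => {
                records.push(payload);
                pos = end;
            }
            None => {
                return Err(ParseError::Truncated {
                    offset: pos,
                    declared: len,
                    remaining: input.len().saturating_sub(start),
                })
            }
        }
    }
    Ok(records)
}

fn main() {
    // Constructed inputs: a well-formed message and one whose length byte
    // claims five bytes of payload while only two remain.
    let good = [2u8, 0xAA, 0xBB, 0, 1, 0xCC];
    let truncated = [5u8, 0x01, 0x02];
    println!("{:?}", parse_records(&good));
    println!("{:?}", parse_records(&truncated));
}
```

In C the equivalent loop would `memcpy` `len` bytes following the length byte, and nothing in the language stops `len` from exceeding the remaining input. The Rust version cannot turn into that read without an `unsafe` block, which is why the unsafe boundary, rather than the whole codebase, is where review effort concentrates.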
While Rust is being used to reduce memory safety vulnerabilities in Android, threat actors are also adopting the language to make their malware tools more complex to analyse.