Last year, Google announced Rust support in the Android Open Source Project (AOSP), and today the company reported a reduction in memory safety vulnerabilities.
Google stated that “the number of memory vulnerabilities has decreased significantly in recent years.”
Specifically, the number of annual memory safety vulnerabilities dropped from 223 to 85 between 2019 and 2022. They now account for 35% of Android's total vulnerabilities, down from 76% four years ago. In fact, "2022 is the first year where memory security vulnerabilities do not account for the majority of Android vulnerabilities."
This count covers "vulnerabilities reported in the Android security bulletin, which includes critical/high-severity vulnerabilities reported through the Vulnerability Reward Program (VRP) but also internally reported vulnerabilities".
During this period, the amount of new memory-unsafe code entering Android has decreased:
"Android 13 is the first Android release where the majority of new code added to the release is in a memory-safe language."
Rust makes up 21% of all new code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other open source components and dependencies."
Google considers it important that no "memory security vulnerabilities in Android's Rust code" have been discovered so far in Android 12 and 13.
Today's Google post also discusses vulnerabilities that are unrelated to memory safety, as well as the company's future plans:
“… We implement userspace HALs in Rust. We're adding support for Rust in trusted apps. We've ported VM firmware to the Android Virtualization Framework in Rust. With support for Rust landing on Linux 6.1, we're excited to bring memory safety to the core, starting with programs driving core.”