Rust in Android code and no more memory vulnerabilities

Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company reported reducing memory security vulnerabilities.

rust code

Google stated that “the number of memory vulnerabilities has decreased significantly in recent years.

Specifically, the number of annual memory security vulnerabilities dropped from 223 to 85 between 2019 and 2022. They now account for 35% of Android's total vulnerabilities, down from 76% four years ago. In fact, "2022 is the first year where memory security vulnerabilities do not account for the majority of Android vulnerabilities."

This count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through the Vulnerability Reward Program (VRP) as well as internally reported vulnerabilities."

During this time, the amount of memory-unsafe code entering Android has decreased:

"Android 13 is the first Android release where the majority of new code added to the release is in a memory-safe language."

Rust makes up 21% of all new code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other open source components and dependencies."

"Google considers it important that no "memory security vulnerabilities in Android's Rust code" have been discovered so far in Android 12 and 13.

Today's Google post it also talks about vulnerabilities which do not concern the security of the memory and its future plans:

“… We implement userspace HALs in Rust. We're adding support for Rust in trusted apps. We've ported VM firmware to the Android Virtualization Framework in Rust With support for Rust landing on Linux 6.1, we're excited to bring memory security to the core, starting with the kernel drivers. The Best Technology Site in Greecegns

every publication, directly to your inbox

Join the 2.111 registrants.
Rust, android, google, Android 13

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).