Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company reported reducing memory security vulnerabilities.
Google stated that “the number of memory vulnerabilities has decreased significantly in recent years.
Specifically, the number of annual memory security vulnerabilities dropped from 223 to 85 between 2019 and 2022. They now account for 35% of Android's total vulnerabilities, down from 76% four years ago. In fact, "2022 is the first year where memory security vulnerabilities do not account for the majority of Android vulnerabilities."
This count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through the Vulnerability Reward Program (VRP) as well as internally reported vulnerabilities."
During this time, the amount of memory-unsafe code entering Android has decreased:
"Android 13 is the first Android release where the majority of new code added to the release is in a memory-safe language."
Rust makes up 21% of all new code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other open source components and dependencies."
"Google considers it important that no "memory security vulnerabilities in Android's Rust code" have been discovered so far in Android 12 and 13.
Today's Google post it also talks about vulnerabilities which do not concern the security of the memory and its future plans:
“… We implement userspace HALs in Rust. We're adding support for Rust in trusted apps. We've ported VM firmware to the Android Virtualization Framework in Rust With support for Rust landing on Linux 6.1, we're excited to bring memory security to the core, starting with the kernel drivers.