Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company reported reducing memory security vulnerabilities.
Google stated that “the number of memory vulnerabilities has decreased significantly in recent years.
Specifically, the number of annual memory security vulnerabilities dropped from 223 to 85 between 2019 and 2022. They now account for 35% of Android's total vulnerabilities, down from 76% four years ago. In fact, "2022 is the first year where memory security vulnerabilities do not account for the majority of Android vulnerabilities."
This count is for “vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through theletterVulnerability Reward Program (VRP) but also internally reported vulnerabilities".
During this time, the amount of memory-unsafe code entering Android has decreased:
"Android 13 is the first Android release where the majority of new code added to the release is in a memory-safe language."
Rust makes up 21% of all new code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other open source components and dependencies."
"Google considers it important that no "memory security vulnerabilities in Android's Rust code" have been discovered so far in Android 12 and 13.
Today's Google post it also talks about vulnerabilities which do not concern the security of the memory and its future plans:
“… We implement userspace HALs in Rust. We are adding support for Rust to trusted applications. Έχουμε μετεγκαταστήσει το VM firmware στο το Android Virtualization Framework σε Rust Με την υποστήριξη του Rust landing in Linux 6.1, we're excited to bring memory safety into the kernel, starting with the kernel drivers.