Article 66FN2 Google: After Using Rust, We Slashed Android Memory Safety Vulnerabilities

by janrinok from SoylentNews on (#66FN2)

upstart writes:

Google: After using Rust, we slashed Android memory safety vulnerabilities:

Google's decision to use Rust for new code in Android in order to reduce memory-related flaws appears to be paying off. Memory safety vulnerabilities in Android have been more than halved -- a milestone that coincides with Google's switch from C and C++ to the memory-safe programming language, Rust.

This is the first year that memory safety vulnerabilities are not the biggest category of security flaws, and comes a year after Google made Rust the default for new code in the Android Open Source Project (AOSP).

Other memory-safe languages Google has used for Android include Java and Java-compatible Kotlin. C and C++ are still dominant languages in AOSP, but Android 13 is the first version where most of the new code is from memory-safe languages. After Google adopted it for AOSP in April 2021, Rust now accounts for about 21% of new code. The Linux kernel project this year adopted Rust as the new official second language to C.

Android version 10 from 2019 had 223 memory safety bugs, while Android 13 has 85 known memory safety issues.

Over that period, memory safety vulnerabilities have dropped from 76% down to 35% of Android's total vulnerabilities, notes Android security software engineer Jeffrey Vander Stoep. With this drop in memory safety vulnerabilities, Google is also seeing a decline in critical and remotely exploitable flaws.
