Since Android 12, Google has supported the Rust language in the Android system as an alternative to C/C++. The goal is not to convert existing C/C++ code into Rust, but to develop new code in Rust.

By integrating more and more Rust code into its Android operating system, Google’s efforts to reduce vulnerabilities are finally paying off.

“The number of memory safety vulnerabilities has dropped significantly over the past few years/versions of the Android system,” Google said in the announcement.

Specifically, between 2019 and 2022, the number of memory safety vulnerabilities dropped from an initial 223 per year to 85 today. Memory safety vulnerabilities now account for only 35% of the total vulnerabilities in the Android system, compared to 76% four years ago, and 2022 is the first year in which memory safety vulnerabilities are no longer the largest share of Android system vulnerabilities.

During this period, the amount of new memory-unsafe code entering the Android system has also decreased.

Rust accounts for 21% of all new native code in Android 13, and there are already about 1.5 million lines of Rust code in AOSP, covering various functions and components, including the ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android’s Virtualization Framework (AVF), and various other components and their open source dependencies.

Throughout Android 12 and 13 so far, zero memory safety vulnerabilities have been found in Rust code. This is an important finding because in the past Android vulnerability density was greater than 1/kLOC, that is, at least one bug would have been found in every thousand lines of code. Based on the number of lines of Rust code, this could have prevented hundreds of bugs from reaching Android.
