Google published a blog post on its security blog this week, explaining that memory safety vulnerabilities — where buffer overflows and other similar problems in code can allow other software to break out of sandboxes and cause problems — are on the decline in Android phones. The company said, “we see that the number of memory safety vulnerabilities have dropped considerably over the past few years/releases. From 2019 to 2022 the annual number of memory safety vulnerabilities dropped from 223 down to 85.”
So, why the drop in security problems? Google was quick to note that “correlation doesn’t necessarily mean causation,” but the likely culprit is the decision to write much of Android’s newer code in the Rust programming language, rather than older languages like C or C++. Rust enforces memory safety, drastically reducing the possibility of security problems related to memory.
Google revealed in the blog post, “From 2019 to 2022 it has dropped from 76% down to 35% of Android’s total vulnerabilities. 2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities.” Rust still does not make up most of the new code added each year, but the percentage of Rust code is gradually increasing. Google also noted that, so far, zero security problems have been discovered in Android’s Rust code.
There are still many other possible security problems outside of memory safety issues, but it seems like Android phones and tablets are safer because of the transition to Rust. That’s certainly worth celebrating.
Source: Google Security Blog