Memory-Safe Code Adoption Has Made Android Safer

The reduction in memory-related vulnerabilities in Android over the past five years is attributed to Google’s secure-by-design approach. This strategy emphasizes the use of memory-safe languages like Rust for new code development.

Currently, memory safety issues make up only 24% of all Android vulnerabilities, a significant decrease from 76% in 2019. It is projected that there will be approximately 36 memory-related vulnerabilities in Android for the entire year of 2024, which is half the number from last year and substantially lower than the 223 flaws reported in 2019.

Secure-by-Design Approach Pays Off

In a blog post dated September 25, researchers from Google’s Android and security teams acknowledged the progress made through Safe Coding. This approach prioritizes memory-safe languages like Rust for new code development. The researchers highlighted the importance of making interoperability safe and convenient as a key aspect of their memory safety journey.

Traditionally, memory safety vulnerabilities have accounted for more than 60% of all software vulnerabilities and have been more severe than other flaws. The shift to memory-safe languages with built-in safety checks, such as Rust, Go, and C#, has gained momentum, but transitioning existing code bases entirely to memory-safe languages may take years.

A Gradual Transition

Google’s strategy involves using memory-safe languages like Rust for new Android features while maintaining existing code with bug fixes. The company has gradually increased the use of Rust within the Android Open Source Project, with Android 13 seeing most new code written in a memory-safe language.

While Google recognizes the challenges in transitioning existing C and C++ code to Rust, the company continues to invest in tools to enhance memory safety. The decline in memory-related vulnerabilities is also attributed to older vulnerabilities decaying over time, with new code being the primary source of issues.