The annual number of memory safety vulnerabilities in Android dropped from 223 in 2019 to 85 in 2022 as Google gradually transitioned toward memory-safe languages.
The tech giant made the announcement in a blog post on Thursday, where it wrote that for over a decade, 65% of all vulnerabilities across products and the industry were memory safety flaws.
“On Android, we’re now seeing something different – a significant drop in memory safety vulnerabilities and an associated drop in the severity of our vulnerabilities,” Google wrote.
“This drop coincides with a shift in programming language usage away from memory unsafe languages. Android 13 is the first Android release where a majority of new code added to the release is in a memory-safe language.”
More specifically, the company said that from 2019 to 2022, the number has dropped from 76% down to 35% of Android’s total vulnerabilities.
“2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities,” Google wrote.
“While correlation doesn’t necessarily mean causation, it’s interesting to note that the percent of vulnerabilities caused by memory safety issues seems to correlate rather closely with the development language that’s used for new code.”
In fact, support for the Rust programming language was first introduced in Android 12 as a memory-safe alternative to C/C++.
“As we noted in the original announcement, our goal is not to convert existing C/C++ to Rust, but rather to shift development of new code to memory-safe languages over time.”
According to the search firm, roughly 21% of all new native code in Android 13 is in Rust, across different components of the OS, including Keystore2, the new Ultra-wideband (UWB) stack, DNS-over-HTTP3 and Android’s Virtualization Framework (AVF), among others.
“To date, there have been zero memory safety vulnerabilities discovered in Android’s Rust code,” Google said.
“We don’t expect that number to stay zero forever, but given the volume of new Rust code across two Android releases, and the security-sensitive components where it’s being used, it’s a significant result.”
While Rust can be used to reduce memory safety vulnerabilities in Android, the programming language is also being leveraged by threat actors to increase the complexity of malware tools.