The annual number of memory safety vulnerabilities in Android dropped from 223 in 2019 to 85 in 2022 as Google gradually transitioned towards memory-safe languages.
The tech giant made the announcement in a blog post on Thursday, where it wrote that for over a decade, 65% of all vulnerabilities across products and the industry were memory safety flaws.
“On Android, we’re now seeing something different – a significant drop in memory safety vulnerabilities and an associated drop in the severity of our vulnerabilities,” Google wrote.
“This drop coincides with a shift in programming language usage away from memory unsafe languages. Android 13 is the first Android release where a majority of new code added to the release is in a memory-safe language.”
More specifically, the company said that from 2019 to 2022, memory safety vulnerabilities dropped from 76% to 35% of Android’s total vulnerabilities.
“2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities,” Google wrote.
“While correlation doesn’t necessarily mean causation, it’s interesting to note that the percent of vulnerabilities caused by memory safety issues seems to correlate rather closely with the development language that’s used for new code.”
Support for the Rust programming language was first introduced in Android 12 as a memory-safe alternative to C/C++.
“As we noted in the original announcement, our goal is not to convert existing C/C++ to Rust, but rather to shift development of new code to memory-safe languages over time.”
According to the search firm, roughly 21% of all new native code in Android 13 is in Rust, across different parts of the OS, including Keystore2, the new Ultra-wideband (UWB) stack, DNS-over-HTTP3 and Android’s Virtualization Framework (AVF), among others.
“To date, there have been zero memory safety vulnerabilities discovered in Android’s Rust code,” Google said.
“We don’t expect that number to stay zero forever, but given the volume of new Rust code across two Android releases, and the security-sensitive components where it’s being used, it’s a significant result.”
While Rust can be used to reduce memory safety vulnerabilities in Android, the programming language is also being leveraged by threat actors to increase the complexity of malware tools.