Rust has been gaining popularity in recent years as an alternative to C/C++; Rust code has been integrated into the Android operating system since 2019 and into the Linux kernel since 2021.
In Android, memory safety bugs account for over 65% of high-severity or critical vulnerabilities. These flaws reduce security and, if not caught early, raise the cost of software development. The Rust integration has led to fewer Android vulnerabilities.
However, since Android began integrating Rust code, that number has declined, with a significant decrease in memory safety vulnerabilities over the last few years and releases: the annual number of memory safety vulnerabilities fell from 223 in 2019 to 85 in 2022.
The reason for this decline is thought to be a shift in programming languages; in other words, the transition to languages that guarantee memory safety is cited as a factor.
Starting with Android 12 last year, Rust became an Android platform language. This year, with Android 13, most of the new code added in the release is written in memory-safe languages: Rust, Java and Kotlin.
With less new memory-unsafe code flowing into Android, memory safety flaws accounted for 76% of Android vulnerabilities in 2019 but 35% in 2022, the first year in which such bugs did not make up the majority of vulnerabilities.
Google is said not to be the only company making efforts to shift to memory-safe languages; Meta and Microsoft are reported to be making similar moves. Google also states that the goal is not to convert existing C/C++ to Rust but to move new code development to memory-safe languages, a transition that takes time.
About 21% of the new native code in Android 13 is written in Rust. This includes about 1.5 million lines of Rust code within the Android Open Source Project (AOSP), including Keystore2, the new Ultra-wideband (UWB) stack, and DNS-over-HTTP3, previously written in C++.