This transition has proven effective in lowering security risks across Android’s codebase.
Google’s shift to memory-safe programming languages like Rust has significantly reduced memory-related vulnerabilities in its Android operating system. Over the past six years, the percentage of these vulnerabilities has dropped from 76 per cent to 24 per cent, largely thanks to a secure-by-design approach that prioritises safe coding practices.
This transition has proven effective in lowering security risks across Android’s codebase. By focusing on safe coding for new features, Google has not only improved overall security but also made these changes more “scalable and cost-effective,” according to Jeff Vander Stoep and Alex Rebert, who shared the insights. The reduction of new memory-unsafe code has allowed for fewer vulnerabilities, as new memory-safe development increasingly takes over.
Interestingly, the number of vulnerabilities can drop even as new memory-unsafe code is introduced. Vander Stoep and Rebert explained that vulnerabilities tend to “decay exponentially” over time, with the majority appearing in newly written or modified code. “The problem is overwhelmingly with new code,” they noted, highlighting the need for a fundamental change in how code is developed. Older code naturally becomes safer, making fixes and rewrites less effective as the codebase ages.
Google’s commitment to memory safety began gaining momentum in 2019 when the company prioritized shifting new development to memory-safe languages. This change has had a measurable impact: the number of memory safety vulnerabilities identified in Android dropped from 223 in 2019 to fewer than 50 in 2024.
The decline isn’t due only to the adoption of Rust. Google has also advanced its methods for detecting and addressing vulnerabilities, moving from reactive patching to proactive strategies like using Clang sanitizers to discover issues before they can be exploited. This proactive approach helps prevent flaws at their root, contributing to Android’s enhanced security.
Google aims to evolve these strategies further by embedding security directly into the design of the code itself, focusing on “high-assurance prevention.” As Vander Stoep and Rebert stated, “Instead of focusing on the interventions applied (mitigations, fuzzing), or attempting to use past performance to predict future security, Safe Coding allows us to make strong assertions about the code’s properties and what can or cannot happen based on those properties.”
Rather than rewriting old code, Google is focusing on ensuring interoperability between languages like Rust, C++, and Kotlin. This incremental approach offers a more practical way to integrate memory-safe languages without overhauling entire systems. By adopting safe coding practices, Google hopes to “turn off the tap” of new vulnerabilities, allowing security to improve over time as fewer new vulnerabilities arise.
Google has also partnered with Arm to strengthen Android’s security, particularly in the GPU software and firmware stack. This collaboration has already uncovered several vulnerabilities, including two issues in Pixel’s customized driver code (CVE-2023-48409 and CVE-2023-48421) and another in Arm’s Valhall GPU firmware and 5th Gen GPU architecture (CVE-2024-0153).
Both companies stressed the importance of proactive testing, stating, “Proactive testing is good hygiene as it can lead to the detection and resolution of new vulnerabilities before they’re exploited.”
With its focus on secure-by-design practices and collaborations like the one with Arm, Google is making significant strides in reducing vulnerabilities across the Android ecosystem, ensuring safer and more resilient systems in the years to come.
