The annual number of memory safety vulnerabilities in Android dropped from 223 in 2019 to 85 in 2022 as Google gradually transitioned toward memory-safe languages.
The tech giant made the announcement in a blog post on Thursday, in which it wrote that for more than a decade, 65% of all vulnerabilities across products and the industry were memory safety flaws.
“On Android, we’re now seeing something different – a significant drop in memory safety vulnerabilities and an associated drop in the severity of our vulnerabilities,” Google wrote.
“This drop coincides with a shift in programming language usage away from memory unsafe languages. Android 13 is the first Android release where a majority of new code added to the release is in a memory-safe language.”
More specifically, the company said that from 2019 to 2022, the share of memory safety vulnerabilities dropped from 76% down to 35% of Android’s total vulnerabilities.
“2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities,” Google wrote.
“While correlation doesn’t necessarily mean causation, it’s interesting to note that the percent of vulnerabilities caused by memory safety issues seems to correlate rather closely with the development language that’s used for new code.”
In fact, support for the Rust programming language was first introduced in Android 12 as a memory-safe alternative to C/C++.
“As we noted in the original announcement, our goal is not to convert existing C/C++ to Rust, but rather to shift development of new code to memory-safe languages over time.”
According to the search company, around 21% of all new native code in Android 13 is in Rust, across different components of the OS, including Keystore2, the new Ultra-wideband (UWB) stack, DNS-over-HTTP3 and Android’s Virtualization Framework (AVF), among others.
“To date, there have been zero memory safety vulnerabilities discovered in Android’s Rust code,” Google said.
“We don’t expect that number to stay zero forever, but given the volume of new Rust code across two Android releases, and the security-sensitive components where it’s being used, it’s a significant result.”
Although Rust can be used to reduce memory safety vulnerabilities in Android, the programming language is also being leveraged by threat actors to increase the complexity of malware.