Google Pixel 7
Joe Fedewa / How-To Geek

Just like any widely-used software, security vulnerabilities are constantly discovered (and later patched) in Android all the time. Thankfully, one type of security problem is on the decline, thanks to a switch in programming languages.

Google published a blog post on its security blog this week, explaining that memory safety vulnerabilities — where buffer overflows and other similar problems in code can allow other software to break out of sandboxes and cause problems — are on the decline in Android phones. The company said, “we see that the number of memory safety vulnerabilities have dropped considerably over the past few years/releases. From 2019 to 2022 the annual number of memory safety vulnerabilities dropped from 223 down to 85.”

So, why the drop in security problems? Google was quick to note that “correlation doesn’t necessarily mean causation,” but the likely culprit is the decision to write much of Android’s newer code in the Rust programming language, rather than older languages like C or C++. Rust enforces memory safety, drastically reducing the possibility of security problems related to memory.

Graph of memory unsafe code and memory safety vulnerabilities, showing a drop from 2019 to 2022

Google revealed in the blog post, “From 2019 to 2022 it has dropped from 76% down to 35% of Android’s total vulnerabilities. 2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities.” Rust is still not most of the new code added each year, but it the percentage of Rust code is gradually increasing. Google also noted that, so far, zero security problems have been discovered in Android’s Rust code.

There are still many other possible security problems outside of memory safety issues, but it seems like Android phones and tablets are safer because of the transition to Rust. That’s certainly worth celebrating.

Source: Google Security Blog

Profile Photo for Corbin Davenport Corbin Davenport
Corbin Davenport is the News Editor at How-To Geek, an independent software developer, and a podcaster. He previously worked at Android Police, PC Gamer, and XDA Developers.
Read Full Bio »