The Rust programming language is the important thing to creating the Android working system safer, Google’s engineers have claimed.

In a weblog submit (opens in new tab) revealed by Android safety engineer Jeffrey Vander Stoep, the Googler says the variety of extreme reminiscence vulnerabilities has considerably dropped within the final three years and suggests it’s all due to the OS shifting away from memory-unsafe programming languages, C and C++.

Three years in the past, the bulk (65%)of Android bugs had been both high-severity or critical-severity reminiscence security bugs (suppose out-of-bounds learn and write flaws, for instance). Since then, Google has been steadily writing new Rust code and including it to Android (versus merely enhancing current code). Now, the variety of these flaws has dropped considerably, and so they’re now not the largest subject plaguing the cellular OS.

Much less extreme vulnerabilities in a continuing

“From 2019 to 2022 the annual variety of reminiscence security vulnerabilities dropped from 223 right down to 85,” Vander Stoep explains. 

With Android 12 (launched in early October 2021), the OS turned a Rust-first product, he stated. And whereas reminiscence security bugs have declined due to the usage of the novel programming language, different types of vulnerabilities have remained regular at roughly 20 new flaws found each month. Nonetheless, these flaws should not as extreme as reminiscence security bugs.

However this doesn’t imply Google is giving up on C and C++ utterly. The corporate will proceed to spend money on instruments to jot down safer C and C++ code, Vander Stoep stated, mentioning the Scudo hardened allocator, HWASAN, GWP-ASAN, and KFENCE on Android (opens in new tab) gadgets. He additionally stated Google elevated its use of fuzzing. 

Thus far, Rust has been fairly dependable, however Vander Stoep is aware of this would possibly change sooner or later: To this point, there have been zero reminiscence security vulnerabilities found in Android’s Rust code,” he concluded. “We don’t count on that quantity to remain zero without end, however given the amount of latest Rust code throughout two Android releases, and the security-sensitive elements the place it’s getting used, it’s a major consequence.”

• Here is the rundown of the most effective endpoint safety companies (opens in new tab) round

Through: The Register (opens in new tab)