The annual number of memory safety vulnerabilities in Android dropped from 223 in 2019 to 85 in 2022 as Google steadily transitioned toward memory-safe languages.
The tech giant made the announcement in a blog post on Thursday, where it wrote that for more than a decade, 65% of all vulnerabilities across products and the industry were memory safety flaws.
“On Android, we’re now observing something different – an important drop in memory safety vulnerabilities and a linked fall in the severity of our vulnerabilities,” Google wrote.
“This drop coincides with a change in programming language usage away from memory unsafe languages. Android 13 is the first Android launch where a vast majority of new code added to the release is in a memory-safe language.”
More specifically, the company said that from 2019 to 2022, the figure dropped from 76% to 35% of Android’s total vulnerabilities.
“2022 is the first year where memory safety vulnerabilities do not represent the greater part of Android’s vulnerabilities,” Google wrote.
“While correlation does not automatically indicate causation, it is fascinating to note that the percentage of vulnerabilities brought on by memory safety issues appears to correlate fairly closely with the development language that is used for new code.”
In fact, support for the Rust programming language was first introduced in Android 12 as a memory-safe alternative to C/C++.
“As we pointed out in the initial announcement, our objective is not to change current C/C++ to Rust, but rather to shift development of new code to memory-safe languages over time.”
According to Google, roughly 21% of all new native code in Android 13 is in Rust, across different parts of the OS, including Keystore2, the new Ultra-wideband (UWB) stack, DNS-over-HTTP3 and Android’s Virtualization Framework (AVF), among others.
“To date, there have been zero memory safety vulnerabilities identified in Android’s Rust code,” Google said.
“We don’t expect that number to continue to be zero forever, but given the volume of new Rust code across two Android releases, and the security-sensitive parts where it is being used, it is an important result.”
Although Rust can be used to reduce memory safety vulnerabilities in Android, the programming language is also being leveraged by threat actors to increase the complexity of malware programs.
Some parts of this article are sourced from:
www.infosecurity-magazine.com