Google: Rust is the answer to Android security


A Google engineer said that the Rust programming language is the answer to making Android more secure, especially when it comes to memory vulnerabilities.

Android security engineer Jeffrey Vander Stoep said in a Google blog post that the number of critical memory vulnerabilities has dropped dramatically over the past three years.

Vander Stoep believes this is due to the operating system's move away from memory-unsafe programming languages such as C and C++.

Three years ago, most Android vulnerabilities (65%) were high-risk or critical memory vulnerabilities. Since then, Google has been writing and adding new Rust code to Android, not just improving the existing code. With the number of these vulnerabilities greatly reduced, mobile operating systems are no longer the biggest problem.

“From 2019 to 2022, the annual number of storage vulnerabilities increased from 223 to 85,” said Vander Stoep. He added that with the release of Android 12 in early October 2021, the operating system will now focus primarily on the Rust language.

While memory vulnerabilities have decreased due to the use of new programming languages, other types of vulnerabilities have remained the same, with approximately 20 new vulnerabilities discovered each month. However, these vulnerabilities are not as serious as memory vulnerabilities.

This is not to say that Google has completely abandoned C and C++. The company will continue to invest in tools for writing more secure C and C++ code, Vander Stoep said, citing Scudo, HWASAN, GWP-ASAN, and KFENCE custom tools on Android devices.

Although the Rust language is still very reliable, Vander Stoep knows this may change in the future, as no memory leaks have been found in Android's Rust code yet. But he said, "We don't expect that number to stay at zero forever, but it's an important realization given the size of the new Rust code for both Android versions and the time-sensitive components. security using this code."


