Android Is A Lot Safer When It Uses Rust, Said Google

Android, Rust

Android is a popular operating system, developed using a modified version of the Linux kernel and other open-source software.

The operating system is extremely flexible and customizable, which has made it the most popular operating system, used on numerous devices from many brands. But that flexibility is also a weakness, because it leaves Android with vulnerabilities.

Among them are memory-related bugs.

Google, which commercially sponsors the development of Android, has been integrating code written in the Rust programming language into the operating system since 2019.

The multi-paradigm, general-purpose programming language emphasizes performance, type safety, and concurrency.

But what Google likes most about it is the way it enforces memory safety.

Rust was originally developed by Graydon Hoare, who created it as a personal project while working at Mozilla Research in 2006.

Mozilla officially sponsored the project in 2009. Since the first stable release in January 2014, Rust has been adopted by companies.

And Google uses Rust because it focuses on eliminating issues related to how data is used while stored in memory.

With Rust, all references point to valid memory - without requiring the use of a garbage collector or reference counting present in other memory-safe languages.

To enforce memory safety and prevent concurrent data races at the same time, Rust's "borrow checker" tracks the object lifetime of all references in a program during compilation.

According to reports, memory safety bugs account for more than 65% of high or critical severity vulnerabilities in Chrome and Android, and the figures are similar in software from other vendors.

These flaws, which include out-of-bounds reads and writes or use-after-free, degrade security and increase the cost of software development when not caught early.

But after four years in which Android has been accumulating Rust code, Google has managed to lower that number.
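As an added illustration (not Google's or AOSP's code), the Rust sketch below parses a constructed length-prefixed record format, with hypothetical names `parse_record` and `parse_all`. It shows both flaw classes being stopped: a declared length that overruns the buffer becomes an error value instead of an out-of-bounds read, and a reference that would outlive its buffer is rejected at compile time.

```rust
// Added illustration, not Android/AOSP code. Constructed record format:
// [tag: u8][len: u16 big-endian][payload: len bytes], names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader,
    LengthExceedsBuffer { declared: usize, available: usize },
}

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8], // borrows from the input buffer, cannot outlive it
}

/// Parse one record from the front of `buf`; return it plus the unread bytes.
pub fn parse_record(buf: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    // `get` returns None rather than reading past the end of the slice.
    let header = buf.get(..3).ok_or(ParseError::TruncatedHeader)?;
    let tag = header[0];
    let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
    let body = &buf[3..];
    // The length field is untrusted: check it against what is really there.
    let payload = body.get(..declared).ok_or(ParseError::LengthExceedsBuffer {
        declared,
        available: body.len(),
    })?;
    Ok((Record { tag, payload }, &body[declared..]))
}

/// Parse every record in `buf`, stopping at the first malformed one.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (rec, rest) = parse_record(buf)?;
        out.push(rec);
        buf = rest;
    }
    Ok(out)
}

fn main() {
    let good = [0x01, 0x00, 0x02, b'h', b'i', 0x02, 0x00, 0x00]; // constructed
    let bad = [0x01, 0xFF, 0xFF, b'h', b'i']; // declares 65535 bytes, carries 2
    println!("{:?}", parse_all(&good));
    println!("{:?}", parse_all(&bad));
    // let dangling = { let tmp = vec![1, 0, 0]; parse_all(&tmp).unwrap() };
    // Uncommented, the line above fails to compile: `tmp` does not live long
    // enough, so the records can never point at freed memory.
}
```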

Android, Rust
Credit: Google

"From 2019 to 2022 the annual number of memory safety vulnerabilities dropped from 223 down to 85," said Android security engineer Jeffrey Vander Stoep in a blog post.

Stoep also said that the decline coincides with efforts to move away from memory-unsafe programming languages, by which he means C/C++ – languages that do not guarantee memory safety but can support it.

Rust became an Android platform language with Android 12 in 2021.

And in Android 13 in 2022, according to Stoep, the majority of new code added to the release is written in a memory-safe language.

That means it is written in Rust, Java, or Kotlin.

As a matter of fact, in Android 13, roughly 21% of new native code is written in Rust. This includes about 1.5 million lines of Rust code in the Android Open Source Project (AOSP), consisting of some core components that in prior years would have been written in C++.

With less memory-unsafe code on Android, memory safety flaws have gone down from 76% of Android vulnerabilities in 2019 to 35% in 2022.

Other types of bugs, however, remained relatively steady.

In other words, Google's decision to use Rust for new code in Android in order to reduce memory-related flaws appears to be paying off.

"Rust's combination of speed and memory safety makes it a great choice for a wide range of projects," said Rebecca Rumbul, executive director and CEO of the Rust Foundation, in an email to The Register. "It's no surprise to see Rust being increasingly integrated into existing projects and products, and Google's recent blog discussing Rust in Android really highlights its security benefits."

"Those security benefits are also being recognized by policymakers around the world, with governments in Europe and North America recognizing Rust as a solution to some of the security issues experienced in the past," Rumbul added.

It's worth noting, though, that the change was not driven by "heroics."

According to Stoep, it happens because developers are using the best tools for the job.

Having found Rust to be a promising programming language, the Android team plans to step up its usage, although there are no plans to get rid of C and C++ for its systems programming.

"Humility needs to go both ways though. Rust doesn't solve all problems, and there are areas where C/C++ will continue to be the most practical option for development, at least for a while. That's OK," said Stoep.

"We'll work on reducing that over time while continuing to scale up our Rust usage and continuing to invest-in and deploy improvements to C/C++."

Published: 05/12/2022