Using memory-safe programming languages such as Rust, Google has moved towards safe memory, which resulted in a drastic drop in memory-related vulnerabilities of the Android codebase. Memory vulnerabilities in Android decreased from 76% six years ago to 24% now.
Role of Memory-Safe Programming
According to Google, using memory-safe languages like Rust can help cut security risks in the codebase itself. The company has focused on safe code practices so that vulnerabilities do not occur in the first place, which has made this process of coding more scalable and cost-efficient over time. The more unsafe development reduces over time, memory-safe practices take up more space and render fewer vulnerabilities in total. As Jeff Vander Stoep and Alex Rebert of Google explained, the memory vulnerabilities tend to reduce even with new memory-unsafe codes being introduced. This is because vulnerabilities decay in time. Newer or recently modified code is more likely to carry issues.
Google Goes for Rust
In April 2021, the company announced that it was embracing Rust as a memory-safe language for Android development. The company has begun to concentrate on Rust for new development since 2019 and has continued to do so. Since then, memory safety flaws in Android went down from 223 in 2019 to less than 50 in 2024. Such a drastic downfall is partly due to proactive measures and improvement in discoverability tools such as those utilised with Clang sanitizers. Google also shifted its strategy from reactive patching to vulnerability prevention work by its security teams. They now focus on preventing issues before the problems crop up.
Safe Coding: The New Way
Google has learned that memory safety strategies must be evolved. The company abandoned older interventional methods like mitigations and fuzzing, instead opting for more secure-by-design principles. This type of principle allows for the embedding of security within the foundational blocks of coding, and it enables developers to construct code that-in itself-prevents vulnerabilities. This is called Safe Coding and lets Google safely make propositions regarding the code with its properties.
Combining Rust, C++, and Kotlin
In addition to promoting Rust, Google is also aiming to interface the language with other languages such as C++ and Kotlin. Thus, this practical solution allows doing memory-safe practices in ways that are pretty easy for today's needs by not rewriting older code completely. Making memory-safe languages incrementally, in itself, will eliminate entire categories of vulnerabilities and ensure all Android code is safer in the long term.
For instance, the approach of Google is based on the presumption that as the number of vulnerabilities introduced decreased, the existing ones would automatically decrease over time. This change helps improve the design of security and scalability strategies concerning memory safety so they can be applied better to large systems.
Partnership between Arm and a System for Better Security
Related to this, Google has collaborated with Arm to further enhance the security of the GPU software and firmware stack across the Android ecosystem. The result was that the former identified several security issues in the code for it. Such were two memory problems in Pixel's driver - CVE-2023-48409 and CVE-2023-48421 - and a problem in the Arm Valhall GPU firmware, CVE-2024-0153. According to Google and Arm, proactive testing is a very key role to identify vulnerabilities before they are exploited.
Future Prospects
In the future, Google aims to build a safer Android by maintaining its main focus on memory safety while pushing ahead its approach to security. The company's efforts in lessening vulnerabilities in memory, codification practice improvement, and collaboration with industry partners are targeted towards minimising memory leakage, thus ensuring long-term security solutions.
This enhances the vulnerability of Android but also acts as a role model to other tech companies that should establish memory-safe languages and secure-by-design principles in their development processes.
