Google’s commitment to security is evident in its strategic shift towards memory-safe languages, which has significantly reduced the prevalence of memory safety issues in Android. This transition is part of a broader initiative to enhance the security of the Android ecosystem. Buffer overflows and use-after-free bugs, once the most common vulnerabilities in Android, have seen a dramatic decrease. In 2019, these issues accounted for 76% of all vulnerabilities. However, recent data shows that they now represent only 24% of all Android vulnerabilities. This substantial reduction can be attributed to Google’s adoption of memory-safe languages, which inherently prevent such vulnerabilities.
Memory safety vulnerabilities have traditionally accounted for, and continue to account for, more than 60% of all application software vulnerabilities. They have also been disproportionately severe when compared to other flaws. For instance, in 2022, memory-related bugs made up only 36% of all identified Android vulnerabilities but accounted for 86% of the most severe flaws in the operating system and 78% of confirmed exploited Android bugs. Much of this has to do with how widely used programming languages such as C and C++ allow software developers to directly manipulate memory, leaving the door open for errors to creep in. In contrast, memory-safe languages like Rust, Go, and C# feature automatic memory management and built-in safety checks against common memory-related bugs. Numerous security stakeholders including the US Cybersecurity and Infrastructure Security Agency (CISA) and even the White House have raised concerns over heightened security exposure associated with using memory-unsafe languages and the substantial costs involved in addressing them. While the shift to memory-safe languages has been slowly gaining momentum, many expect it will take years and possibly decades to move existing code bases entirely to memory-safe code.
This trend is a reflection of the broader industry’s move towards safer, more reliable programming practices. In recent years, Google has made significant strides in enhancing the safety and reliability of its Android platform. One of the key strategies it has adopted is the use of memory-safe languages such as Rust. This move has been instrumental in reducing the incidence of memory-related issues, which have historically been a major concern in Android development.
Google’s memory safety initiatives in C and C++. The percentage of Android vulnerabilities that were memory-related. The investment by Google in memory safety tools for C and C++. The impact of these bugs on Android security. Google’s commitment to enhancing memory safety in C and C++ is a testament to the ongoing efforts to bolster the security of their existing codebases written in these languages.
“The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code,” the researchers said.