BleepingComputer reports that memory safety vulnerabilities in Android have dropped by 68% between 2019 and 2024 as Google focused on leveraging Rust and other memory-safe languages for new code.
Although new code was prioritized for memory-safe languages, old code received only security fixes and was otherwise left largely unchanged, as Google sought to make interoperability in Android safe and convenient. While Google has combated memory safety issues through reactive patching, proactive mitigations and vulnerability discovery, and high-assurance prevention via Safe Coding, the firm regarded such techniques as increasingly "insufficient" for reaching acceptable levels of memory safety risk, as well as costly to developers, products, users, and businesses. "As highlighted by numerous government agencies, including CISA, in their secure-by-design report, 'only by incorporating secure by design practices will we break the vicious cycle of constantly creating and applying fixes,'" said Google. The development comes months after the Cybersecurity and Infrastructure Security Agency urged software developers to use memory-safe languages in new code, having noted the use of memory-unsafe languages across more than half of popular open-source projects.