Google: Less Than 20% of New Vulnerabilities in Android are Memory Safety Related

A blog post by Google shows that memory safety vulnerabilities account for less than 20% of new vulnerabilities in Android this year, down from 76% in 2019.

This trend is a continuation of Google’s push toward writing new code in memory-safe languages. A blog post from last year described the seemingly disproportionate impact this strategy had on eliminating memory safety issues overall.

Essentially, the vulnerability density of code decays with age: code that has been in place for years has far fewer latent bugs than code written or modified recently. So rather than rewriting all the old code in Rust, the biggest reduction in new vulnerabilities comes from writing new code (and significant modifications) in Rust, while leaving the mature memory-unsafe code in place.

This shows that a project that has been written in memory-unsafe languages for years can sharply reduce its memory safety vulnerabilities without a full rewrite. Furthermore, the transition can start at any time, since the benefit comes from where new code is written rather than from how much old code has been converted.

Rust, as a low-level language, provides the control and performance needed for programming things like operating systems and browsers while maintaining memory safety: bounds checks, ownership, and the borrow checker turn the out-of-bounds and use-after-free bugs typical of C and C++ into compile errors or recoverable runtime errors.
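As an added example (not code from Google's post or from Android), the kind of new code the strategy above targets: a parser for untrusted length-prefixed input written in safe Rust. The record format, the error type, and the sample byte strings are constructed for this illustration. In C the equivalent loop is a classic out-of-bounds read when a record claims more bytes than remain in the buffer; here slicing is bounds-checked, so the same malformed input yields an `Err` rather than a memory safety bug.

```rust
// Added example: a length-prefixed record parser in safe Rust.
// Record layout (constructed for this example): [u16 big-endian length][payload].
// Bounds-checked slicing via `get` means a length field larger than the
// remaining buffer cannot read past the end; it becomes a ParseError instead.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than two bytes remained where a length header was expected.
    TruncatedHeader { offset: usize },
    /// The header claimed more payload bytes than the buffer contains.
    TruncatedPayload { offset: usize, claimed: usize, available: usize },
}

/// Parse every record in `buf`, returning borrowed payload slices (no copying).
/// Stops at the first malformed record and reports where it was.
pub fn parse_records(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < buf.len() {
        // `get` returns None instead of reading out of bounds.
        let hdr = buf
            .get(pos..pos + 2)
            .ok_or(ParseError::TruncatedHeader { offset: pos })?;
        let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
        let start = pos + 2;
        // start <= buf.len() and len <= 65535, so this cannot overflow usize.
        let end = start + len;
        let payload = buf.get(start..end).ok_or(ParseError::TruncatedPayload {
            offset: pos,
            claimed: len,
            available: buf.len() - start,
        })?;
        out.push(payload);
        pos = end;
    }
    Ok(out)
}

/// Constructed well-formed input: two records, "abc" and "z".
pub fn good_input() -> Vec<u8> {
    vec![0, 3, b'a', b'b', b'c', 0, 1, b'z']
}

/// Constructed hostile input: the header claims 0xFFFF bytes but only two follow.
pub fn overlong_input() -> Vec<u8> {
    vec![0xFF, 0xFF, b'x', b'y']
}

fn main() {
    println!("{:?}", parse_records(&good_input()));
    println!("{:?}", parse_records(&overlong_input()));
}
```

The point is not that Rust makes the length-check logic unnecessary, but that forgetting it is no longer a silent out-of-bounds read: `buf.get(..)` returns `None` and the error propagates, which is the difference between a bug report and a CVE.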

CISA in 2023 put out an urgent call for software developers to adopt memory-safe languages, citing the excessively high proportion of vulnerabilities caused by memory safety bugs.

Google’s work should serve as a template for projects looking to incorporate memory-safe languages into their codebase.