Engineers from Google have summed up the first results of introducing Rust support into the Android platform. In Android 13, approximately 21% of the new compiled code added is written in Rust, and 79% in C/C++. The AOSP (Android Open Source Project) repository, in which the source code of the Android platform is developed, contains approximately 1.5 million lines of Rust code related to such new components as the Keystore2 cryptographic key store, a stack for UWB (ultra-wideband) chips, an implementation of the DNS-over-HTTP3 protocol, the AVF virtualization framework (Android Virtualization Framework), and experimental stacks for Bluetooth and Wi-Fi.
In accordance with the previously adopted strategy for reducing the risk of vulnerabilities caused by memory-handling errors, Rust is still used mainly for developing new code and for gradually strengthening the security of the most exposed and vital software components. There is no overall goal of moving the entire platform to Rust: the old code remains in C/C++, and errors in it are fought through fuzz testing, static analysis, and development techniques such as the MiraclePtr type (a wrapper around raw pointers that performs additional checks on access to freed memory areas), the Scudo memory allocator (a safe replacement for malloc/free), and the memory error detection mechanisms HWAsan (Hardware-assisted AddressSanitizer), GWP-ASAN and KFENCE.
As for statistics on the nature of vulnerabilities in the Android platform, it is noted that as the amount of new memory-unsafe code decreases, the number of vulnerabilities caused by memory-handling errors decreases as well. For example, the proportion of vulnerabilities caused by memory problems decreased from 76% in 2019 to 35% in 2022. In absolute numbers, 223 memory-related vulnerabilities were identified in 2019, 150 in 2020, 100 in 2021, and 85 in 2022. 2022 was the first year in which memory-related vulnerabilities ceased to dominate.