Google Sees Drop in Memory Safety Bugs in Android as Code Matures

Memory safety bugs in Android have decreased significantly as old code matures and new code uses memory-safe languages.

Google says its secure-by-design approach to software development has led to a significant reduction in memory safety vulnerabilities in Android and a lower overall risk to users.

The internet giant has been battling memory safety issues in both Android and Chrome for years, including by writing new code in memory-safe programming languages such as Rust, and the effort has paid off, it says.

Memory safety bugs accounted for 76% of Android vulnerabilities in 2019 and 24% in 2024, Google says, and the share is expected to keep falling as the platform's existing code base matures while new code is developed in memory-safe languages.

Because most security defects are found in new or recently modified code, the number of memory safety bugs falls even if the amount of memory-unsafe code in Android stays the same: existing code becomes safer as it ages, and new code is no longer adding to the unsafe pool.

“Despite the majority of code still being unsafe (but, crucially, getting progressively older), we’re seeing a large and continued decline in memory safety vulnerabilities. We first reported this decline in 2022, and we continue to see the total number of memory safety vulnerabilities dropping,” Google notes.

The overall security risk to users has also decreased, because memory safety flaws are on average significantly more severe than other vulnerability classes and more likely to be remotely exploitable, the internet giant points out.

According to Google, the transition to memory-safe languages represents a major shift in how it approaches security: reactive patching, proactive mitigations, and proactive vulnerability discovery reduced the impact of memory safety bugs but never eliminated their root cause.

“The foundation of this shift is Safe Coding, which enforces security invariants directly into the development platform through language features, static analysis, and API design. The result is a secure-by-design ecosystem providing continuous assurance at scale, safe from the risk of accidentally introducing vulnerabilities,” Google says.
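As an added illustration of the "API design" side of Safe Coding (example code written for this page, not Google's or Android's), here is a small Rust parser for a constructed length-prefixed record format. The only unsafe operation is the one the compiler cannot verify on its own, trusting the (pointer, length) pair a C caller would pass across an interoperability boundary; everything after that point uses checked slicing, so a record that claims more bytes than the buffer holds becomes an error value rather than an out-of-bounds read. The record format, the function names and the sample bytes are assumptions made for the illustration.

```rust
// Added example (not Google's code): a reader over a byte buffer in which the
// unsafe boundary is confined to one constructor and every later read is
// bounds-checked, so malformed input yields an error instead of a memory read
// past the end of the buffer.

/// A TLV record: one tag byte, one length byte, then `len` value bytes.
/// (Constructed format for this example.)
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub value: &'a [u8],
}

/// Errors a malformed buffer can produce. The same inputs, handled with
/// unchecked pointer arithmetic, would typically become an out-of-bounds read.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { offset: usize, needed: usize },
}

/// Parse consecutive TLV records from a safe slice.
pub fn parse_tlv(buf: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut out = Vec::new();
    let mut off = 0;
    while off < buf.len() {
        // Header needs two bytes; `get` returns None instead of reading past the end.
        let hdr = buf
            .get(off..off + 2)
            .ok_or(ParseError::Truncated { offset: off, needed: 2 })?;
        let (tag, len) = (hdr[0], hdr[1] as usize);
        let start = off + 2;
        // The declared length is untrusted; checked slicing enforces the invariant.
        let value = buf
            .get(start..start + len)
            .ok_or(ParseError::Truncated { offset: start, needed: len })?;
        out.push(Record { tag, value });
        off = start + len;
    }
    Ok(out)
}

/// Safe parser entry point for the kind of (pointer, length) pair a C caller
/// would hand over. The caller's contract is the one invariant the parser
/// cannot check itself, so it is the only thing marked unsafe.
///
/// # Safety
/// `ptr` must be non-null, properly aligned for u8, and point to `len`
/// readable bytes that stay valid for the lifetime `'a`.
pub unsafe fn parse_tlv_from_raw<'a>(
    ptr: *const u8,
    len: usize,
) -> Result<Vec<Record<'a>>, ParseError> {
    let buf: &'a [u8] = unsafe { std::slice::from_raw_parts(ptr, len) };
    parse_tlv(buf)
}

fn main() {
    // Constructed sample input: tag 1 with two value bytes, then tag 2 with none.
    let good = [0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00];
    println!("{:?}", parse_tlv(&good));
    // Constructed malformed input: the header claims five value bytes, one is present.
    let truncated = [0x01, 0x05, 0xAA];
    println!("{:?}", parse_tlv(&truncated));
    // The same buffer passed the way a C caller would: pointer plus length.
    let via_raw = unsafe { parse_tlv_from_raw(good.as_ptr(), good.len()) };
    println!("{:?}", via_raw);
}
```

The point of the split is that a reviewer only has to audit the one `unsafe` function and its documented contract; a length field that lies about its size is caught by `get` in safe code, and the compiler, not the programmer, guarantees that no other path in the parser can index past the slice.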


Going forward, the internet giant will focus on interoperability between memory-safe code and its existing memory-unsafe code, rather than throwing that code away and rewriting all of it.

“The concept is simple: once we turn off the tap of new vulnerabilities, they decrease exponentially, making all of our code safer, increasing the effectiveness of security design, and alleviating the scalability challenges associated with existing memory safety strategies such that they can be applied more effectively in a targeted manner,” Google says.


Written by Ionut Arghire, international correspondent for SecurityWeek.
