Android’s Transition to Rust: A New Era in Security and Development
Android has been making substantial strides in improving its software security and development processes through a shift towards the Rust programming language. This move is focused on enhancing memory safety, which in turn improves software stability and speeds up engineering cycles across the platform.
A Significant Drop in Memory Safety Vulnerabilities
For the first time, the Android team has reported that memory safety vulnerabilities now account for less than 20% of all vulnerabilities within the ecosystem. This statistic reflects contributions across various programming languages, including C, C++, Java, Kotlin, and Rust, covering both first- and third-party components. With a 90-day standard patch window observed in the industry, this metric is expected to remain stable as 2025 approaches.
The Impact of Rust Adoption
Rust has been pivotal in this positive trend. The Android team highlights data showing that Rust code has far fewer memory safety vulnerabilities, up to 1000 times fewer than C and C++. The benefits of Rust also go beyond security. Code written in Rust has a significantly lower rollback rate (four times less than that of C++) and requires 25% less time in code review. These efficiencies are transforming the Android development landscape.
Rethinking Systems Programming
Historically, Android leaned heavily on systems programming languages like C and C++. With the integration of Rust, the goal was not to replace Java or Kotlin but to introduce a safer alternative that still offers low-level control as necessary. As Rust’s usage grows, there’s a noticeable decline in new C++ contributions. Currently, first-party code trends indicate that both Rust and C++ are being used in roughly equivalent volumes for systems-level programming. This shift enables effective performance comparisons via the DORA framework, which assesses engineering teams based on stability and throughput.
Faster Development with Fewer Revisions
Data collected over the past year shows that Rust code generally requires about 20% fewer revisions compared to similar C++ code. As expertise in Rust has developed from 2023 to 2024, changes made in Rust are also spending less time in code review—an improvement attributed to the growing familiarity with the language among developers. This trend is contributing to notable stability improvements across the platform.
Rust’s ongoing adoption is mirrored in its low rollback rate, continuously dropping even as its use surpasses that of C++. For medium and large changes, Rust modifications are rolled back at a quarter of the rate of C++. The impact of these rollbacks extends beyond individual teams, as they disrupt workflow and lead to extended postmortems. Thus, reducing the incidence of rollbacks significantly improves overall productivity.
Expanding Rust’s Role in Android
Rust’s influence on Android is no longer limited to the core platform. Significant milestones include:
- Kernel Development: The Android 6.12 Linux kernel is the first official kernel with Rust support and includes the platform’s first production Rust driver. Collaborations with companies like Arm and Collabora are also underway to develop a Rust-based GPU driver.
- Firmware Security: Rust has been integrated into firmware for some time now, with Android and Arm joining forces to work on Rusted Firmware-A to bolster security in high-privilege firmware settings.
- First-Party Applications: Various first-party apps are adopting Rust. The Nearby Presence feature uses Rust for secure Bluetooth-based device discovery, while MLS, a messaging security protocol, is set to be implemented in Rust in Google Messages. Furthermore, Chromium has made the switch to Rust for memory-safe implementations of PNG, JSON, and web-font parsers.
Addressing Vulnerabilities Wisely
Android recently faced a significant moment when it almost shipped its first Rust-based memory safety flaw—a linear buffer overflow issue in CrabbyAVIF. While the problem was rectified before public release, it was tracked internally as CVE-2025-48530. Fortunately, the Scudo hardened allocator managed to prevent exploitation, turning a potentially serious issue into a manageable crash that facilitated improved overflow handling in subsequent iterations.
To minimize risks further, Android is developing an in-depth training module on Rust’s unsafe features. This program aims to equip developers with a thorough understanding of safe abstractions, undefined behavior, and sound practices for using unsafe blocks.
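The difference between an unsound and a sound wrapper around an unsafe copy, as an added example (not code from CrabbyAVIF or Android). The function names, the error type and the sample dimensions are hypothetical and constructed for illustration.

```rust
use std::ptr;

/// Constructed error type for this example.
#[derive(Debug, PartialEq)]
pub enum CopyError {
    SizeOverflow,
    SourceTooShort { need: usize, have: usize },
    DestTooShort { need: usize, have: usize },
}

/// UNSOUND: a safe signature over an unsafe copy that trusts `width * height`.
/// If the caller-supplied dimensions exceed either slice, this reads or writes
/// past the end of a buffer (a linear overflow). Shown for contrast; never called.
#[allow(dead_code)]
pub fn copy_plane_unsound(src: &[u8], dst: &mut [u8], width: usize, height: usize) {
    let n = width * height; // wraps silently in release builds
    unsafe { ptr::copy_nonoverlapping(src.as_ptr(), dst.as_mut_ptr(), n) }
}

/// Sound: every precondition of the unsafe block is established by checks in
/// this function, so no caller input can reach undefined behaviour.
pub fn copy_plane(
    src: &[u8], dst: &mut [u8], width: usize, height: usize,
) -> Result<usize, CopyError> {
    let n = width.checked_mul(height).ok_or(CopyError::SizeOverflow)?;
    if src.len() < n {
        return Err(CopyError::SourceTooShort { need: n, have: src.len() });
    }
    if dst.len() < n {
        return Err(CopyError::DestTooShort { need: n, have: dst.len() });
    }
    // SAFETY: both slices hold at least `n` bytes (checked above), and a
    // `&[u8]` and a `&mut [u8]` cannot alias, so the regions do not overlap.
    unsafe { ptr::copy_nonoverlapping(src.as_ptr(), dst.as_mut_ptr(), n) };
    Ok(n)
}

fn main() {
    let src = [7u8; 16]; // constructed sample plane: 4x4 bytes
    let mut dst = [0u8; 16];
    println!("{:?}", copy_plane(&src, &mut dst, 4, 4));
    // Constructed oversized dimensions: 8x4 = 32 bytes claimed for 16-byte buffers.
    println!("{:?}", copy_plane(&src, &mut dst, 8, 4));
    // Constructed dimensions whose product overflows usize.
    println!("{:?}", copy_plane(&src, &mut dst, usize::MAX, 2));
}
```

The `// SAFETY:` comment lists exactly the conditions the preceding checks establish, which is what a reviewer of an unsafe block needs to verify.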
Moving Forward with Safety and Productivity
The experience gained from Rust’s implementation demonstrates that even when faced with some unsafe code, memory safety can significantly improve. The statistics speak volumes: only one potential vulnerability has been identified over 5 million lines of Rust code, compared to around 1,000 vulnerabilities per million lines in traditional C/C++ code. This paradigm shift allows development to accelerate while maintaining security, promoting a culture where safety and productivity can thrive together.


