Google’s Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Source: CSDN (ID: CSDNnews)

In recent years, Rust has become a rather controversial programming language. On one hand, many U.S. government agencies have publicly called for a shift away from C/C++ towards memory-safe programming languages like Rust. At the same time, major companies are competing to embrace Rust, emphasizing that it allows for writing safer code. On the other hand, there is a noticeable “backlash” among developers, with many feeling that Rust is being “overhyped” and that its learning curve is significantly steeper than that of other languages.

In this atmosphere of being both “popular and criticized,” the official Google blog recently shared an article about the real-world implementation of Rust in Android, showcasing some core data that demonstrates Rust’s impact on Android security.

With the release of this blog, discussions about Rust have surged once again. Next, let’s take a look at how Google is actually using Rust in Android.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

The proportion of memory safety vulnerabilities has dropped below 20% for the first time.

According to the latest data released by Google for 2025, the proportion of memory safety vulnerabilities in Android has dropped below 20% of all vulnerabilities for the first time.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

This statistic covers code updates from both first-party and third-party (including open-source projects) on the Android platform, involving C, C++, Java, Kotlin, and Rust.

Google stated that the reason for adopting Rust was to enhance security, and the results exceeded expectations: the density of memory safety vulnerabilities introduced by Rust is 1000 times lower compared to existing C/C++ code in Android.

Rust has not only brought effective improvements in security but has also significantly impacted software delivery efficiency—the rollback rate for Rust-related changes has decreased by 4 times, and the time required for code reviews has also been reduced by 25%. In other words, “safer” now also means “more efficient.”

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

The Real Applications of Rust

“Developing an operating system relies on low-level control and predictability provided by system-level programming languages like C, C++, and Rust,” Google stated, “While Java and Kotlin are also important in Android platform development, they play more of a complementary role and cannot replace system languages.”

Since 2021, Google has begun to introduce Rust into the Android system, making it a safe alternative to C/C++. Therefore, this analysis mainly focuses on “new or still actively developed code,” as data indicates this can more effectively reflect trends.

From the overall usage of system languages (excluding Java/Kotlin), two trends are very clear: the usage of Rust is rapidly increasing, while new C++ code is slowly declining.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Google further explained that if we only look at their first-party Android code, the amount of new Rust code is now comparable to C++, which also means that both have comparable development efficiency.

To measure this change, Google used the industry-standard DORA framework (a standard for assessing software engineering team performance), focusing on two key metrics:

  • Throughput: the speed of software change delivery

  • Stability: the quality of these changes

Cross-language comparisons can often be tricky. Google stated that they employed various methods to ensure the reliability of the comparison results, such as:

  • Similar change scale: Rust and C++ have similar functional density, although Rust is slightly denser. This difference favors C++, but the overall comparison remains valid. Google used Gerrit’s change scale definition for uniform measurement.

  • Similar developer communities: The analysis only included first-party code changes on the Android platform, with the vast majority of developers being Google software engineers, and the two groups highly overlap, with many engineers participating in both Rust and C++ code development.

  • Long-term trend tracking: As Rust usage increases, Google observes whether various metrics are steadily improving, accelerating, or reverting to average levels.

Based on this, Google has made the following new discoveries:

Throughput: Rust reviews faster, with less rework

Google pointed out that code reviews are a time-consuming and often delay-prone part of development, and “code rework” is a significant cause of delays.

Data shows that Rust performs significantly better in this regard: from 2023 onwards, Rust code requires about 20% fewer modifications on average compared to the same scale of C++.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Additionally, Rust-related changes also spend less time in code review, approximately 25% less than C++. Google speculates that the significant improvement from 2023 to 2024 may stem from the overall increase in the Android team’s proficiency with Rust.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

However, while faster reviews can indeed lead to efficiency gains, Google emphasizes that Rust’s true advantage lies in its “stability.”

Stability: Rust’s rollback rate is astonishingly low

In the DORA metrics, “rollback rate” is a key reference for measuring the quality of code changes. Google states that Rust has a clear advantage in this area: in medium to large changes, Rust’s rollback rate is about one-fourth that of C++, and as the use of Rust continues to expand, this number is decreasing.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

The value of a low rollback rate is not just about “stability.”

Google explains that rollbacks can severely disrupt organizational efficiency—they can interrupt development rhythms, slow team collaboration, and may lead to a series of chain reactions such as rebuilding, writing incident reports, and blocking other team tasks, far exceeding the impact on the engineer who submitted the code. Therefore, the stability improvements brought by Rust essentially enhance overall development throughput.

It is worth mentioning that in an internal survey conducted by Google in 2022, engineers generally believed that Rust code is easier to review and less prone to errors. The current hard data further corroborates this point.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Expanding the Battlefield: Using Rust in More Areas

Thanks to these findings, Google stated that as Rust’s support in Android system services and system libraries has matured, they are further promoting Rust’s security and productivity advantages to more areas.

  • Kernel: The Android kernel based on Linux 6.12 has enabled Rust support by default for the first time, and the first officially launched Rust driver has also appeared. Google is also collaborating with Arm and Collabora to develop a Rust version of the kernel-mode GPU driver.

  • Firmware: Firmware has high permissions and strict performance requirements, and many security measures are not applicable, so the risk of vulnerabilities is very high. Google revealed that it has been using Rust in firmware for several years and has released a series of tutorials and example code to the community (https://github.com/google/aarch64-rt). Additionally, they have collaborated with Arm on the Rusted Firmware-A project, firmly believing that Rust can bring substantial security improvements in the firmware domain.

  • Google’s First-party Apps: Several security-sensitive Google applications have also begun to use Rust to ensure memory safety from the ground up, such as:

    Nearby Presence: The protocol for securely discovering nearby Bluetooth devices has been rewritten in Rust and is now running in Google Play Services;

    MLS: The Rust implementation of the RCS secure messaging protocol will be included in future versions of Google Messages;

    Chromium: Various parsers, including PNG, JSON, and Web Fonts, have been replaced with Rust implementations, helping engineers handle data from the web more safely while adhering to the “Rule of 2.”

Google emphasizes that these cases demonstrate that Rust indeed plays a role in reducing security risks, but memory-safe languages are only part of the overall strategy, and they continue to maintain a multi-layered defense system. This “multi-layered defense” has recently proven its value once again.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Android Almost Experienced Its First Rust Memory Safety Vulnerability (But It Didn’t Happen)

However, using Rust does not equate to “zero vulnerabilities.” Google revealed that they recently successfully avoided an issue that nearly became “the first Rust memory safety vulnerability on Android”: a linear buffer overflow in CrabbyAVIF (https://android.googlesource.com/platform/external/rust/crabbyavif/).

To ensure this patch received high priority and was tracked during the release process, Google assigned it the number CVE-2025-48530.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Although the vulnerability ultimately did not reach users, Google has drawn many lessons from this incident.

Scudo: A Key Player in Critical Moments

Investigations revealed that the Scudo hardened allocator used by default in Android made the vulnerability unexploitable through a “protection page” mechanism. In other words, Scudo turned a potentially silent memory corruption issue into a noticeable crash, thereby exposing the problem.

However, Google also found that the crash reports lacked the critical information “this was caused by an overflow,” which slowed down the investigation. This issue has now been fixed, and now when an overflow touches Scudo’s protection page, the system can clearly identify it.

Google also stated that while devices like Pixel have Scudo enabled by default, they are working with more partners to promote Scudo as a mandatory option for all devices. In the meantime, they will continue to assign sufficient CVE levels to vulnerabilities that can be blocked by Scudo.

Strengthening Unsafe Rust Training: If You Can’t Eliminate It, Teach Everyone to Do It Right

Google also emphasized that operating system development cannot avoid unsafe code—whether in C, C++, or Rust’s unsafe{}—so a simple “complete ban” is not realistic. The key is to ensure developers understand how to use it safely.

To this end, Google is adding a deep module on unsafe code to its comprehensive Rust training course (https://google.github.io/comprehensive-rust/), covering topics such as reasoning about unsafe code, soundness, undefined behavior, how to use safety annotations, and how to encapsulate unsafe code.

Google believes that enhancing developers’ understanding of unsafe Rust will further improve the code quality of Android and the entire open-source ecosystem.

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Vulnerability Density Comparison: The Safety Gap of Rust is Not Insignificant

In response, some netizens expressed skepticism: “Since Rust can also have memory safety vulnerabilities, what’s the point of using Rust?”

Google’s answer is straightforward—using Rust significantly reduces vulnerability density.

Google provided a conservative estimate that the Android platform currently has about 5 million lines of Rust, with 1 potential memory vulnerability discovered (and fixed before release), leading to an estimate of 0.2 vulnerabilities per million lines (MLOC).

In contrast, historical data shows that C/C++ has a density of about 1000 vulnerabilities per million lines.

In other words, Rust has brought about a reduction of over 1000 times.

Google pointed out that memory safety vulnerabilities are extremely powerful (and historically very common); a high density of vulnerabilities can render even good security designs ineffective, as attackers can chain multiple vulnerabilities to bypass defenses. Therefore, a significant drop in vulnerability density not only reduces bugs themselves but also makes the entire security architecture more effective.

Is unsafe Rust more dangerous?

Google’s answer is—no.

Google further responded to the controversy surrounding unsafe Rust. Some argue that about 4% of unsafe{} code in Rust may be more error-prone than C/C++. However, Google’s data indicates that even under the conservative assumption that “the bug probability of unsafe Rust = the bug probability of C/C++”, its risk is still severely overestimated.

Possible reasons include:

  • unsafe{} does not disable most of Rust’s safety checks (a common misconception)

  • Encapsulation makes safety easier to reason about

  • unsafe{} blocks themselves receive more scrutiny

Google's Real-World Testing Shows Rust Reduces Android Memory Vulnerability Rate by 1000 Times Compared to C/C++!

Rust Allows Google to No Longer Choose Between “Speed” and “Safety”

Google stated that in the past, to reduce memory safety risks, they had to rely on static analysis, runtime defenses, sandbox isolation, quick patches, etc., each of which came at the cost of performance or development efficiency. But Rust has brought another route: the safest path is also the most efficient path.

Google believes that the future security of Android will continue to improve, and with the further popularization of Rust, they may even regain the performance and productivity that were sacrificed for safety in the past.

Source:security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html

– EOF –

Recommended Reading Click the title to jump

1. 20,000 programmers signed! The father of Node.js criticizes Oracle, which has a significant impact on the industry

2. Nostalgia! Microsoft revives a 34-year-old artifact with Rust, Linux users are laughing out loud

3. An Indian programmer holds 4 full-time jobs and secures a $200,000 annual salary offer

Leave a Comment