To make Android more secure, Google recommends that developers use Rust to write system code


As a fairly complete mobile operating system, the Android system involves many components. Broadly speaking, it can be divided into two parts: the application ecosystem and the operating system itself. For developers, the programming language they choose will vary depending on the part of Android they are developing.

For application developers, Java and Kotlin are popular choices, while for developers working on the operating system and its low-level internals, C and C++ are popular choices. Today, Google has added a third choice for operating system developers: Rust. The Android Open Source Project now supports the Rust programming language for developing the operating system.

Limitations of C and C++

The underlying layer of the Android system requires system programming languages such as C and C++. These languages provide developers with control and predictability, which is very important when accessing low-level system resources and hardware. Unfortunately, C and C++ do not provide memory safety guarantees, making them prone to errors and security vulnerabilities. It is the developer's responsibility to manage memory lifetimes in these languages, but this is easier said than done in complex, multi-threaded code bases.

C and C++ together make up tens of millions of lines of code on the Android platform. These memory safety vulnerabilities have become the most difficult source of code errors to fix, accounting for about 70% of Android's high-severity security vulnerabilities. Simply fixing these bugs has become insufficient to deal with the problem, and a better approach is to prevent these bugs in the first place.

The lack of memory safety guarantees forces developers to run Android processes in tightly constrained, unprivileged sandboxes. However, sandboxes are expensive in terms of resources: they add overhead and introduce latency. Sandboxes also cannot completely eliminate code vulnerabilities, and the high density of bugs reduces their effectiveness, since it allows attackers to chain multiple vulnerabilities.

Another limitation, which is not unique to C and C++ but applies to all memory safety issues, is that the error condition must actually be triggered in instrumented code in order to be detected. So even if your code is well tested, actual bugs may remain undetected. And when bugs are found, getting them fixed is another task, involving a long and expensive process that may not necessarily result in the correct fix. As a result, bug detection is unreliable, and given these limitations, bug prevention is a better approach.

Rust and its advantages

Rust provides memory safety guarantees by using a combination of compile-time and runtime checks to enforce object lifetime and ownership and to ensure that memory accesses are valid. This safety is achieved while providing performance comparable to C and C++. Rust also reduces the need for sandboxes, giving developers more headroom to introduce new features that are safer and lighter.


While Rust does have its benefits, it's not feasible to switch the entire Android operating system to Rust overnight. And it may not be necessary at all, as most Android memory errors occur in new or recently modified code, with about 50% of code being less than a year old. Google believes that its work on memory-safe languages is best focused on new development rather than rewriting mature C and C++ code.

What switching to Rust means for Android

Rust also focuses on preventing bugs rather than relying heavily on detecting them, thereby improving the correctness of your code. It has several key features such as memory safety, data concurrency, a more expressive type system, immutable references and variables by default, safer integer handling, better error handling in the standard library, and more.
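The following is an added example, not code from the original article or from the Android code base. It shows the compile-time and runtime checks described above on a task that is a classic source of memory bugs in C: parsing length-prefixed records from an untrusted buffer. The wire format and all names are constructed for illustration.

```rust
// Constructed wire format: [u16 big-endian length][payload], repeated.

#[derive(Debug, PartialEq)]
enum ParseError {
    TruncatedHeader,
    TruncatedPayload { wanted: usize, available: usize },
    LengthOverflow,
}

/// Returns payload slices borrowed from `buf`. The borrow checker ties their
/// lifetime to `buf` at compile time, so they cannot outlive the buffer.
fn parse_records(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut records = Vec::new();
    let mut offset: usize = 0; // variables are immutable unless marked `mut`
    while offset < buf.len() {
        // checked_add makes integer overflow an explicit error case.
        let start = offset.checked_add(2).ok_or(ParseError::LengthOverflow)?;
        // `get` is a runtime bounds check: None instead of an out-of-bounds read.
        let header = buf.get(offset..start).ok_or(ParseError::TruncatedHeader)?;
        let len = u16::from_be_bytes([header[0], header[1]]) as usize;
        let end = start.checked_add(len).ok_or(ParseError::LengthOverflow)?;
        // An attacker-controlled length larger than the buffer becomes an Err.
        let payload = buf.get(start..end).ok_or(ParseError::TruncatedPayload {
            wanted: len,
            available: buf.len() - start,
        })?;
        records.push(payload);
        offset = end;
    }
    Ok(records)
}

fn main() {
    // Constructed sample input: two well-formed records.
    let good = [0x00, 0x03, b'a', b'b', b'c', 0x00, 0x01, b'z'];
    println!("{:?}", parse_records(&good));
    // Constructed sample input: length field claims 255 bytes, only 2 follow.
    let bad = [0x00, 0xff, b'a', b'b'];
    println!("{:?}", parse_records(&bad));
}
```

Returning a slice that outlives its buffer, for example from a local array inside a function, is rejected by the compiler rather than found later by testing.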

Google said it has been adding Rust support to the Android open source project for the past 18 months. But adding a new language to the Android platform is a huge undertaking. Some toolchains and dependencies need to be maintained, testing infrastructure and tools must be updated, and developers need to be trained.
