Key Takeaways
- Google’s new code practices cut Android memory-related vulnerabilities from 76% to 24% over six years.
- Google emphasizes secure coding to prevent memory vulnerabilities, transitioning to languages like Rust.
- Prioritizing secure code practices will lead to long-term benefits for Android users and developers.
Staying safe online with modern-day cybersecurity risks is down to your caution and diligence before trusting web links and apps. However, our friends at XDA would attest that secure hardware features such as ECC for device RAM are essential for critical applications, and a nice-to-have even otherwise, given their negligible impact on performance. Google believes the same is true for code on Android, and just shared how new coding practices have helped cut Android’s app memory-related vulnerabilities from 76% to just 24% over six years.
How the AOSP is coded directly determines how easily bad actors can find a way in and plant malicious code, which could be anything from info-stealer malware to ransomware. Part of these risks stems from memory vulnerabilities, where manipulated app code can give threat actors unauthorized access to your device’s memory, and Google’s new Safe Coding guidelines could go a long way toward securing your OS.
Google is transitioning to new languages like Rust to reduce its dependency on memory-unsafe code. However, the company also highlights research showing that vulnerabilities declined even as the use of memory-unsafe languages grew. That’s because these issues are usually concentrated in new code, so the risk declines exponentially as adoption of safer practices for new code increases. This means that as long as new code is made safer, the benefits compound as the bugs in older code are ironed out and the codebase matures.
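The argument above can be made concrete with a toy model (added here as an illustration, not Google's own data or code): each year a fixed amount of code is added, vulnerability density decays exponentially with code age, and from a chosen year onward new code is written in a memory-safe language. The constants, decay rate and the `simulate` function are assumptions chosen for illustration.

```python
"""Toy model: memory-safety bugs cluster in new code and their density decays
with code age, so making only *new* code memory-safe drives down the share of
memory-safety vulnerabilities without rewriting the old code.
All parameters are illustrative assumptions, not measured Android data."""
import math

# Illustrative constants (assumed, not from the original post)
NEW_KLOC_PER_YEAR = 1000.0   # code added each year, in thousands of lines
MEM_DENSITY_NEW = 1.0        # memory-safety vulns per kLOC of brand-new unsafe code
OTHER_DENSITY_NEW = 0.3      # other vulns per kLOC of brand-new code (any language)
DECAY = 0.7                  # per-year exponential decay of vulnerability density


def density(base, age_years):
    """Vulnerability density of code that is `age_years` old."""
    return base * math.exp(-DECAY * age_years)


def simulate(years, switch_year, safe_share):
    """Return, per year, the share of all vulnerabilities that are memory-safety bugs.

    Code written in or after `switch_year` is a fraction `safe_share` (0..1)
    memory-safe; memory-safe code contributes no memory-safety bugs but still
    carries the ordinary (logic, injection, ...) vulnerability density.
    """
    cohorts = []   # (year written, kLOC memory-unsafe, kLOC memory-safe)
    shares = []
    for year in range(years):
        safe_frac = safe_share if year >= switch_year else 0.0
        cohorts.append((year,
                        NEW_KLOC_PER_YEAR * (1.0 - safe_frac),
                        NEW_KLOC_PER_YEAR * safe_frac))
        mem = other = 0.0
        for written, unsafe_kloc, safe_kloc in cohorts:
            age = year - written
            mem += unsafe_kloc * density(MEM_DENSITY_NEW, age)
            other += (unsafe_kloc + safe_kloc) * density(OTHER_DENSITY_NEW, age)
        shares.append(mem / (mem + other))
    return shares


if __name__ == "__main__":
    # All new code memory-safe from year 4 onward: share falls every year after.
    for year, share in enumerate(simulate(10, switch_year=4, safe_share=1.0)):
        print(f"year {year}: memory-safety share = {share:.1%}")
```

With every line still memory-unsafe the share stays flat at about 77%, because both bug classes age at the same rate; once new code is memory-safe the share drops each year even though the old unsafe code is never touched.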
Prioritizing prevention to keep memory safe
This approach, which emphasizes the security of new code, may pose challenges initially but will have long-term benefits. These efforts are already bearing fruit on Android, where memory-safe coding practices have been preferred since 2019. Google shared plenty of data in a developer blog post detailing the shift and its advantages.
Source: Google
Although this code-level change shouldn’t have an impact on the average Android user, it could mean developers and Google’s Android team won’t have to engage in as much last-minute firefighting with software updates, Play system updates, and app patches as before. In any case, Google says the AOSP is already well below the roughly 70% share of vulnerabilities that memory-safety bugs account for across the industry.