This Google Security Blog post discusses Android’s successful adoption of the Rust programming language, showing that memory safety vulnerabilities have dropped below 20% of total vulnerabilities in 2025. The key finding is that Rust code demonstrates a 1000x reduction in memory safety vulnerability density compared to C/C++ code, while also improving development efficiency with 4x lower rollback rates and 25% faster code reviews.
The post details how Rust is expanding beyond Android system services into the Linux kernel, firmware, and first-party Google applications like Nearby Presence and secure messaging protocols. It also analyzes a near-miss memory safety vulnerability (CVE-2025-48530) in Rust code that was caught before release, emphasizing that Android’s Scudo hardened allocator prevented exploitation and that even with this incident, Rust’s vulnerability density remains orders of magnitude lower than C/C++.
The overall message is that Rust enables Android to “move faster while fixing things”: it achieves better security without the traditional trade-offs of reduced performance or slower development, challenging the historical assumption that security improvements must come at a cost to productivity.