Looking to prevent memory bugs, the Android Open Source Project now supports the Rust language for development of the Android mobile OS itself, taking on development tasks that have been the domain of C/C++.
In a Google blog post on April 6, members of the Android team stressed that correctness of code in Android was a top priority for security, stability, and quality. Memory safety bugs are a top contributor to stability issues, representing about 70 percent of high-severity security vulnerabilities in Android; safety bugs in C and C++ continue to be the most difficult to address. Rust provides memory safety guarantees by leveraging compile-time checks to enforce object lifetime checks to ensure that memory accesses are valid, Android team members said. Further, Rust achieves this safety while providing performance equivalent to C and C++.
Rust joins a list of memory-safe languages for Android OS development that also includes Java and Kotlin. While the Android OS uses Java extensively to protect large portions of the platform from memory bugs, neither Java nor Kotlin are an option for lower layers of the OS. These layers require languages like C, C++, and Rust, which offer predictable performance in resource-constrained environments. Further, with C and C++, developers must manage memory lifecycles themselves, which is prone to mistakes, especially when working with complex, multithreaded codebases. Rust manages memory use automatically.
C and C++ lack the same memory safety guarantees as Rust and require robust isolation. All Android processes are sandboxed and builders of the OS follow the “rule of two” guideline for code safety (namely, choose only two: code that handles untrustworthy inputs, code that uses unsafe implementation languages such as C and C++, or code that runs with no sandbox). While this rule reduces the severity of security vulnerabilities, it has limitations. Sandboxing is expensive, consuming overhead and producing latency, while not eliminating vulnerabilities from code.
Memory-safe languages like Rust overcome these limitations, lowering the density of bugs in code, increasing the effectiveness of current sandboxing, reducing the need to sandbox, and enabling introduction of new features that are safer and lighter on resources.
The Android team’s memory-safety efforts will be focused on new development rather than rewriting mature C/C++ code. Most memory bugs occur in new or recently modified code. Team members also cautioned that adding a new language to the Android platform is a large undertaking, with toolchains and dependencies that need to be maintained, and test infrastructure and tooling needing to be updated. Also, developers have to be trained.
Rust support has been added to the Android Open Source Project during the past 18 months, with some early adopter projects to be revealed soon.