Google is developing parts of Android in Rust to improve security
Android as a complete OS solution involves a lot of moving parts. Very broadly speaking, these parts are the app ecosystem and then the OS itself. As a developer, your programming language of choice varies depending on what part of Android you are working on. For app developers, Java and Kotlin are popular options. For developers working on the OS and the lower levels within it, C and C++ have been popular choices so far. Today, Google is adding a third option for OS developers, as the Android Open Source Project now supports the Rust programming language for developing the OS itself.
Limitations of C and C++
Lower levels of the Android OS require systems programming languages like C and C++. These languages provide developers with control and predictability, which is important when accessing low-level system resources and hardware.
Unfortunately, C and C++ fail to provide memory safety guarantees, making them prone to bugs and security vulnerabilities. The developer is responsible for managing memory lifetime on these languages, but in complex and multi-threaded codebases, that is easier said than done.
C and C++ together constitute tens of millions of lines of code on the Android platform. These memory safety bugs become the most difficult-to-address source of incorrectness of code, representing ~70% of Android’s high severity security vulnerabilities. Merely fixing these bugs becomes insufficient to deal with the issue, and a better approach would be to prevent them in the first place.
The lack of memory safety guarantees forces developers to run Android processes within tightly constrained and unprivileged sandboxes. But sandboxes are expensive on resources, consuming additional overhead and introducing latency. Sandboxing also doesn’t eliminate the code’s vulnerabilities entirely, and its efficacy is reduced because of high bug density, further allowing attackers to chain multiple vulnerabilities.
Another limitation, though not unique to C and C++ but applicable to all memory safety issues, is that the erroneous state must actually be triggered in instrumented code in order to be detected. So even if your code has excellent testing, the actual bug may stay undetected. And when bugs are found, getting them fixed is another task, involving a long and costly process that may not always lead to a correct fix. Thus, bug detection becomes unreliable, and bug prevention is the better approach to take in light of these limitations.
This is where the switch to a memory-safe language like Rust comes into the picture.
Rust and its benefits
Rust provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership, and runtime checks to ensure that memory accesses are valid. This safety is achieved while providing equivalent performance to C and C++. Rust also reduces the need for sandboxing, allowing developers more overhead room to introduce new features that are safer and lighter on resources.
While Rust does indeed have its benefits, it’s not feasible to switch the entire Android OS to Rust overnight. And that might not even be needed, as most of Android’s memory bugs occur in new or recently modified code, with about 50% being less than a year old. Google believes that its memory-safe language efforts are best focused on new developments rather than rewriting mature C and C++ code.
Rust also focuses on preventing bugs rather than leaning heavily on the detection of bugs, resulting in improved correctness of code. It has several key features, such as memory safety, data concurrency, more expressive type systems, immutable references and variables by default, safer integer handling, better error handling in standard libraries, and much more.
What does the switch to Rust mean for Android?
Google says that it has been adding Rust support to the Android Open Source Project for the past 18 months. But adding a new language to the Android platform is an enormous undertaking. Some toolchains and dependencies need to be maintained, test infrastructure and tooling must be updated, and developers need to be trained.
Google has a few early adopter projects that they will be sharing in the coming months. But even so, it is being made clear that scaling Rust support to more of the OS is a multi-year project.
From what we can see, Google is already using Rust at a few places. Android’s new Bluetooth stack rewrite code-named “Gabeldorsche” is being written in Rust. Work started on Gabeldorsche around the time of Android 11 but is still not in use yet. Android’s Keystore 2.0 module is written in Rust, and so is the userspace portion of binder, Android’s IPC driver. While not related to Android, Fuchsia‘s new netstack is also being written in Rust.
For app developers, the switch changes nothing about how you, as an app developer, write apps or how the framework APIs work. This switch only affects how the OS is written. According to a member of the Android Developer Relations team, Google also does not plan to release a Rust NDK at the moment. The supported languages for app development will continue to be Kotlin, Java, C, and C++.