Android has shared new insights into how the platform’s long-term shift toward Rust is reshaping both security and software development. The new data reflects a decisive move toward memory safety, and, unexpectedly, faster engineering cycles across the Android ecosystem.
The Android team reported that memory safety vulnerabilities have dropped below 20% of all Android vulnerabilities for the first time. This data covers code contributions across C, C++, Java, Kotlin, and Rust in both first- and third-party components. Although the report arrives before the end of 2025, the industry-standard 90-day patch window means the numbers are unlikely to shift much before the year’s end.
Rust adoption has been central to this trend. According to the Android team, Rust offers a 1000x reduction in memory safety vulnerability density when compared to C and C++. Yet the most surprising results aren’t limited to security. Rust-based changes now carry a 4x lower rollback rate and spend 25% less time on code review.
Shifting the Balance in Systems Programming
Android’s historical reliance on systems languages like C and C++ meant that adopting Rust was never meant to replace Java or Kotlin, but to provide a safer alternative where low-level control is required. As Rust usage rises and new C++ additions slowly decline, first-party code trends now show Rust and C++ contributing comparable volumes of new systems-level code.
This parity allows meaningful performance comparisons using the DORA framework, which evaluates engineering teams based on throughput and stability. Android engineers working in both Rust and C++ were measured using similar-sized changes and overlapping developer pools to ensure fairness.
Throughput Improvements: Fewer Revisions, Faster Reviews
Data stretching back to 2023 has shown consistent patterns: Rust code requires roughly 20% fewer revisions than equivalent C++ code. Rust changes also spend 25% less time in review, a trend the Android team attributes partly to rising Rust expertise between 2023 and 2024.
While these incremental gains help, the largest improvement is visible in stability metrics.
Rust’s low rollback rate continues to decline even as its adoption surpasses C++. For medium and large changes, Rust changes are rolled back at about one-quarter the rate of C++. Because rollbacks disrupt multiple teams, initiate postmortems, and trigger rebuilds, this stability substantially increases overall productivity.
A 2022 Google survey found that engineers perceived Rust as easier to review and more likely to be correct. The new data empirically supports those perceptions.
Rust’s Footprint
Rust’s role in Android is expanding beyond platform code:
- Kernel: Android 6.12 is the first shipping kernel with Rust support enabled and includes the platform’s first production Rust driver. Android is also collaborating with Arm and Collabora on a Rust-based GPU driver.
- Firmware: Rust has been deployed in firmware for years. Android and Arm are now collaborating on Rusted Firmware-A to enhance security in high-privilege firmware environments.
First-party apps:
- Nearby Presence uses Rust for secure Bluetooth-based device discovery.
- MLS, the RCS messaging security protocol, is implemented in Rust and will appear in Google Messages in a future release.
- Chromium has replaced PNG, JSON, and web-font parsers with Rust-based memory-safe implementations.
The First Almost-Vulnerability in Rust
Android nearly shipped what would have been its first Rust-based memory safety flaw: a linear buffer overflow in CrabbyAVIF. It never reached public release, but the team assigned it CVE-2025-48530 to track it through internal channels.
The Scudo hardened allocator prevented exploitation. Scudo’s guard pages stopped the overflow and converted what could have been silent corruption into a visible crash, though crash reporting initially lacked clarity. Android has since improved overflow.
To reduce unsafe risks further, Android is adding a new deep-dive module on unsafe Rust to its Comprehensive Rust training program, focusing on sound use of unsafe blocks, undefined behavior, safety comments, and safe abstractions.
Conclusion
Android’s experience with Rust shows that even with some unsafe code, memory safety improves dramatically: only one potential vulnerability across 5 million lines, compared with around 1,000 per million lines in C/C++. This shift allows development to move faster while staying secure, replacing “move fast and break things” with a model where safety and productivity reinforce each other.
