Google has released its 2025 security metrics for Android, and the data makes a compelling case that its bet on Rust as a replacement for C and C++ is paying off on two fronts simultaneously: security and developer productivity.
Memory Safety Vulnerabilities Hit a New Low
For the first time, memory safety vulnerabilities have fallen below 20% of total Android vulnerabilities. Google attributes this decline to a strategy focused on preventing vulnerabilities in new and actively developed code rather than attempting to retroactively fix legacy C and C++ codebases. The 2025 figures cover both first-party (Google-developed) and third-party open-source code changes to the Android platform across C, C++, Java, Kotlin, and Rust. Because Android operates on a 90-day industry-standard patch window, Google considers these results close to final even though the year is not yet complete.
The most striking security figure: Rust exhibits roughly a 1,000x reduction in memory safety vulnerability density compared to Android’s C and C++ code.
Rust is Now Moving as Fast as It is Safe
Google assessed development performance using the DORA framework, which measures throughput (velocity of delivering changes) and stability (quality of those changes). Key findings include:
- Fewer revisions: Rust changes of similar size require approximately 20% fewer revisions than equivalent C++ changes, a trend consistent since 2023.
- Faster code review: Rust changes spend about 25% less time in code review than C++ changes. Google attributes a notable improvement between 2023 and 2024 to growing Rust expertise within the Android team.
- Lower rollback rate: For medium and large changes, the rollback rate for Rust is approximately 4x lower than for C++. This is significant because rollbacks create cascading disruption, triggering rework, build respins, postmortems, and cross-team delays.
The volume of new Rust code in first-party Android development now rivals that of C++, making cross-language comparisons statistically meaningful. To keep comparisons valid, Google limited analysis to Android platform developers, used Gerrit’s standardized change size definitions, and tracked trends over multiple years.
A Near-Miss in Unsafe Rust
Google also disclosed a near-miss: a memory safety bug, found in a block of unsafe Rust code, that stopped short of becoming an actual vulnerability. The team used the incident to address the broader question of why Rust still provides substantial safety guarantees even when unsafe blocks are present. The analysis reinforces that unsafe Rust remains an exception requiring explicit opt-in, and that mitigations and review processes can limit exposure when such code is necessary.
Broader Adoption Continues
Google is pushing Rust adoption beyond the core Android platform into first-party applications, the Linux kernel, and firmware. The overall message from the 2025 data is that the tradeoff historically assumed between security and development speed does not hold for Rust. Across every measured dimension, writing memory-safe code in Rust is proving to be both more secure and more efficient than the C and C++ workflows it is replacing.
