Engineering at Meta | Security

Rust at Scale: An Added Layer of Security for WhatsApp

2026-01-27

Endigest AI Core Summary

WhatsApp rolled out a Rust-based media validation library to billions of devices as a defense-in-depth security layer against malicious files.

  • The 2015 Android Stagefright vulnerability motivated WhatsApp to build its own media validation layer independent of OS patches
  • A Rust version of the original C++ "wamedia" library was developed in parallel, with differential fuzzing and integration tests used to ensure compatibility
  • The Rust version replaced 160,000 lines of C++ with 90,000 lines of Rust, with better performance and lower runtime memory usage
  • The "Kaleidoscope" system checks for non-conformant file structures, embedded scripts in PDFs, spoofed extensions/MIME types, and known dangerous file types
  • This is described as the largest known deployment of Rust to a diverse set of end-user platforms, covering Android, iOS, Mac, Web, and Wearables
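
An added example (not WhatsApp's or Kaleidoscope's code) of three of the check categories listed above: content whose magic bytes disagree with the declared extension or MIME type, known dangerous file types, and script markers in a PDF. The function names, verdict names and signature table are assumptions made for illustration.

```rust
// Added illustration; names, verdicts and the magic table are assumptions.
#[derive(Debug, PartialEq)]
pub enum Verdict { Ok, Spoofed, Dangerous, ScriptedPdf, Unknown }

// Constructed signature table: leading magic bytes -> canonical kind.
const MAGIC: &[(&[u8], &str)] = &[
    (b"%PDF-", "pdf"), (b"\xFF\xD8\xFF", "jpg"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "exe"), (b"\x7FELF", "elf"),
];

// Identify the content from its first bytes, ignoring what the sender declared.
fn sniff(data: &[u8]) -> Option<&'static str> {
    MAGIC.iter().find(|(m, _)| data.starts_with(m)).map(|(_, t)| *t)
}

fn contains(hay: &[u8], needle: &[u8]) -> bool {
    hay.windows(needle.len()).any(|w| w == needle)
}

pub fn validate(name: &str, mime: &str, data: &[u8]) -> Verdict {
    let ext = name.rsplit('.').next().unwrap_or("").to_ascii_lowercase();
    let kind = match sniff(data) {
        Some(k) => k,
        None => return Verdict::Unknown, // unrecognised content: caller decides policy
    };
    // Known dangerous content is flagged whatever the sender claims it is.
    if kind == "exe" || kind == "elf" { return Verdict::Dangerous; }
    let expected_mime = match kind {
        "pdf" => "application/pdf",
        "jpg" => "image/jpeg",
        _ => "image/png",
    };
    // Declared extension and MIME type must both agree with the sniffed kind.
    let ext_ok = ext == kind || (kind == "jpg" && ext == "jpeg");
    if !ext_ok || !mime.eq_ignore_ascii_case(expected_mime) { return Verdict::Spoofed; }
    // Naive scan: scripts inside compressed object streams are not seen here.
    if kind == "pdf" && (contains(data, b"/JavaScript") || contains(data, b"/JS")) {
        return Verdict::ScriptedPdf;
    }
    Verdict::Ok
}

fn main() {
    // Constructed sample: executable bytes sent under an image name and MIME type.
    println!("{:?}", validate("photo.jpg", "image/jpeg", b"MZ\x90\x00\x03"));
}
```
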
Tags:
#Security & Privacy
#WhatsApp