Pierluigi Paganini
September 30, 2021
The Facebook security team has open-sourced the code for Mariana Trench, an internal open-source tool used by the company experts to identify vulnerabilities in Android and Java applications.
The name comes from the Mariana Trench, the deepest oceanic trench on Earth located in the western Pacific Ocean.
The tool allows to automate the code review, it is part of a collection of tools used by the company for the static and dynamic analysis of the code.
“We’re sharing details about Mariana Trench (MT), a tool we use to spot and prevent security and privacy bugs in Android and Java applications. As part of our effort to help scale security through building automation, we recently open-sourced MT to support security engineers at Facebook and across the industry.” states Facebook. “This post is the third in our series of deep dives into the static and dynamic analysis tools we rely on. MT is the latest system, following Zoncolan and Pysa, built for Hack and Python code respectively.”
Mariana Trench is a static analysis platform targeting Android that was trained by Facebook experts to identify potential flaws in Android and Java applications by analyzing Dalvik bytecode.
The tool can be customized by users according their needs to scan for specific vulnerabilities.
The tool was optimized to analyze large codebases (10s of millions of lines of code), according to the experts it can find vulnerabilities as code changes, before it ever lands in your repository.
In order to make the results of the tool more presentable it is recommended to use a standalone post processing named Static Analysis Post Processor (SAPP).
SAPP provides a visual representation of data flow, allowing security experts to inspect possible paths.
Facebook revealed that over 50% of vulnerabilities detected across its apps, including Facebook, Instagram, and WhatsApp, were discovered using automated tools.
“There are differences in patching and ensuring the adoption of code updates between mobile and web applications, so they require different approaches. While server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way.” concludes Facebook “This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible.”
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Facebook)
[adrotate banner=”5″]
[adrotate banner=”13″]
