Facebook open-sources an internal tool to detect security bugs in Android applications.

Facebook has open sourced Mariana Trench, one of its internal security tools that its security team uses to find and fix bugs in Android and Java applications.

https://engineering.fb.com/2021/09/29/security/mariana-trench/

Learn more about Mariana Trench (MT), a tool for finding and preventing security and privacy bugs in Android and Java applications. As part of our efforts to enhance security through automation, we are making MT open source to help security engineers at Facebook and across the industry.

This tool has been used internally at Facebook to find bugs in the Facebook, Instagram, and WhatsApp Android applications.

Facebook commented that the tool works by analyzing Dalvik bytecode (the format in which Android applications are packaged for distribution).

https://source.android.com/devices/tech/dalvik/dalvik-bytecode

The advantage of working directly on Dalvik bytecode is that Mariana Trench (MT) can scan an app with or without access to its source code. Mariana Trench is the third static code analyzer that Facebook has released to date. Previous releases include:

  • Zoncolan (August 2019) – a tool for analyzing web apps written in the Hack programming language (used internally at Facebook to find bugs in Facebook web apps)
  • Pysa (August 2020) – a tool for analyzing Python code (used internally at Instagram to find bugs in the Instagram platform)

Mariana Trench, like the first two tools, looks for “sources”, where data enters the codebase, and “sinks”, where that data ends up.

The three tools track the movement of data across the codebase to find flows into dangerous “sinks”, such as functions that can execute code or retrieve or manipulate sensitive user data.

When data from a source reaches a dangerous sink, the tool notifies the developer, who can then fix the reported issue before a small code change in a huge code base accidentally opens up a vulnerability in another part of the code.
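The source-to-sink tracking described above, reduced to a toy interprocedural taint analysis, as an added illustration that is not Mariana Trench's code, model format or algorithm. It works on a hand-written intermediate representation rather than Dalvik bytecode; the method names (Intent.getStringExtra, Runtime.exec, SQLiteDatabase.rawQuery, Escaper.escape) and the source, sink and sanitizer tables are chosen here for the example. Each method gets a summary (which parameters reach its return value, which parameters reach a sink) so that flows through wrapper methods are still found, and a sanitizer call drops the taint.

```python
"""Toy source/sink taint analysis over a constructed IR (illustration, not MT)."""
from dataclasses import dataclass
from typing import Optional

# Constructed tables: where untrusted data enters, where it is dangerous,
# and which calls neutralise it.
SOURCES = {"Intent.getStringExtra": "IntentData"}
SINKS = {"Runtime.exec": "CodeExecution", "SQLiteDatabase.rawQuery": "SqlQuery"}
SANITIZERS = {"Escaper.escape"}


@dataclass(frozen=True)
class Stmt:
    kind: str                       # "call" or "return"
    target: Optional[str] = None    # variable receiving a call's result
    callee: Optional[str] = None    # qualified method name for calls
    args: tuple = ()                # variable names passed as arguments


@dataclass
class Method:
    name: str
    params: tuple
    body: list


@dataclass
class Summary:
    returns: frozenset = frozenset()  # taint labels that may reach the return value
    sinks: frozenset = frozenset()    # (param label, sink kind) pairs reached from params


def param(i):
    # Label meaning "whatever taint the i-th argument carries at the call site".
    return ("param", i)


def analyze_method(m, summaries):
    """Propagate taint through one method body; returns (Summary, flows)."""
    taint = {p: {param(i)} for i, p in enumerate(m.params)}
    ret, param_sinks, flows = set(), set(), set()

    def hit_sink(labels, sink_kind):
        for lbl in labels:
            if isinstance(lbl, tuple):      # depends on a parameter: record in summary
                param_sinks.add((lbl, sink_kind))
            else:                           # concrete source kind: this is a finding
                flows.add((lbl, sink_kind, m.name))

    for s in m.body:
        if s.kind == "return":
            ret |= taint.get(s.args[0], set())
            continue
        arg_taint = [taint.get(a, set()) for a in s.args]
        result = set()
        if s.callee in SOURCES:
            result = {SOURCES[s.callee]}
        elif s.callee in SANITIZERS:
            result = set()                  # sanitized value carries no taint
        elif s.callee in SINKS:
            for labels in arg_taint:
                hit_sink(labels, SINKS[s.callee])
        elif s.callee in summaries:         # apply the callee's summary
            summ = summaries[s.callee]

            def expand(lbl):
                if isinstance(lbl, tuple):
                    idx = lbl[1]
                    return arg_taint[idx] if idx < len(arg_taint) else set()
                return {lbl}

            for lbl in summ.returns:
                result |= expand(lbl)
            for lbl, sink_kind in summ.sinks:
                hit_sink(expand(lbl), sink_kind)
        if s.target is not None:
            taint[s.target] = result
    return Summary(frozenset(ret), frozenset(param_sinks)), flows


def find_flows(methods):
    """Iterate summaries to a fixpoint, then return (flows, summaries)."""
    summaries = {m.name: Summary() for m in methods}
    while True:
        flows, changed = set(), False
        for m in methods:
            summ, f = analyze_method(m, summaries)
            flows |= f
            if summ != summaries[m.name]:
                summaries[m.name] = summ
                changed = True
        if not changed:
            return flows, summaries


# Constructed sample program: a source wrapper, a sink wrapper, and a handler
# that uses both, once with and once without a sanitizer in between.
PROGRAM = [
    Method("readExtra", ("intent",), [
        Stmt("call", target="v", callee="Intent.getStringExtra", args=("intent",)),
        Stmt("return", args=("v",)),
    ]),
    Method("runCommand", ("cmd",), [
        Stmt("call", callee="Runtime.exec", args=("cmd",)),
    ]),
    Method("handleIntent", ("intent",), [
        Stmt("call", target="cmd", callee="readExtra", args=("intent",)),
        Stmt("call", callee="runCommand", args=("cmd",)),
        Stmt("call", target="safe", callee="Escaper.escape", args=("cmd",)),
        Stmt("call", callee="SQLiteDatabase.rawQuery", args=("safe",)),
        Stmt("call", callee="SQLiteDatabase.rawQuery", args=("cmd",)),
    ]),
]

if __name__ == "__main__":
    for src, sink, where in sorted(find_flows(PROGRAM)[0]):
        print(f"{src} -> {sink} in {where}")
```

Running it reports two flows in handleIntent (IntentData to CodeExecution through the runCommand wrapper, and IntentData to SqlQuery on the unsanitized argument) and none for the escaped value; the summaries are what let the analysis see through readExtra and runCommand without re-analyzing them at every call site.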

Mariana Trench is built for speed

There are many static code analysis tools for Java code and Android apps, some of which have been around for decades, but according to Facebook, MT’s biggest advantage is its speed: it takes about 45 minutes to examine the entire Facebook code base, which is estimated to be tens of millions of lines.

The social network says tools like Zoncolan, Pysa, and Mariana Trench are essential for security teams that are increasingly relying on automated bug detection systems.

In the first half of 2021, over 50% of security vulnerabilities discovered in our suite of apps were detected using automated tools.

More details and documentation of the tool can be found on the official Mariana Trench website.

Mariana Trench: a security focused static analysis tool for Android and Java applications.