Facebook's open source tool for finding security holes in Android apps


    Hey guys, in this article I will tell you about Facebook's open source tool for finding security holes in Android apps.



    Facebook has released a static analysis tool that its software and security engineers use internally to find potentially dangerous security and privacy holes in the company's Android and Java applications.

    This security-focused tool, called Mariana Trench (MT), can scan large codebases of tens of millions of lines of code for vulnerabilities before they are introduced into the codebase.

    Facebook revealed that its engineers found more than 50% of all security bugs in the company's applications using automated tools similar to Mariana Trench.

    How does it work?

    Mariana Trench works by analyzing the flow of information from "sources" (confidential user data such as passwords or locations) to "sinks" (functions or methods that consume that data).

    Mariana Trench is specifically designed to automatically detect those data flows that, in most cases, could lead to serious privacy and security issues.

    "By default, Mariana Trench parses the Dalvik bytecode and can work with or without access to the source code," explains Facebook on the tool's documentation website.

    "A flow from sources to sinks indicates that, for example, user passwords can be recorded in a file, which is undesirable and is referred to as a 'problem' in the context of the Mariana Trench," said the Facebook software engineer Dominik Gabi.

    Developers and engineers can use the tool to target specific security and privacy issues by fine-tuning and training it by adding new rules and model generators to fit areas where sensitive data should not end up.
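    To make the source/sink/rule idea concrete, here is a toy taint analysis written for this article; it is not Mariana Trench's code or its configuration format. It runs over a constructed, straight-line method in a three-address form (register, callee, arguments) that loosely mimics Dalvik bytecode. The "model generators" are regexes over callee names that mark a call's return value as a source of some kind or one of its arguments as a sink of some kind, and the rules pair source kinds with sink kinds; every method name, kind and rule below is an assumption made up for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed model generators: a pattern on the callee name assigns a taint
# "kind" to the call's return value (source) or to one argument (sink).
SOURCE_GENERATORS = [
    (re.compile(r"^get.*Password$"), "UserPassword"),
    (re.compile(r"^getLastKnownLocation$"), "Location"),
]
SINK_GENERATORS = [
    (re.compile(r"^Log\.[dive]$"), ("Logging", 1)),            # Log.d(tag, msg): msg is arg 1
    (re.compile(r"^FileOutputStream\.write$"), ("FileWrite", 0)),
]
# Constructed rules: a source kind reaching a sink kind is reported as an issue.
RULES = [
    ("UserPassword", "Logging", "password written to log"),
    ("UserPassword", "FileWrite", "password written to file"),
    ("Location", "Logging", "location written to log"),
]

Instr = Tuple[Optional[str], str, List[str]]  # (dest register or None, callee, args)


def classify_source(callee: str) -> Optional[str]:
    for pattern, kind in SOURCE_GENERATORS:
        if pattern.match(callee):
            return kind
    return None


def classify_sink(callee: str) -> Optional[Tuple[str, int]]:
    for pattern, model in SINK_GENERATORS:
        if pattern.match(callee):
            return model
    return None


def analyze(method: List[Instr]) -> List[str]:
    """Forward taint propagation over one straight-line method.

    Registers map to the set of source kinds that may have flowed into them;
    string/int literals in the argument list carry no taint.
    """
    taint: Dict[str, Set[str]] = {}
    issues: List[str] = []
    for dest, callee, args in method:
        in_taint = [taint.get(a, set()) for a in args]

        # Sink check: does any source kind on the sensitive argument match a rule?
        sink = classify_sink(callee)
        if sink is not None:
            sink_kind, idx = sink
            if idx < len(args):
                for src_kind in sorted(in_taint[idx]):
                    for rule_src, rule_sink, desc in RULES:
                        if (rule_src, rule_sink) == (src_kind, sink_kind):
                            issues.append(f"{desc}: {src_kind} -> {callee} (arg {idx})")

        if dest is None:
            continue
        src_kind = classify_source(callee)
        if src_kind is not None:
            taint[dest] = {src_kind}
        else:
            # Default propagation model: a call without a model passes the taint
            # of all its arguments through to its result (an over-approximation,
            # which keeps the analysis from missing flows through helpers).
            taint[dest] = set().union(*in_taint)
    return issues


# Constructed sample method: a password is concatenated and logged, and a
# location is both written to a file (no rule, not reported) and logged.
SAMPLE_METHOD: List[Instr] = [
    ("v0", "getUserPassword", []),
    ("v1", "StringBuilder.append", ['"pw="', "v0"]),
    ("v2", "StringBuilder.toString", ["v1"]),
    (None, "Log.d", ['"LoginActivity"', "v2"]),
    ("v3", "getLastKnownLocation", []),
    ("v4", "Location.toString", ["v3"]),
    (None, "FileOutputStream.write", ["v4"]),
    (None, "Log.i", ['"Geo"', "v4"]),
]

if __name__ == "__main__":
    for issue in analyze(SAMPLE_METHOD):
        print(issue)
```

    The two reported flows show why the rule table matters as much as the source and sink models: the location reaching a file write is a real flow, but no rule pairs those kinds, so it is not an issue, whereas the same value reaching a log call is. A real analyzer additionally has to follow flows across method calls, branches and loops, which this straight-line example leaves out.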

    Third open source code analysis tool since 2019

    The company previously released two other static code analysis tools designed to detect and prevent security issues in Python (Pysa) and Hack (Zoncolan) code.

    You can find the Mariana Trench code analysis tool on GitHub and its dedicated website, a binary distribution on PyPI, and a short tutorial to get started.

    “We created MT to specifically focus on Android applications. There are differences in patching and ensuring code updates are adopted between mobile and web apps, so they require different approaches,” added Gabi.

    "While server-side code can be updated almost instantly for web applications, mitigating a security bug in an Android application depends on each user updating the application on the device they own in a timely manner.

    "This makes it much more important for any application developer to implement systems to help prevent vulnerabilities from becoming mobile whenever possible."
