Mariana Trench, an Android-focused static analysis tool intended to discover and prevent security and privacy issues in apps built for the mobile operating system at scale, has been open-sourced by Facebook.
Mariana Trench is a tool that scans big mobile codebases and flags possible vulnerabilities in pull requests before they are deployed.
Mariana Trench (MT) can examine huge codebases with tens of millions of lines of code to identify vulnerabilities before they are introduced.
Facebook stated that its experts discovered more than 50% of the security flaws in the company’s applications using automated methods similar to Mariana Trench.
The tool lets developers create rules for different data flows to scan the codebase for possible concerns such as intent redirection weaknesses that might lead to the loss of sensitive data or injection vulnerabilities that allow attackers to upload arbitrary code — specifically setting boundaries as to where user-supplied data entering the app is allowed to come from (source) and flow into (sink) such as methods that can execute code and retrieve or interact with user data.
Data flows that violate the rules are reported to a security engineer or the software developer who submitted the pull request with the modifications.
Mariana Trench is the company’s third open-source offering, following Zoncolan and Pysa, which target the Hack and Python programming languages, respectively.
According to the firm, patching and guaranteeing the acceptance of code changes differs across mobile and online apps, necessitating distinct techniques.
Server-side code for web apps can be fixed nearly instantly, but addressing a security flaw in an Android application requires each user to update the app on the device they own on a regular basis. As a result, it’s even more critical for every app developer to have processes in place to assist prevent vulnerabilities from making it into mobile versions.
You might also like: