[TheRecord] Facebook open-sources internal tool used to detect security bugs in Android apps

Facebook has open-sourced Mariana Trench, one of its internal security tools, used by its security teams for finding and fixing bugs in Android and Java applications.

The tool, made available on GitHub a few months back but formally released today, has been used internally at Facebook in recent months to find bugs in the Facebook, Instagram, and WhatsApp Android applications.

Under the hood, Facebook said the tool works by analyzing Dalvik bytecode, the format in which Android apps are packaged for distribution.

The benefit of being able to work with Dalvik bytecode is that Mariana Trench (MT) can scan apps with or without direct access to their source code.

Mariana Trench is also the third static code analyzer that Facebook has released so far. Previous releases include:

Zoncolan (August 2019) – a tool for analyzing web apps written in the Hack programming language (used internally at Facebook to find bugs in the Facebook web apps)

Pysa (August 2020) – a tool for analyzing Python code (used internally to find bugs on the Instagram platform)

Mariana Trench works on the same design as the first two—by looking for “sources” (where data enters a codebase) and “sinks” (where data ends up).

All three tools track how data moves across a codebase to find dangerous “sinks,” such as functions that can execute code and retrieve or interact with sensitive user data.

Once a dangerous sink is found, the tool notifies developers, who can then take action to address reported issues and prevent a tiny code update in a giant codebase from accidentally opening a vulnerability in another part of the code.
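To make the source-to-sink idea concrete, here is an added toy taint analysis in Python (illustrative code, not Mariana Trench's implementation). It runs over a constructed mini-program in a hypothetical IR: a value read from an Intent extra (source) passes through a helper method and reaches a code-execution sink, while a constant reaching the same sink is correctly ignored.

```python
# Added example: a toy interprocedural source-to-sink taint analysis.
# Not Mariana Trench's code; the IR and sample program are constructed.
from typing import Dict, List, Set, Tuple

# Toy IR statements per method:
#   ("source", var, kind)        var receives data from a source of that kind
#   ("assign", dst, src)         dst = src
#   ("call", dst, callee, args)  dst = callee(args...); params are arg0, arg1, ...
#   ("sink", var, kind)          var reaches a sink of that kind
#   ("return", var)
PROGRAM = {  # constructed sample program
    "getExtra": [("source", "s", "IntentData"), ("return", "s")],
    "wrap": [("assign", "out", "arg0"), ("return", "out")],
    "handle": [
        ("call", "x", "getExtra", []),
        ("call", "y", "wrap", ["x"]),
        ("assign", "z", "const"),          # untainted constant
        ("sink", "y", "CodeExecution"),    # tainted: should be reported
        ("sink", "z", "CodeExecution"),    # clean: should not be reported
    ],
}

def analyze_method(program, name, arg_taints, depth=0):
    """Return (findings, return_taint); a taint is a set of source kinds."""
    taint: Dict[str, Set[str]] = {f"arg{i}": set(t) for i, t in enumerate(arg_taints)}
    findings: List[Tuple[str, str, str]] = []
    ret: Set[str] = set()
    if depth > 10:  # bound recursion so the toy analysis always terminates
        return findings, ret
    for stmt in program[name]:
        op = stmt[0]
        if op == "source":
            taint[stmt[1]] = {stmt[2]}
        elif op == "assign":
            taint[stmt[1]] = set(taint.get(stmt[2], set()))
        elif op == "call":  # propagate argument taint through the callee
            args = [taint.get(a, set()) for a in stmt[3]]
            sub, r = analyze_method(program, stmt[2], args, depth + 1)
            findings.extend(sub)
            taint[stmt[1]] = r
        elif op == "sink":  # report each source kind reaching this sink
            for kind in sorted(taint.get(stmt[1], set())):
                findings.append((name, kind, stmt[2]))
        elif op == "return":
            ret = set(taint.get(stmt[1], set()))
    return findings, ret

def find_flows(program, entry):
    """List (method, source_kind, sink_kind) flows reachable from entry."""
    return analyze_method(program, entry, [])[0]
```

Running `find_flows(PROGRAM, "handle")` yields one finding, the IntentData-to-CodeExecution flow through `wrap`; the constant reaching the second sink produces nothing.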

Mariana Trench was built for speed

While there are plenty of static code analyzers built for Java code and Android apps, some of which have been around for decades, Facebook said MT’s main advantage is its speed, with the tool needing around 45 minutes to go through the entire Facebook code base, estimated in the realm of tens of millions of lines of code.

The social network said that tools like Zoncolan, Pysa, and Mariana Trench are essential to its security teams, which are relying more and more on automated bug detection systems.

“In the first half of 2021, over 50 percent of the security vulnerabilities we found across our family of apps were detected using automated tools,” Facebook said today.

More details and the tool’s documentation are available on the Mariana Trench official website.

The post Facebook open-sources internal tool used to detect security bugs in Android apps appeared first on The Record by Recorded Future.
