Facebook has recently open-sourced Mariana Trench, an Android-focused static analysis tool designed to find and prevent security and privacy issues in mobile apps at scale.
It is intended to scan large mobile codebases and flag potential vulnerabilities in pull requests before they reach production. The tool lets developers write rules for different data flows, for example to catch intent redirection flaws that could leak sensitive data, by explicitly defining where user-supplied data entering the program may originate (a source) and where it may end up (a sink), such as a database, file, web view, or log.
Data flows that break the rules are reported to a security engineer or the software developer who provided the pull request with the modifications.
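To make the source/sink rule model concrete, here is a small added example (written for this article, not Mariana Trench's own code, configuration format or analysis engine). It runs a toy forward taint analysis over a hypothetical straight-line intermediate representation of an Android activity: calls that return user-controlled data are sources, logging, WebView and activity-launch calls are sinks, a hypothetical sanitizer clears taint, and each rule names which source kinds must never reach which sink kinds. The method names, instruction tuples and sample program are all constructed for illustration.

```python
"""Toy source/sink taint checker, constructed to illustrate rule-based data-flow analysis.

This is an illustration only; it is not Mariana Trench's implementation or rule format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset  # taint kinds a flow may originate from
    sinks: frozenset    # sink kinds that must not receive those kinds


@dataclass(frozen=True)
class Finding:
    rule: str
    source_kind: str
    sink_kind: str
    sink_callee: str
    line: int


# Hypothetical method-to-kind tables (constructed; not a real model database).
SOURCE_KINDS = {"Intent.getStringExtra": "UserInput", "Intent.getData": "UserInput"}
SINK_KINDS = {
    "Log.d": "Logging",
    "WebView.loadUrl": "WebView",
    "Context.startActivity": "IntentRedirection",
    "File.write": "FileWrite",
}
SANITIZERS = {"Sanitizer.escape"}  # hypothetical: return value is considered clean

# Instruction forms of the toy IR:
#   ("call", dest_or_None, callee, [arg variables])
#   ("assign", dest, src)


def analyze(instructions, rules):
    """Forward taint propagation; returns Findings for every rule-violating flow."""
    taint = {}  # variable name -> set of source kinds it may carry
    findings = []
    for line, instr in enumerate(instructions, start=1):
        op = instr[0]
        if op == "assign":
            _, dest, src = instr
            taint[dest] = set(taint.get(src, ()))
        elif op == "call":
            _, dest, callee, args = instr
            incoming = set()
            for arg in args:
                incoming |= taint.get(arg, set())
            # Check the call against every rule whose sink kind matches this callee.
            sink_kind = SINK_KINDS.get(callee)
            if sink_kind:
                for rule in rules:
                    if sink_kind in rule.sinks:
                        for kind in sorted(incoming & rule.sources):
                            findings.append(Finding(rule.name, kind, sink_kind, callee, line))
            # Propagate: a return value carries its arguments' taint, gains
            # source taint if the callee is a source, and is cleared by a sanitizer.
            if callee in SANITIZERS:
                out = set()
            else:
                out = set(incoming)
                if callee in SOURCE_KINDS:
                    out.add(SOURCE_KINDS[callee])
            if dest is not None:
                taint[dest] = out
    return findings


# Constructed sample: an activity reads an intent extra and passes it around.
SAMPLE_PROGRAM = [
    ("call", "extra", "Intent.getStringExtra", ["intent", "key"]),  # source
    ("call", None, "Log.d", ["tag", "extra"]),                      # user input logged
    ("assign", "target", "extra"),
    ("call", "next", "Intent.parseUri", ["target"]),                # taint flows through return
    ("call", None, "Context.startActivity", ["ctx", "next"]),       # intent redirection
    ("call", "clean", "Sanitizer.escape", ["extra"]),               # sanitized copy
    ("call", None, "WebView.loadUrl", ["view", "clean"]),           # no finding: sanitized
    ("call", None, "Log.d", ["tag", "constant"]),                   # no finding: untainted
]

RULES = [
    Rule("User input leaks to log", frozenset({"UserInput"}), frozenset({"Logging"})),
    Rule("Intent redirection", frozenset({"UserInput"}), frozenset({"IntentRedirection"})),
    Rule("User input reaches WebView", frozenset({"UserInput"}), frozenset({"WebView"})),
]


def run_sample():
    """Run the rules over the constructed program; the two unsanitized flows are reported."""
    return analyze(SAMPLE_PROGRAM, RULES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] {f.source_kind} -> {f.sink_kind} via {f.sink_callee} at line {f.line}")
```

The point a reviewer would take from the output is that the check is driven entirely by the rule table: the same propagation engine reports a log leak and an intent redirection, stays silent on the sanitized WebView load and the constant string, and adding a new class of bug means adding a rule and model entries rather than new analysis code.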
According to Facebook, over half of the vulnerabilities discovered across its family of applications, including Facebook, Instagram, and WhatsApp, were found using automated methods.
Mariana Trench is the company’s third open-source offering, following Zoncolan and Pysa, which target the Hack and Python programming languages, respectively.
Microsoft-owned GitHub has made similar efforts: it acquired Semmle and set up a Security Lab in 2019 to help secure open-source software, and it offers free semantic code analysis tools such as CodeQL for finding flaws in publicly available code.
While server-side code for web apps can be patched almost instantly, fixing a security flaw in an Android app requires every user to promptly update the app on their device. That makes it even more important for app developers to have processes in place that stop vulnerabilities from reaching a released mobile build.
Mariana Trench is available on GitHub, and Facebook has also published a Python package on PyPI.