New Facebook Open-Sources Tool to Find Flaws in Android App Security

Facebook has recently open-sourced a static analysis tool that its software and security engineers use internally to discover potential security and privacy flaws in the company’s Android and Java applications.

The security-focused tool, called Mariana Trench (MT), can analyze large codebases of tens of millions of lines of code to flag vulnerabilities before they are introduced into the codebase.

Facebook stated that its engineers discover more than 50% of all security flaws across the company’s applications using automated tools such as Mariana Trench.

How Does It Work?

Mariana Trench works by tracing the flow of data from “sources” (sensitive user information such as credentials or locations) to “sinks” (functions or methods that consume data originating from those sources).

Mariana Trench is designed to discover such issues automatically, since in most cases they could result in severe privacy and security flaws. “By default Mariana Trench analyzes dalvik bytecode and can work with or without access to the source code,” Facebook explains on the tool’s documentation site.

“A progress from sources to sinks shows that data such as user credentials may get logged into a file, which is not desirable and is known as an ‘issue’ in the context of Mariana Trench,” a Facebook software engineer said.

Developers and engineers can use the tool to focus on specific security and privacy concerns by tuning it with new rules and model generators, so that it homes in on the places where critical data shouldn’t end up.
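To make the source-to-sink idea concrete, here is a small added example (not Mariana Trench code; MT’s real model-generator and rule formats differ from these dicts) that models a few constructed Android-style methods as sources and sinks, pairs their kinds with rules, and reports the credential-to-log flow as an issue while leaving a location flow that matches no rule alone.

```python
"""Toy source-to-sink taint analysis in the spirit of Mariana Trench (added example; not MT's code)."""

# Constructed models: sources produce sensitive data, sinks consume it; both carry a "kind".
SOURCES = {"Credentials.getPassword": "UserCredential", "LocationManager.getLastLocation": "UserLocation"}
SINKS = {"Log.d": "Logging", "HttpClient.post": "Network"}
# Rules pair source kinds with sink kinds; a flow matching a rule is reported as an issue.
RULES = [{"code": 1, "sources": {"UserCredential"}, "sinks": {"Logging"}},
         {"code": 2, "sources": {"UserLocation"}, "sinks": {"Network"}}]
# Constructed program. Statements: ("assign", var, callee, args), ("call", callee, args),
# ("return", var). The password reaches Log.d only through two helper methods.
PROGRAM = {
    "LoginActivity.login": {"params": [], "body": [
        ("assign", "pw", "Credentials.getPassword", []),
        ("assign", "tok", "LoginActivity.buildToken", ["pw"]),
        ("call", "LoginActivity.debug", ["tok"])]},
    "LoginActivity.buildToken": {"params": ["s"], "body": [
        ("assign", "t", "Util.encode", ["s"]), ("return", "t")]},
    "LoginActivity.debug": {"params": ["msg"], "body": [("call", "Log.d", ["msg"])]},
    "MapActivity.show": {"params": [], "body": [  # location stored locally: no rule matches
        ("assign", "loc", "LocationManager.getLastLocation", []), ("call", "Prefs.put", ["loc"])]},
}

def analyze(method: str, args: list, issues: list, stack: tuple = ()) -> set:
    """Propagate taint kinds through `method`, appending issues; returns the result's taint."""
    if method in SOURCES:
        return {SOURCES[method]}
    if method in SINKS:
        for rule in RULES:
            if SINKS[method] in rule["sinks"]:
                for kind in sorted(set().union(*args) & rule["sources"]):
                    issues.append({"code": rule["code"], "sink": method, "source": kind})
        return set()
    if method not in PROGRAM or method in stack:
        return set().union(*args)  # unknown library method or recursion: assume pass-through
    env = dict(zip(PROGRAM[method]["params"], args))
    result: set = set()
    for stmt in PROGRAM[method]["body"]:
        if stmt[0] == "return":
            result |= env.get(stmt[1], set())
        else:
            ret = analyze(stmt[-2], [env.get(a, set()) for a in stmt[-1]], issues, stack + (method,))
            if stmt[0] == "assign":
                env[stmt[1]] = ret
    return result

def find_issues() -> list:
    """Analyze every parameterless method as an entry point; return all issues found."""
    issues: list = []
    for entry in (m for m, model in PROGRAM.items() if not model["params"]):
        analyze(entry, [], issues)
    return issues
```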


Third Code Analysis Tool Open-Sourced Since 2019

The company previously released two other static code analysis tools designed to detect and prevent security issues in Python code (Pysa) and Hack code (Zoncolan).

“We built MT to focus particularly on Android applications. There are differences in patching and ensuring the adoption of code updates between mobile and web applications, so they require different approaches,” Gabi stated.

“While server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way.

“This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible.”
