Facebook on Wednesday announced it's open-sourcing Mariana Trench, an Android-focused static analysis platform the company uses to detect and prevent security and privacy bugs, at scale, in applications built for the mobile operating system.
"[Mariana Trench] is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production," the Menlo Park-based social tech behemoth said.
In a nutshell, the utility lets developers define rules for the data flows the codebase should be scanned for in order to unearth potential issues (say, intent redirection flaws that could result in the leak of sensitive data, or injection vulnerabilities that would let adversaries insert arbitrary code). Each rule explicitly sets boundaries on where user-supplied data entering the app is allowed to come from (a source) and where it is allowed to flow into (a sink), such as a database, file, web view, or log.
Data flows found violating the rules are then surfaced either to a security engineer or to the software engineer who made the pull request containing the changes.
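To make the source/sink rule model concrete, here is an added example written for this article; it is not Mariana Trench's own code and does not use its rule format. It runs forward taint propagation over a tiny straight-line representation of an Android activity: calls listed as sources introduce a taint kind on their return value, a sanitizer drops it, every other call propagates the union of its arguments' taints, and a rule fires when a sink receives a taint kind the rule names. The method names, taint kinds, rule names and the statement list are all constructed for the illustration.

```python
"""Toy source-to-sink rule checker (added illustration, not Mariana Trench code).

Models the idea described above: rules pair a set of source kinds with a set of
sink kinds, and any data flow that carries a source kind into a matching sink is
reported back with the statement index, so it could be attached to a PR review.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset  # taint kinds a source call introduces
    sinks: frozenset    # sink kinds that must not receive those taint kinds


@dataclass(frozen=True)
class Stmt:
    target: Optional[str]  # variable receiving the return value; None for a pure sink call
    callee: str            # method being called (constructed, Android-flavoured names)
    args: Tuple[str, ...]  # variable names passed to the call


# Constructed method models. Real tools derive these from annotations or model generators.
SOURCE_MODELS = {  # callee -> taint kinds placed on the return value
    "Intent.getStringExtra": {"UserInput"},
    "Intent.getParcelableExtra": {"UserInput"},
}
SINK_MODELS = {    # callee -> sink kinds; any tainted argument reaches the sink
    "Context.startActivity": {"IntentRedirect"},
    "WebView.loadUrl": {"WebView"},
    "Log.d": {"Logging"},
    "SQLiteDatabase.execSQL": {"SQLQuery"},
}
SANITIZERS = {     # callee -> taint kinds removed from the return value
    "UrlAllowlist.check": {"UserInput"},
}

RULES = [
    Rule("Intent redirection", frozenset({"UserInput"}), frozenset({"IntentRedirect"})),
    Rule("User input loaded into WebView", frozenset({"UserInput"}), frozenset({"WebView"})),
    Rule("User input written to log", frozenset({"UserInput"}), frozenset({"Logging"})),
]


def analyze(stmts: List[Stmt], rules=RULES):
    """Propagate taint forward and return (stmt_index, rule_name, sink_callee, kinds)."""
    taint = {}      # variable name -> set of taint kinds currently on it
    findings = []
    for idx, s in enumerate(stmts):
        incoming = set()
        for arg in s.args:
            incoming |= taint.get(arg, set())
        # Check sinks first: the call's own return value is irrelevant to the violation.
        if s.callee in SINK_MODELS:
            for rule in rules:
                hit = incoming & rule.sources
                if hit and SINK_MODELS[s.callee] & rule.sinks:
                    findings.append((idx, rule.name, s.callee, sorted(hit)))
        if s.target is None:
            continue
        # Unknown callees propagate; sources add kinds; sanitizers strip them.
        out = set(incoming)
        out |= SOURCE_MODELS.get(s.callee, set())
        out -= SANITIZERS.get(s.callee, set())
        taint[s.target] = out
    return findings


def report(findings) -> List[str]:
    """Format findings as one-line review comments."""
    return [f"stmt {i}: {rule} via {callee} (kinds: {', '.join(kinds)})"
            for i, rule, callee, kinds in findings]


# Constructed program, standing in for an activity that reads a "next" extra from its
# launching intent, forwards it to startActivity, logs it, then allowlists it before
# loading it in a WebView.
PROGRAM = [
    Stmt("target", "Intent.getStringExtra", ("intent", "next_key")),
    Stmt("uri", "Uri.parse", ("target",)),
    Stmt("i", "Intent.setData", ("i", "uri")),
    Stmt(None, "Context.startActivity", ("i",)),       # UserInput reaches IntentRedirect
    Stmt(None, "Log.d", ("tag", "target")),            # UserInput reaches Logging
    Stmt("safe", "UrlAllowlist.check", ("target",)),   # sanitizer strips UserInput
    Stmt(None, "WebView.loadUrl", ("safe",)),          # clean: no finding
]

if __name__ == "__main__":
    for line in report(analyze(PROGRAM)):
        print(line)
```

The sanitizer step is what keeps the WebView rule quiet on the last statement; remove the `UrlAllowlist.check` call and a third finding appears, which is the kind of flow a reviewer would expect to see flagged on the pull request rather than after release.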
The social media giant said about 50% of the vulnerabilities detected across its family of apps, including Facebook, Instagram, and WhatsApp, were found using automated tools. Mariana Trench also marks the third such tool the company has open-sourced, after Zoncolan and Pysa, which target the Hack and Python programming languages, respectively.
The development also follows similar moves by Microsoft-owned GitHub, which acquired Semmle and launched a Security Lab in 2019 with the aim of securing open-source software, in addition to making semantic code analysis tools such as CodeQL freely available for spotting vulnerabilities in publicly available code.
"There are differences in patching and ensuring the adoption of code updates between mobile and web applications, so they require different approaches," the company said.
"Although server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way. This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible."
Mariana Trench can be accessed here via GitHub, and Facebook has also released a Python package on the PyPI repository.