{"id":18124,"date":"2021-09-29T11:00:06","date_gmt":"2021-09-29T18:00:06","guid":{"rendered":"https:\/\/engineering.fb.com\/?p=18124"},"modified":"2021-10-20T08:25:44","modified_gmt":"2021-10-20T15:25:44","slug":"mariana-trench","status":"publish","type":"post","link":"https:\/\/engineering.fb.com\/2021\/09\/29\/security\/mariana-trench\/","title":{"rendered":"Open-sourcing Mariana Trench: Analyzing Android and Java app security in depth"},"content":{"rendered":"

We\u2019re sharing details about<\/span> Mariana Trench<\/span><\/a> (MT), a tool we use to spot and prevent security and privacy bugs in Android and Java applications. As part of our effort to help scale security through building automation, we recently open-sourced MT to support security engineers at Facebook and across the industry.\u00a0<\/span><\/p>\n

This post is the third in our series of deep dives into the static and dynamic analysis tools we rely on. MT is the latest system, following <\/span>Zoncolan<\/span><\/a> and<\/span> Pysa<\/span><\/a>, built for Hack and Python code respectively.\u00a0<\/span><\/p>\n

Facebook\u2019s mobile applications, including Facebook, Instagram, and Whatsapp, run on millions of lines of code and are constantly evolving to enable new functionality and improve our services. To handle this volume of code, we build sophisticated systems that help our security engineers detect and review code for potential issues, rather than requiring them to rely on only manual code reviews. In the first half of 2021, over 50 percent of the security vulnerabilities we found across our family of apps were detected using automated tools.<\/span><\/p>\n

We built MT to focus particularly on Android applications. There are differences in patching and ensuring the adoption of code updates between mobile and web applications, so they require different approaches. While server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way. This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible.<\/span><\/p>\n

MT is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production. It was built as a result of close collaboration between security and software engineers at Facebook who train MT to look at code and analyze how data flows through it. Analyzing data flows is useful because many security and privacy issues can be modeled as data flowing into a place it shouldn\u2019t.<\/span><\/p>\n

You can find MT on<\/span> GitHub<\/span><\/a>, and we\u2019ve released a binary distribution on<\/span> PyPI<\/span><\/a>. We\u2019ve also written a <\/span>short tutorial<\/span><\/a> to help get you started. Our teams are actively developing and continuing to improve MT. We welcome your feedback: If you are interested in collaborating with us, please open an issue or reach out to us on GitHub.<\/span><\/p>\n

How Mariana Trench works<\/span><\/h2>\n

MT works very similarly to <\/span>Zoncolan<\/span><\/a> and <\/span>Pysa<\/span><\/a>. The main difference is that MT is optimized for analyzing Android and Java applications. We briefly cover the basics in this blog post and encourage our readers to review our previous write-ups for a more in-depth technical explanation.<\/span><\/p>\n

Security engineers often think of vulnerabilities in terms of data flows that they don\u2019t want to see in their applications. For example, an application should not be logging sensitive data or be subject to injection vulnerabilities that would allow attackers to insert malicious code.<\/span><\/p>\n

In MT, a data flow can be described by:<\/span><\/p>\n