Open-sourcing Mariana Trench: Analyzing Android and Java app security in depth

We’re sharing details about Mariana Trench (MT), a tool we use to spot and prevent security and privacy bugs in Android and Java applications. As part of our effort to help scale security through b…

Dominik Gabi

Overview

The article describes Mariana Trench (MT), a static analysis tool Facebook built, and has now open-sourced, for finding security and privacy bugs in Android and Java applications. It argues that automated analysis is the only way to keep up with security review at the scale of Facebook's mobile codebases, and explains how MT tracks data flows from sources to sinks so that problems are flagged before the code reaches production.

What You'll Learn

1. How to use Mariana Trench to analyze Android applications for security vulnerabilities
2. Why automated tools are essential for managing security in large codebases
3. How to define data flow rules in Mariana Trench to identify potential security issues

Prerequisites & Requirements

  • Understanding of static and dynamic analysis concepts
  • Familiarity with GitHub and PyPI for obtaining Mariana Trench (optional)

Key Questions Answered

How does Mariana Trench help in identifying security vulnerabilities in Android apps?
Mariana Trench analyzes data flows in Android applications to find potential vulnerabilities before they reach production. It is a static analyzer: it works on the app's Dalvik bytecode, builds a model of each Java method describing how data moves from its inputs to its outputs, and then reports flows that match rules written by security engineers. Because no device or test run is needed, the analysis can run while a change is still under review.
What are the main components of data flows in Mariana Trench?
In Mariana Trench, a data flow runs from a source, the point where interesting data enters (for example user-controlled input arriving through an Intent), to a sink, the destination where that data becomes a problem (for example a logging call). Engineers declare which methods count as sources and sinks, and a rule pairs a set of source kinds with a set of sink kinds; MT then reports every path it can find from a matching source to a matching sink, so each rule corresponds to one class of vulnerability.
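A concrete version of the source-to-sink rule just described, added here as an example and not taken from the original article or the Mariana Trench repository. It writes a model-generator file (teaching MT that the Intent returned by Activity.getIntent() is user-controlled and that the message argument of android.util.Log methods is a logging sink) and a rules file pairing the two, then checks that every kind a rule names is one that some generator can actually emit. The JSON shapes follow MT's documented rules and model-generator formats as I know them; the kind names IntentUserInput and Logging, the rule code 1001 and the file names are assumptions chosen for this example.

```python
"""
Added example (not code from the original article or the Mariana Trench
project): author a Mariana Trench rule plus the model generators that give it
something to match, and sanity-check the pair before running the analysis.

JSON shapes follow MT's documented formats as I know them; the kind names,
rule code 1001 and file names are assumptions for this example.
"""
import json
from pathlib import Path

# Model generators: where taint enters (sources) and where it must not arrive (sinks).
# Ports follow MT's convention: "Return" is the return value; "Argument(0)" is `this`
# for instance methods and the first parameter for static ones.
MODEL_GENERATORS = {
    "model_generators": [
        {
            # Source: the Intent an Activity was launched with is attacker-controlled.
            "find": "methods",
            "where": [
                {"constraint": "parent",
                 "inner": {"constraint": "name", "pattern": "Landroid/app/Activity;"}},
                {"constraint": "name", "pattern": "getIntent"},
            ],
            "model": {"sources": [{"kind": "IntentUserInput", "port": "Return"}]},
        },
        {
            # Sink: the message argument of android.util.Log.{v,d,i,w,e,wtf}.
            # These methods are static, so Argument(0) is the tag and Argument(1) the message.
            "find": "methods",
            "where": [
                {"constraint": "parent",
                 "inner": {"constraint": "name", "pattern": "Landroid/util/Log;"}},
                {"constraint": "name", "pattern": "^(v|d|i|w|e|wtf)$"},
            ],
            "model": {"sinks": [{"kind": "Logging", "port": "Argument(1)"}]},
        },
    ]
}

# Rules: one fires for every path MT finds from a listed source kind to a listed sink kind.
RULES = [
    {
        "name": "User input flows into logs",
        "code": 1001,  # assumed code; codes must be unique so SAPP can filter by rule
        "description": "Data from the launching Intent is written to logcat, "
                       "where other apps or bug reports may expose it.",
        "sources": ["IntentUserInput"],
        "sinks": ["Logging"],
    }
]


def declared_kinds(generators: dict) -> tuple[set[str], set[str]]:
    """Collect the source and sink kinds the generators can actually emit."""
    sources, sinks = set(), set()
    for gen in generators["model_generators"]:
        model = gen.get("model", {})
        sources.update(s["kind"] for s in model.get("sources", []))
        sinks.update(s["kind"] for s in model.get("sinks", []))
    return sources, sinks


def lint_rules(rules: list, generators: dict) -> list[str]:
    """Return human-readable problems with a rules/generators pair.

    A rule naming a kind that no generator produces can never match, so the
    analysis reports nothing for it and the gap goes unnoticed; a duplicated
    code makes per-rule filtering of the results ambiguous.
    """
    problems = []
    sources, sinks = declared_kinds(generators)
    seen_codes = set()
    for rule in rules:
        for kind in rule["sources"]:
            if kind not in sources:
                problems.append(f"rule {rule['code']}: no generator emits source kind {kind!r}")
        for kind in rule["sinks"]:
            if kind not in sinks:
                problems.append(f"rule {rule['code']}: no generator emits sink kind {kind!r}")
        if rule["code"] in seen_codes:
            problems.append(f"rule code {rule['code']} is used more than once")
        seen_codes.add(rule["code"])
    return problems


def write_config(out_dir: Path) -> tuple[Path, Path]:
    """Write the generator file and the rules file MT reads (file names assumed)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    gen_path = out_dir / "logging.models-generator"
    rules_path = out_dir / "rules.json"
    gen_path.write_text(json.dumps(MODEL_GENERATORS, indent=2))
    rules_path.write_text(json.dumps(RULES, indent=2))
    return gen_path, rules_path


if __name__ == "__main__":
    problems = lint_rules(RULES, MODEL_GENERATORS)
    if problems:
        raise SystemExit("\n".join(problems))
    print("wrote", *write_config(Path("mt-config")))
```

With this configuration, a method that reads an extra off getIntent() and hands it to Log.e() is exactly the path the rule asks MT to report. The rules file is passed to `mariana-trench` with `--rules-paths`; how generator files are enabled (a generator configuration listing them, plus search paths) is best confirmed against `mariana-trench --help` for the installed version rather than assumed from this example.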
What is the role of the Static Analysis Post Processor (SAPP) in conjunction with Mariana Trench?
SAPP is a standalone, separately released tool for reviewing the results Mariana Trench produces. It loads MT's output and presents each finding as a trace from source to sink through the intermediate method calls, so a security engineer can follow the path the analyzer found and decide whether it is really reachable before spending time on a fix.
How does Facebook trade off false positives against missed findings in Mariana Trench?
Facebook deliberately tunes MT to report more potential issues, accepting a higher false-positive rate in exchange for fewer misses. The reasoning is that edge cases which are theoretically exploitable but rarely reached in production are exactly the ones a stricter analyzer would drop, so MT surfaces them and leaves the final call to the engineer triaging the results.

Key Statistics & Figures

Percentage of vulnerabilities detected using automated tools
over 50 percent
In the first half of 2021, more than half of the security vulnerabilities across Facebook's family of apps were identified through automated tools.

Technologies & Tools

Security Tool
Mariana Trench
Used for identifying security and privacy vulnerabilities in Android and Java applications.
Analysis Tool
Static Analysis Post Processor (SAPP)
Helps review and analyze the results produced by Mariana Trench.

Key Actionable Insights

1. Run Mariana Trench as part of the development workflow, for example on every pull request, so Android builds are checked automatically.
   Findings then surface while a change is still under review, before a vulnerability can reach production.
2. Refine the rules, and the definitions of sources and sinks they depend on, as the application evolves.
   New entry points and new sensitive APIs appear over time; keeping the configuration current is what keeps MT's findings relevant and actionable.
3. Use the Static Analysis Post Processor (SAPP) to review MT's output.
   SAPP renders each finding as a trace from source to sink, which lets security engineers triage quickly and judge whether a reported path is real.
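A wrapper for the workflow in insights 1 and 3, added as an example that is not from the original article or the Mariana Trench project: it runs MT on a built APK and loads the result into SAPP, as a CI job might on each pull request. The command-line flags are the ones I know from the project's documentation, and `mariana-trench --help` and `sapp --help` are authoritative for the installed version; the file paths, output directory and database name are assumptions for this example.

```python
"""
Added example (not from the original article or the Mariana Trench project):
run Mariana Trench on a built APK, then load its output into SAPP for triage.

Flag names are the ones I know from the project's documentation; confirm them
with `mariana-trench --help` and `sapp --help`. Paths and the database name are
assumptions for this example.
"""
import shutil
import subprocess
import sys
from pathlib import Path


def mariana_trench_argv(apk: Path, android_jar: Path, rules: Path, out_dir: Path) -> list[str]:
    """Analysis step: MT needs the APK, the platform android.jar it was built
    against, the rules to evaluate, and a directory for its models and issues."""
    return [
        "mariana-trench",
        f"--apk-path={apk}",
        f"--system-jar-configuration-path={android_jar}",
        f"--rules-paths={rules}",
        f"--output-directory={out_dir}",
    ]


def sapp_analyze_argv(out_dir: Path, db: Path) -> list[str]:
    """Import step: SAPP parses MT's output directory into a SQLite database."""
    return ["sapp", f"--database-name={db}", "--tool=mariana-trench", "analyze", str(out_dir)]


def sapp_server_argv(db: Path, source_root: Path) -> list[str]:
    """Triage step: the SAPP web UI shows each issue as a source-to-sink trace
    next to the source files, so a reviewer can judge whether the path is real."""
    return ["sapp", f"--database-name={db}", "server", f"--source-directory={source_root}"]


def preflight(apk: Path, android_jar: Path, rules: Path) -> list[str]:
    """Fail early with readable reasons instead of a stack trace from the tools."""
    problems = []
    for tool, package in (("mariana-trench", "mariana-trench"), ("sapp", "fb-sapp")):
        if shutil.which(tool) is None:
            problems.append(f"{tool} is not on PATH (pip install {package})")
    for label, path in (("APK", apk), ("android.jar", android_jar), ("rules file", rules)):
        if not path.is_file():
            problems.append(f"{label} missing: {path}")
    return problems


def run(apk: Path, android_jar: Path, rules: Path, out_dir: Path, db: Path) -> int:
    """Run analysis and import; return the first non-zero exit code, or 0."""
    problems = preflight(apk, android_jar, rules)
    if problems:
        print("\n".join(problems), file=sys.stderr)
        return 2
    out_dir.mkdir(parents=True, exist_ok=True)
    for argv in (mariana_trench_argv(apk, android_jar, rules, out_dir),
                 sapp_analyze_argv(out_dir, db)):
        print("+", " ".join(argv))
        rc = subprocess.run(argv).returncode
        if rc != 0:
            return rc  # a failed analysis must fail the CI job, not pass silently
    print("next:", " ".join(sapp_server_argv(db, Path("app/src/main/java"))))
    return 0


if __name__ == "__main__":
    # Paths below are assumptions for a typical Gradle layout; adjust to your build.
    sys.exit(run(Path("app/build/outputs/apk/debug/app-debug.apk"),
                 Path("android-sdk/platforms/android-30/android.jar"),
                 Path("mt-config/rules.json"), Path("mt-output"), Path("sapp.db")))
```

The exit code matters more than the log output here: if the analysis step fails, the job should fail rather than silently produce an empty database that a reviewer would read as "no findings".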

Common Pitfalls

1. Relying solely on automated tools like Mariana Trench without human review can lead to missed vulnerabilities.
   While MT is powerful, its findings need to be combined with manual review to achieve comprehensive security coverage.

Related Concepts

Static Analysis Tools
Dynamic Analysis Techniques
Security Vulnerability Management
Data Flow Analysis