New open-source Facebook tool hopes to find security flaws in Android apps


Facebook today released a home-brewed tool that it uses internally to discover security and privacy flaws in its Android and Java applications.

Named Mariana Trench (MT), the static analyzer is licensed under the open source MIT license, and is designed to spot vulnerabilities in large codebases made up of tens of millions of lines of code.

According to Facebook’s software engineer Dominik Gabi, developers within the company have banked on automated tools like MT to find more than 50% of all security bugs in the company’s mobile apps.

Gabi adds that the company built MT to focus on smartphone apps, which require a different approach for mitigating security bugs as compared to web apps.

Prevention is better than cure

In the announcement post, Gabi gives a technical overview of how the tool actually works, and points to Facebook’s tutorial that helps Android developers roll MT into their pipeline.

Unlike web apps, which can be updated instantly to fix a bug, patching Android apps depends on users installing the update, adding a costly delay during which attackers can exploit the vulnerabilities.

This is why tools like MT help detect security gaffes during development, before they land in the finalized app.

“MT is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production,” notes Gabi, adding that MT was the result of a collaboration between security and software engineers at Facebook.

Written in Python, MT is currently available on GitHub, and Facebook has also released a binary for the tool in the Python Package Index (PyPI) repository.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
