We briefly cover the basics in this blog post and encourage our readers to review our previous write-ups for a more in-depth technical explanation.
The main difference is that MT is optimized for analyzing Android and Java applications. MT works very similarly to Zoncolan and Pysa. We welcome your feedback: If you are interested in collaborating with us, please open an issue or reach out to us on GitHub. Our teams are actively developing and continuing to improve MT. We’ve also written a short tutorial to help get you started. You can find MT on GitHub, and we’ve released a binary distribution on PyPI. Analyzing data flows is useful because many security and privacy issues can be modeled as data flowing into a place it shouldn’t. It was built as a result of close collaboration between security and software engineers at Facebook who train MT to look at code and analyze how data flows through it. MT is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production. This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible. While server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way.
There are differences in patching and ensuring the adoption of code updates between mobile and web applications, so they require different approaches. We built MT to focus particularly on Android applications. In the first half of 2021, over 50 percent of the security vulnerabilities we found across our family of apps were detected using automated tools.
To handle this volume of code, we build sophisticated systems that help our security engineers detect and review code for potential issues, rather than requiring them to rely on only manual code reviews.
MT is the latest system, following Zoncolan and Pysa, built for Hack and Python code respectively.įacebook’s mobile applications, including Facebook, Instagram, and Whatsapp, run on millions of lines of code and are constantly evolving to enable new functionality and improve our services. This post is the third in our series of deep dives into the static and dynamic analysis tools we rely on. As part of our effort to help scale security through building automation, we recently open-sourced MT to support security engineers at Facebook and across the industry. We’re sharing details about Mariana Trench (MT), a tool we use to spot and prevent security and privacy bugs in Android and Java applications.