
Facebook released Mariana Trench tool to find flaws in Android and Java apps


Facebook has released Mariana Trench, an internal tool that can be used to identify vulnerabilities in Android and Java applications.

The Facebook security team has open-sourced the code for Mariana Trench, a tool the company's experts use internally to identify vulnerabilities in Android and Java applications.

The name comes from the Mariana Trench, the deepest oceanic trench on Earth located in the western Pacific Ocean.

The tool automates part of the code review process; it belongs to a collection of tools the company uses for static and dynamic analysis of its code.

“We’re sharing details about Mariana Trench (MT), a tool we use to spot and prevent security and privacy bugs in Android and Java applications. As part of our effort to help scale security through building automation, we recently open-sourced MT to support security engineers at Facebook and across the industry.” states Facebook. “This post is the third in our series of deep dives into the static and dynamic analysis tools we rely on. MT is the latest system, following Zoncolan and Pysa, built for Hack and Python code respectively.”

Mariana Trench is a static analysis platform targeting Android that was trained by Facebook experts to identify potential flaws in Android and Java applications by analyzing Dalvik bytecode.

The tool can be customized by users according to their needs to scan for specific vulnerabilities.

The tool was optimized to analyze large codebases (tens of millions of lines of code); according to the experts, it can find vulnerabilities as code changes, before the code ever lands in the repository.

To make the tool's results easier to review, Facebook recommends a standalone post-processing tool, the Static Analysis Post Processor (SAPP).

SAPP provides a visual representation of data flow, allowing security experts to inspect possible paths.
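To make the source-to-sink idea concrete, here is an added example (not Mariana Trench's code and not its configuration format) of a toy forward taint analysis over a simplified Dalvik-style instruction list: a rule pairs a source kind with a sink kind, method models tag sources, sinks and a hypothetical sanitizer, and each finding carries the call-site path an analyst would walk in a viewer such as SAPP. All class names, registers and the rule layout are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Constructed rule and method models in the spirit of a source/sink taint configuration
# for a tool like Mariana Trench; the names and format are invented for this example.
RULE = {"name": "Intent extra reaches WebView.loadUrl",
        "sources": {"IntentExtra"}, "sinks": {"WebViewLoadUrl"}}
SOURCES = {"Landroid/content/Intent;.getStringExtra": "IntentExtra"}  # callee -> kind produced
SINKS = {"Landroid/webkit/WebView;.loadUrl": "WebViewLoadUrl"}        # callee -> kind consumed
SANITIZERS = {"Lcom/example/Util;.sanitizeUrl"}                       # hypothetical cleaner

@dataclass
class Invoke:
    """Simplified Dalvik-style invoke: callee, argument registers, result register (or None)."""
    callee: str
    args: Tuple[str, ...]
    dst: Optional[str] = None

def analyze(method: List[Invoke]) -> List[dict]:
    """Forward intraprocedural taint propagation over a straight-line method body.
    Each register maps to (taint kind, call sites the data has flowed through)."""
    taint: Dict[str, Tuple[str, List[str]]] = {}
    findings = []
    for i, ins in enumerate(method):
        site = f"{i}:{ins.callee}"
        if ins.callee in SINKS and SINKS[ins.callee] in RULE["sinks"]:
            # A tainted argument whose kind the rule lists as a source is a finding;
            # the recorded path is what a viewer such as SAPP would let an analyst inspect.
            for reg in ins.args:
                if reg in taint and taint[reg][0] in RULE["sources"]:
                    findings.append({"rule": RULE["name"], "path": taint[reg][1] + [site]})
        elif ins.dst is not None:
            if ins.callee in SOURCES:
                taint[ins.dst] = (SOURCES[ins.callee], [site])
            elif ins.callee in SANITIZERS:
                taint.pop(ins.dst, None)   # sanitizer output is treated as clean
            else:
                # Unknown callee: conservatively carry any argument taint into the result.
                flows = [taint[r] for r in ins.args if r in taint]
                if flows:
                    taint[ins.dst] = (flows[0][0], flows[0][1] + [site])
                else:
                    taint.pop(ins.dst, None)
    return findings

# Constructed method body: the Intent extra reaches loadUrl through a StringBuilder
# (one finding), while the sanitized copy passed to the second loadUrl does not.
SAMPLE = [
    Invoke("Landroid/content/Intent;.getStringExtra", ("p1", "v9"), dst="v0"),
    Invoke("Ljava/lang/StringBuilder;.append", ("v2", "v0"), dst="v1"),
    Invoke("Landroid/webkit/WebView;.loadUrl", ("p2", "v1")),
    Invoke("Lcom/example/Util;.sanitizeUrl", ("v0",), dst="v3"),
    Invoke("Landroid/webkit/WebView;.loadUrl", ("p2", "v3")),
]
```

Running `analyze(SAMPLE)` yields a single finding whose path lists the three call sites from the `getStringExtra` source through `append` to the first `loadUrl` sink.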

Facebook revealed that over 50% of vulnerabilities detected across its apps, including Facebook, Instagram, and WhatsApp, were discovered using automated tools. 

“There are differences in patching and ensuring the adoption of code updates between mobile and web applications, so they require different approaches. While server-side code can be updated almost instantaneously for web apps, mitigating a security bug in an Android application relies on each user updating the application on the device they own in a timely way.” concludes Facebook. “This makes it that much more important for any app developer to put systems in place to help prevent vulnerabilities from making it into mobile releases, whenever possible.”


Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)
