New open-source Facebook tool hopes to find security flaws in Android apps

Facebook promises it’ll continue developing the tool actively


Facebook today released a home-brewed tool that it uses internally to discover security and privacy flaws in its Android and Java applications.

Named Mariana Trench (MT), the static analyzer is licensed under the open-source MIT license, and is designed to spot vulnerabilities in large codebases made up of tens of millions of lines of code.

According to Facebook’s software engineer Dominik Gabi, developers within the company have banked on automated tools like MT to find more than 50% of all security bugs in the company’s mobile apps.

Gabi adds that the company built MT to focus on smartphone apps, which require a different approach to mitigating security bugs than web apps do.

Prevention is better than cure

In the post, Gabi gives a technical overview of how the tool actually works, and points to Facebook’s tutorial that will help Android developers integrate MT into their pipeline.

Unlike web apps, which can be updated instantly to fix a bug, patching Android apps requires users to install the update, adding a costly time delay during which attackers can exploit the vulnerabilities.

This is why tools like MT help detect security gaffes during development before they land in the finalized app.

“MT is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production,” notes Gabi, adding that MT was the result of a collaboration between security and software engineers at Facebook.

Written in Python, MT is currently available on GitHub, and Facebook has also released a binary for the tool in the Python Package Index (PyPI) repository.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.