Now, the company has open-sourced MT to support security engineers not just at Facebook, but across the industry. While server-side code can easily be updated instantaneously for web apps, however, mitigating a security bug in an app relies on every user updating the application on the device level.
It therefore behooves on app developers to put systems in place to help in thwarting such vulnerabilities from making it into mobile app releases.
What Open-sourcing of Mariana Trench App Debugging tool means for Developers?
MT is built for analyzing Java and Android applications, which a developer can specifically require MT to show flows by defining rules. The rule could also be specified, for instance, to finding issues that allow attackers to intercept sensitive data by defining a rule that shows all traces from “user-controlled” sources to an “intent redirection” sink.
It achieves this by computing a model for each Java method in the codebase, with the models computed using a static analysis technique called abstract interpretation.
A typical scenario is whereby a security engineer would start by broadly defining the boundaries of the data flows in scanning the codebase, defining a rule connecting the two is not enough. Therefore an engineer also has to review the identified issues and refine the rules until the results are sufficiently high-signal.
MT was built through close collaboration between security and software engineers at Facebook who trains MT to look at code and analyze how data flows through it. The analyzing of data flows is useful as many security and privacy issues can be modeled when data flow into a wrong place.
How to get Started with Mariana Trench App Debugging tool?
MT is currently available on GitHub, and a binary distribution has been released on PyPI. You can also find a short tutorial to help get you started here.
Facebook teams will actively continue to develop and improve MT, with developers who are interested in collaborating in building the project, recommended to open an issue or reach out on GitHub.