Announcement: Facebook Releases Tool to Detect Security and Privacy Bugs in Android Apps
In a statement on Wednesday, Facebook described Mariana Trench as the company’s new open-source static analytics platform for discovering and preventing security and privacy flaws in Android apps running on the large mobile operating system ladder.
Mariana Trench is said to be customized to analyze large mobile codebases and flag potential bugs before they appear in production, according to Menlo Park-based social tech company.
With the utility, developers can define rules for specific data streams to analyze the codebase for possible bugs, such as redirection intent flaws that could lead to sensitive data being leaked. Additionally, vulnerability scanners detect injection vulnerabilities – which allow adversaries to inject arbitrary code into a program – through explicit information about the source and recipient of the data the user provides. These sources and recipients may include a database, file, web view, or log.
When data flows that violate the rules are made in a pull request from a security engineer or software engineer, they are notified.
Among its apps, which include Facebook, Instagram, and WhatsApp, more than 50% of vulnerabilities were discovered using automated tools, according to the social networking giant. It is Facebook’s third programming language service opening, following on from Zoncolan and Pysa, which specifically targeted Python and Hack.
GitHub has also taken similar actions following the acquisition of Semmle and the launch in 2019 of a security lab to safeguard open-source software, as well as to provide analytics to identify vulnerabilities in public code with CodeQL.
“Mobile and web apps require different approaches when it comes to patching and adopting code updates,” the company said.
GitHub users can access Mariana Trench, and Facebook has also published a Python package for PyPi.
Mariana Trench: How Does It Work?
MTA has a similar mechanism to that of Zoncolan and Pysa. MT’s strength lies in its ability to analyze Java and Android applications.
The data flows that security engineers do not want to see in their applications are often the basis of vulnerabilities. The application should be safe from vulnerability issues such as logging sensitive data or allowing unauthorized code injection.
An MT data flow is defined as follows:
- The point of origin is the source. The user can control this string through the *Intent.getData* method.
- Sink: the place the data goes. *Log.w* or *Runtime.exec* can be used in Android.
MT can display different flow types depending on rules. Intention redirection sinks (services from which attackers intercept sensitive data) can be discovered by specifying a rule that shows the traces between “user-controlled” sources and sinks.
Each source can be linked to a sink using MT. A Java method model is constructed for each one it finds in the codebase. An abstract interpretation technique is used for computing these models.
Mariana Trench: A Security Engineering Resource
A defense-in-depth approach to application security is being implemented by Facebook’s security engineers using MT. An engineer would typically begin her scan by defining broadly which data flows she will be interested in scanning.
Identifying where user-controlled data is being transferred (the intents available in Android’s SDK, filesystems, etc.), and where they shouldn’t be (e.g., APIs which construct SQL queries) is crucial to finding SQL injections, for example. Creating a rule connecting the two is just a start – it’s not enough to define it. The engineers must also refine the rules, as necessary, to ensure sufficient signal strength.
Using automated code scanning tools comes with inherent trade-offs, just like any engineering endeavor. For decades, the goal of static analysis research was to minimize false positives. This calculus is very different in sec+ analysis. Although MT generates more false positives, Facebook uses it to uncover more potential errors. Those working on edge cases are also interested in data flows that are practically impossible, although theoretically they could still be used for production.
As a way to help security engineers manage and triage the output, MT is designed to allow them to quickly identify whether an issue is a false positive based on parameters such as trace length or the specific functions encountered.
Facebook promotes each rule that’s been created to run with each pull request once it’s proved effective. MT can surface a violation to one of our on-call security engineers, or to the software engineer who made the pull request directly if one of the flows violates the rule.
The defense-in-depth approach integrates MT in a more comprehensive way rather than as a stand-alone solution. Facebook engineers continue to build our apps, in collaboration with software engineers, focusing on building MT in a way that improves its fidelity and diagnoses its limitations over time.
Viewing the Results: Post-Processing Static Analysis
The tools Facebook has developed to review and analyze the results created by MT (as well as Pysa) go beyond merely building the analysis systems themselves. SAPP stands for Static Analysis Post Processor.
SAPP and a command-line interface (CLI) Facebook created the first project for DefCon. Static analysis tools such as MT, as well as SAPP, were designed specifically to support them.
It makes it easy to triage the raw output from MT using SAPP. With SAPP, experts can quickly assess whether they agree with the tool’s assessment by visually seeing how data may flow from source to sink.
Step-by-step data flow can be visualized with SAPP’s trace view. In this way, the security engineer can direct himself through the possible ways in which he might reach his destination.
The SAPP presentation identifies several issues, each of which could pose a security threat. To determine if the overall issue is valid, your response should contain several traces that are materially similar. Security engineers can focus on specific results within each list using the extensive filtering and search capabilities of SAPP.
Mariana Trench: Getting Started
Facebook has released a binary distribution of MT on PyPi and there is a GitHub repository for MT. A short tutorial can also be found on GitHub.
The Facebook MT team is actively working on improving MT!