Facebook today released an in-house tool that it uses to uncover security and privacy vulnerabilities in its Android and Java applications.
Named Mariana Trench (MT), the static analyzer is open source under the MIT license and is designed to find vulnerabilities in large code bases of tens of millions of lines.
According to Facebook software engineer Dominik Gabi, the company's developers have relied on automated tools like MT to find more than 50% of all security bugs in its mobile apps.
Gabi adds that the company built MT specifically for smartphone apps, which call for a different approach to mitigating security bugs than web apps do.
Prevention is better than cure
In the accompanying blog post, Gabi gives a technical overview of how the tool works and points to Facebook's tutorial for Android developers on integrating MT into their build pipeline.
Unlike web apps, which can be updated instantly to fix a bug, an Android app is only patched once users install the update; that delay gives attackers a window in which to exploit known vulnerabilities.
That is why tools like MT aim to catch security vulnerabilities during development, before they land in the shipped application.
“MT is designed to be able to analyze large mobile codebases and flag potential issues on pull requests before they go into production,” Gabi notes, adding that MT was the result of a collaboration between Facebook's security and software engineers.
MT is available on GitHub, and Facebook has also published a prebuilt package on the Python Package Index (PyPI) so that it can be installed with pip.