Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Facebook Open-Sources ‘Mariana Trench’ Code Analysis Tool

Facebook’s security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications.

Facebook’s security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications.

Named after the deepest oceanic trench on Earth, Facebook built Mariana Trench internally to handle the analysis of applications at scale, to help significantly reduce the risk of delivering security and privacy errors in production.

Designed to automate code analysis, this is the third static and dynamic analysis tool that Facebook has made public, following the release of Zoncolan and Pysa in 2019 and 2020.

The tool (available on Github) can scan large mobile codebases to identify potential flaws on pull requests and has already been trained by Facebook’s security and software engineers.

Facebook said Mariana Trench works much like Zoncolan and Pysa (which target Hack and Python code, respectively), with the main difference being its optimization for Android and Java applications (through Dalvik bytecode analysis).

According to Facebook, the tool can be customized to hunt for specific vulnerabilities only, even in large codebases, by simply defining rules to tell it where data comes from and where it shouldn’t go.

[READ: Microsoft Introduces Free Source Code Analyzer ]

“A rule could specify, for example, that we want to find intent redirections (issues that allow attackers to intercept sensitive data) by defining a rule that shows us all traces from ‘user-controlled’ sources to an ‘intent redirection’ sink,” the social media giant said.

Part of a broader defense-in-depth approach at Facebook, the tool relies on abstract interpretation (static analysis method) to identify possible paths from each source to its sink.

Results produced by Mariana Trench can be reviewed and analyzed using a standalone processing tool called Static Analysis Post Processor (SAPP), which Facebook first detailed at DefCon last year and which was designed to “visually demonstrate how data can potentially flow from source to sink so it is easier for experts to quickly evaluate whether they agree with the tool’s assessment.”

By illustrating data flow step-by-step, SAPP makes it easy for security engineers to walk through possible paths. However, it can also group traces that are materially similar, and enables engineers to filter and search through results.

Facebook has published a tutorial to help engineers get started with the tool.

Related: Facebook Open Sources Analysis Tool for Python Code

Related: Microsoft Introduces Free Source Code Analyzer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.