Mariana Trench – Security Focused Static Analysis Tool For Android And Java Applications

December 20, 2021

Mariana Trench is a security focused

 

The issue tells you that Mariana Trench found a remote code execution in MainActivity.onCreate where the data is coming from Activity.getIntent one call away, and flows into the constructor of ProcessBuilder 3 calls away. Click on “Traces” in the top right corner of the issue to see an example trace.

The trace surfaced by Mariana Trench consists of three parts.

The source trace represents where the data is coming from. In our example, the trace is very short: Activity.getIntent is called in MainActivity.onCreate directly.

The trace root represents where the source trace meets the sink trace. In our example this is the activitie’s onCreate method.

The final part of the trace is the sink trace: This is where the data from the source flows down into a sink. In our example from onCreate, to onClick, to execute, and finally into the constructor of ProcessBuilder.

Configuring Mariana Trench

You might be asking yourself, “how does the tool know what is user controlled data, and what is a sink?”. This guide is meant to quickly get you started on a small app. We did not cover how to configure Mariana Trench. You can read more about that at our website under Configuration.

Contributing

For an in-depth guide on building from source and development on Mariana Trench, see the Developer’s Guide at our website.

Download Mariana-Trench

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source

You may have missed

news

Bank of England U-Turns on Critical Third Party Vulnerability Disclosure Rules

November 15, 2024
news

Sitting Ducks DNS Attacks Threaten Over 1 Million Global Domains

November 15, 2024
news

API Security Threats: 83% of Companies Experience Security Incidents

November 15, 2024
news

Microsoft Power Pages: Misconfiguration Risks and Data Exposure

November 15, 2024
news

Telecom Hack Exposes US Officials: Chinese Espionage Campaign Unveiled

November 15, 2024