Mariana Trench: Tool to test Android App

Admin

Mariana Trench is a security-focused static analysis platform targeting Android.

This guide walks you through setting up Mariana Trench on your machine and finding your first remote code execution vulnerability in a small sample app.

Prerequisites

Mariana Trench requires a recent version of Python. On macOS you can get a current version through Homebrew:

$ brew install python3

On a Debian-flavored Linux (Ubuntu, Mint, Debian), you can use apt-get:

$ sudo apt-get install python3 python3-pip python3-venv

This guide also assumes you have the Android SDK installed and an environment variable $ANDROID_SDK pointing to the location of the SDK.

For the rest of this guide, we assume that you are working inside a virtual environment. You can create and activate one with

$ python3 -m venv ~/.venvs/mariana-trench
$ source ~/.venvs/mariana-trench/bin/activate
(mariana-trench)$

The name of the virtual environment in front of your shell prompt indicates that the virtual environment is active.

Installing Mariana Trench

Inside your virtual environment, installing Mariana Trench is as easy as running

(mariana-trench)$ pip install mariana-trench

Running Mariana Trench

We'll use a small app that is part of the Mariana Trench documentation. You can get it by running

(mariana-trench)$ git clone https://github.com/facebook/mariana-trench
(mariana-trench)$ cd mariana-trench/documentation/sample-app

We are now ready to run the analysis (note the line continuation after each option; the system jar must match an installed platform, here android-30):

(mariana-trench)$ mariana-trench \
  --system-jar-configuration-path=$ANDROID_SDK/platforms/android-30/android.jar \
  --apk-path=sample-app-debug.apk \
  --source-root-directory=app/src/main/java
# ...
INFO Analyzed 68886 models in 4.04s. Found 4 issues!
# ...

Exploring Results

The analysis has found 4 issues in our sample app. The output of the analysis is a set of specifications (models) for each method of the application.

Let's focus on the remote code execution issue found in the sample app. You can identify it by its issue code 1 (the code used for all remote code execution rules) and the callable void MainActivity.onCreate(Bundle). With only 4 issues to look at it is easy to identify the issue manually, but once more rules run, the filter functionality at the top right of the page comes in handy.

The issue tells you that Mariana Trench found a remote code execution in MainActivity.onCreate where the data comes from Activity.getIntent one call away and flows into the constructor of ProcessBuilder 3 calls away. Click on "Traces" in the top right corner of the issue to see an example trace.
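To make the reported flow concrete, here is an added illustration of the pattern behind an issue-code-1 finding. It is not the sample app's code and not part of the Mariana Trench project; the class, the extra name "action" and the method names are hypothetical. It shows the source (Activity.getIntent) reaching the sink (the ProcessBuilder constructor) through intermediate calls, the way the trace in the UI lays it out, and beside it a hardened variant in which Intent data only selects among fixed commands, so no tainted value ever reaches the sink.

```java
// Added illustration (not the sample app's code). Shows the source-to-sink flow that
// Mariana Trench reports as issue code 1, and a variant that breaks the flow.
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.io.IOException;

public class MainActivity extends Activity {

    // Hypothetical extra name; the real sample app may use a different one.
    private static final String EXTRA_ACTION = "action";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Source: Activity.getIntent. If this activity is exported, any app on the
        // device can deliver this Intent, which is what makes the issue "remote".
        Intent intent = getIntent();
        handleIntent(intent);          // call 1 on the sink trace
    }

    private void handleIntent(Intent intent) {
        String action = intent.getStringExtra(EXTRA_ACTION);
        runAction(action);             // call 2 on the sink trace
    }

    // VULNERABLE: the Intent-derived string is passed straight to the
    // ProcessBuilder constructor, a code-execution sink (call 3 on the trace).
    private void runAction(String action) {
        try {
            new ProcessBuilder(action).start();
        } catch (IOException e) {
            // Error handling omitted for the illustration.
        }
    }

    // HARDENED alternative for handleIntent to call instead of runAction: the
    // Intent value only chooses between constant argument vectors, so the taint
    // from getIntent never reaches the ProcessBuilder constructor and the analyzer
    // has no source-to-sink path to report. Unknown values are ignored rather than
    // falling back to the raw string.
    private void runAllowedAction(String action) {
        final String[] argv;
        switch (action == null ? "" : action) {
            case "uptime":
                argv = new String[] {"uptime"};
                break;
            case "list-tmp":
                argv = new String[] {"ls", "-l", "/data/local/tmp"};
                break;
            default:
                return;
        }
        try {
            new ProcessBuilder(argv).start();
        } catch (IOException e) {
            // Error handling omitted for the illustration.
        }
    }
}
```

The switch compares against string literals, so the value handed to ProcessBuilder is always a constant chosen in code, not the attacker-controlled extra; that is the property the analyzer checks for, and the property a code reviewer should look for when triaging an issue-code-1 report.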

The trace surfaced by Mariana Trench consists of three parts.

The source trace represents where the data is coming from. In our example, the trace is very short: Activity.getIntent is called in MainActivity.onCreate directly.