Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Needle - Black Hat Arsenal EU 2016

Marco Lancini
November 03, 2016

Needle - Black Hat Arsenal EU 2016

I delivered a talk based on this presentation at Black Hat Arsenal EU 2016 (https://www.blackhat.com/eu-16/arsenal.html#needle) in London (November 3rd, 2016).


Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a 'one stop shop' for the majority of use cases, however iOS does not have an equivalent.

"Needle" is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.​ The only requirement in order to run Needle effectively is a jailbroken device. We will be releasing the tool and describing its architecture, capabilities and roadmap.

We will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided).

Marco Lancini

November 03, 2016

More Decks by Marco Lancini

Other Decks in Technology


  1. + A tool for auditing iOS Application Security + An

    open source, modular framework • streamline the entire process • acts as a central hub What is Needle? Black Hat Arsenal EU
  2. Motivation Beginners: easy to use Professionals: save time during assessments

    Developers: quickly test their products Black Hat Arsenal EU
  3. + Manage connections with the iDevice • SSH over Wi-Fi

    • SSH over USB + Device setup, port forwarding, cleanup… + Basic commands • shell, push/pull + App management • metadata, open, decrypt, data protection… Device Manager Black Hat Arsenal EU
  4. + Initialize and manage all the other components + Load/execute

    modules/jobs + Maintain status • global options, loaded modules, running jobs, device status… • pointers to instantiated objects • constants Framework Core Black Hat Arsenal EU
  5. + Common functionalities offered both to the Core and APIs

    + Sanitization, logging, printing… Helpers Black Hat Arsenal EU
  6. + The framework core exposes APIs to interact with the

    local and remote OS + These wraps common functionalities • file and data access • command execution • networking + Speed-up creation of new modules API Black Hat Arsenal EU
  7. Currently Supported Modules Black Hat Arsenal EU Binary •App Metadata

    •Compilation Checks •Shared Libraries •Strings •Class Dump •Install IPA •Pull IPA Storage •Binary Cookies •Cache.db Files •Plist Files •SQL Files •Dump Keychain •Screenshot Caching •Keyboard Autocomplete Caching
  8. Currently Supported Modules Black Hat Arsenal EU Dynamic •Jailbreak Detection

    •URI Handler •Heap Dump •Monitor File changes •Monitor OS Pasteboard •Syslog Monitor •Syslog Watch Hooking •Cycript shell •Frida shell •Frida trace •Frida launcher •Enumerate Classes (script) •Enumerate Methods (script) •Enumerate All Methods (script)
  9. Currently Supported Modules Black Hat Arsenal EU Comms •List Installed

    Certificates •Export Installed Certificates •Import Installed Certificates •Delete Installed Certificates •Install MitmProxy CA Certificate •Intercepting Proxy Static •Code Checks
  10. Roadmap Black Hat Arsenal EU •Replace all the dependencies Agent

    to deploy on device Support for non-jailbroken devices •Substrate integration •WebView scanner •Hook Swift methods •URI handlers fuzzer •Pinning detection/bypass •Obfuscation detection New modules … community based