OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[iOS Tool] Needle #1409

Closed sushi2k closed 4 years ago

sushi2k commented 5 years ago

Describe the issue

Needle doesn't seem to be maintained anymore. The last update was > 1 year ago and no issues have been answered this year. It also doesn't seem to work on iOS JB devices with Chimera. https://github.com/mwrlabs/needle/issues/273

We should review where we use Needle and if other tools are a better alternative (e.g. objection, passionfruit).

commjoen commented 5 years ago

Needle still does the job for me if I want to use it with an iOS 12 jailbroken device with unc0ver. There are quite a few tools that require using unc0ver. I think we can re-evaluate after a year again.

cpholguera commented 5 years ago

I was doing some research on Needle (for the sake of going towards offering the most up-to-date and relevant tools).

Considering that:

Here's an overview of how we currently use Needle in the MSTG and the alternatives:

| Usage | Alternative | Already in the MSTG? |
| --- | --- | --- |
| "connect to your iPhone's USB" | `iproxy 2222 22` & `ssh -p 2222 root@localhost` | YES |
| "capture the logs of an iOS application" | Xcode, socat+syslog, passionfruit | YES |
| "list the content of the keychain" (jailbroken only) | Objection (Jailbroken / non-Jailbroken) ios keychain dump/add/clear, passionfruit | YES |
| "Searching for Binary Cookies" | objection ios cookies get & passionfruit Storage -> Cookies | TBA |
| "Searching for Property List Files" | passionfruit/find | TBA |
| "Searching for Cache Databases" | passionfruit/find | TBA |
| "Searching for SQLite Databases" | passionfruit/find | TBA |
| "Dump the keyboard cache file" | strings/rabin2/etc | TBA |
| "Getting snapshot files" | objection/shell ls Library/Caches/Snapshots/ | TBA |
| "bypass insecure biometric authentication" | objection ios ui biometrics_bypass | TBA |
| "Performing URL Requests" | use Frida `openURL()` as we describe | YES |
| "bypass non-specific jailbreak detection" | objection ios jailbreak disable/simulate | TBA |
| "Data Protection Class verification" (requires FileDP tool) | objection ls | TBA |

Suggestions:

I'm afraid that if someone reads "Testing Local Data Storage (MSTG-STORAGE-1 and MSTG-STORAGE-2)" and wants to perform the tests, I guess they can get quite annoyed, as the installation is not straightforward, might not even succeed, and who knows if some of the commands are still working. In contrast, using the alternatives, it will "just work" (and also for non-jailbroken devices).

Reference list of all needle modules: https://github.com/mwrlabs/needle/wiki/Feature-List

commjoen commented 5 years ago

Good research @cpholguera! Well done! Maybe, in the meantime, as step 0: explain that we have to use unc0ver as a JB instead of Chimera, show the "odd steps" and then execute step 1 :). Because that is already quite a huge step :).

cpholguera commented 5 years ago

Thank you! I agree. That's a good zero step ;)

commjoen commented 5 years ago

So maybe we can start doing step 0 in this issue, then have another issue with step 1/2 and then another issue with step 3 :) ?

sushi2k commented 5 years ago

That's a good plan. Let's just suggest for now the usage of unc0ver and that there are issues with Chimera and do the rest with 1.3 milestone.

See https://github.com/OWASP/owasp-mstg/pull/1411

commjoen commented 5 years ago

Step 0 completed in #1411.

cpholguera commented 4 years ago

See suggestion from https://github.com/OWASP/owasp-mstg/pull/1481

kysokzla commented 4 years ago

Hey guys, what should be done to close this milestone? I've used needle and objection a lot; also, we have modified it a lot.

commjoen commented 4 years ago

Good point @kysokzla! Let's reiterate on this on Slack soon ;-)

commjoen commented 4 years ago

Meeting notes: we will pick up this issue later at the next milestone, not during the 1.2 release now, because it does work on iOS 11/12 partially but requires using the right JB. We will evaluate the tools again at the next more intensive collaboration session (e.g. summit or alike).

kysokzla commented 4 years ago

@commjoen I'll try to do my research

sushi2k commented 4 years ago

So Needle is not maintained anymore. The Cydia repo is down and even MWR is suggesting to use objection:

https://github.com/FSecureLABS/needle/issues/277