Needle

The iOS Security Testing Framework.

Update: 5 October 2019

Today we would like to formally announce the deprecation of Needle. The main reason for this decision is the changes in iOS, and in how it can be pentested, since Needle's first introduction.

There are two components to Needle: the server-side IPA file and the client-side Python client. The Needle server relies on APIs that, up until iOS 10, allowed applications to list what other applications were installed on the iOS device. Starting with iOS 11, this API was restricted to applications that had a specific entitlement, which required the application to be signed by Apple.

Needle was originally built to rely heavily on this API to list the installed applications and index each list item in an internal database. Without the ability to list all applications on the device, Needle would no longer work consistently on a device running iOS 11 and up.

While there are many workarounds to this issue, they are workarounds and not fixes. It was deemed that the only way to permanently ensure that Needle works on all iOS versions was to completely rewrite Needle from the ground up. This can be done, but the mobile security field has already embraced Frida for its mobile security needs.

Needle also contains some Frida scripts that could be used independently of Needle. These scripts can be located at '/needle/modules/hooking/frida'.

Objection (https://github.com/sensepost/objection) was found to be a good alternative to Needle. Some members of F-Secure Labs' mobile security team have contributed to the Objection project.

Needle will remain open source and can be installed locally, as long as you have a macOS computer.

  • The source code for the Needle Agent application can be found here: https://github.com/FSecureLABS/needle-agent
  • After downloading the source code, compile using Xcode and install via your favorite side loading method (such as Cydia Impactor)
  • Run the Needle client as normal

------------------------------------------------------------------------------------------------------

Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases; however, iOS does not have an equivalent.

Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of Python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device.

With the release of Needle v1.0.0, we provided a major overhaul of its core and the introduction of a new native agent, written entirely in Objective-C. The new NeedleAgent is an open source iOS app complementary to Needle, that will allow it to programmatically perform tasks natively on the device, eliminating the need for third party tools.

The agent, already available for download on Cydia, will (over time) allow Needle to:

  • Provide transparent support for iOS 10 and future versions
  • Remove all dependencies required now
  • Provide a platform that will enable security testing on non-jailbroken devices

Get Needle

Needle is open source software maintained by MWR InfoSecurity, released under a 3-clause BSD license, and can be freely downloaded from GitHub.

Resources