Press Release

‘Needle’ Used to Discover Issues Within iOS Applications

News

MWR InfoSecurity will be demonstrating Needle – its open source modular framework for conducting security assessments of iOS applications

MWR's Marco Lancini will be presenting at OWASP’s 13th Annual AppSecUSA Security Conference in Washington on Friday October 14th and Black Hat Europe Arsenal in London, on Thursday November 3rd. The session will include the tool's architecture, capabilities and roadmap as well as demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided).

Marco Lancini, Security Consultant at MWR and developer of Needle, explains:

“Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like ‘drozer’ that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases, however iOS did not have an equivalent. Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of python scripts.”

Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device. The tool's architecture, capabilities and roadmap will be described.

Marco will also be using Needle as part of his two-day workshop at DeepSec in Vienna. The exercise-driven training course uses detailed tutorials to guide attendees through all the steps necessary to exploit a real iOS application, and in the process, provide an understanding of the modern attacker's mind-set and capabilities. Anyone interested can register to attend here: https://www.mwrinfosecurity.com/events/deepsec-2016/

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.