The latest two releases of Needle focused on features essential for integrating it into a CI pipeline.

  • Needle v1.1.0 introduced automatic issue detection: modules now automatically detect and keep track of issues in the target app. All issues are stored in an SQLite database (named issues.db) in the chosen output directory.
  • Needle v1.2.0 introduced non-interactive mode: a new command line interface (needle-cli.py) makes it possible to script Needle completely.

These two features made it possible to create the PoC below, where Needle has been integrated with Jenkins.

PoC

  • Connect a jailbroken iDevice to the machine running Jenkins (either via USB or WiFi) and start the Needle agent (see the Quick Start Guide for details)

  • Create a new Jenkins project:

Image: Jenkins Project.

  • Add an “Execute Shell” step under the Build process:

Image: Execute Shell Script.

First, run Needle in non-interactive mode, specifying the output folder, the target app, and all the modules you want executed (see Non-Interactive mode on the Wiki for a full list of options):

python ~/needle/needle/needle-cli.py \
        -g OUTPUT_FOLDER=/tmp/needle/ \
        -g SKIP_OUTPUT_FOLDER_CHECK=True \
        -g APP=mwr.ios.dvia \
        -m binary/info/metadata \
        -m binary/info/compilation_checks

As a quick PoC, the “issues.db” database can be checked for the presence of vulnerabilities: if any are found, the build is marked as failed. Note that more complex logic could be used to determine whether the build should fail.

issues=$(sqlite3 -batch /tmp/needle/issues.db "select * from issues")
if [ -n "$issues" ]; then
    echo "ISSUES IDENTIFIED";
    # Fail the build
    exit 1;
else
    echo "No Issues Identified";
fi

  • When a build is run, the shell script will kick in and run Needle against the target app:

Image: Run the build.
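One form the "more complex logic" for the issues.db check could take, written for this page as an added example and not part of Needle or the original PoC: a gate that fails closed when the database or the issues table is missing (the plain sqlite3 check returns empty output in that case and passes the build) and that compares the issue count against an accepted baseline. Only the table name `issues` comes from the query above; the script name gate.py, the `baseline` parameter and the exit codes are assumptions.

```python
#!/usr/bin/env python
"""Fail-closed build gate over Needle's issues.db (added example)."""
import os
import sqlite3
import sys


def count_issues(db_path):
    """Return the number of rows in the `issues` table.

    Raises RuntimeError when the database or table is missing, so a Needle
    run that never produced results cannot be mistaken for a clean scan.
    """
    if not os.path.isfile(db_path):
        raise RuntimeError("no database at %s (did Needle run?)" % db_path)
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM issues").fetchone()[0]
    except sqlite3.Error as exc:
        # Covers a missing table, a corrupt file, or a non-SQLite file.
        raise RuntimeError("cannot read issues from %s: %s" % (db_path, exc))
    finally:
        conn.close()


def gate(db_path, baseline=0):
    """Return a shell exit code: 0 pass, 1 new issues, 2 scan unusable.

    `baseline` (hypothetical parameter) is the number of already accepted
    issues; only a count above it fails the build.
    """
    try:
        found = count_issues(db_path)
    except RuntimeError as exc:
        print("GATE ERROR: %s" % exc)
        return 2
    if found > baseline:
        print("ISSUES IDENTIFIED: %d (accepted baseline: %d)" % (found, baseline))
        return 1
    print("No new issues: %d (accepted baseline: %d)" % (found, baseline))
    return 0


if __name__ == "__main__":
    # Usage in the Execute Shell step: python gate.py [issues.db] [baseline]
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/needle/issues.db"
    accepted = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    sys.exit(gate(path, accepted))
```

Any non-zero exit code marks the Jenkins build as failed, so both new issues (1) and an unusable scan (2) stop the pipeline.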