
[iOS11] list_apps fails #242

Open
GrahamM opened this issue Mar 14, 2018 · 23 comments

Comments

@GrahamM

GrahamM commented Mar 14, 2018

Issue

Expected behaviour

Target app wizard returns apps to be targeted

Actual behaviour

Target app wizard returns nothing.

Steps to reproduce

  1. Run a module, and allow the target app wizard to run.

needle error logs

[needle][strings] > run
[D] Setup local output folder: /root/.needle/output
[D] Setting up issues database...
[D] [DB] QUERY: CREATE TABLE IF NOT EXISTS issues (app TEXT, module TEXT, name TEXT, content TEXT, confidence TEXT, outfile TEXT)
[*] Checking connection with device...
[V] Connection not present, creating a new instance
[V] [AGENT] Connecting to agent (192.168.250.218:4444)...
[+] [AGENT] Successfully connected to agent (192.168.250.218:4444)...
[D] [AGENT] Executing command: os_version
[V] [SSH] Connecting (192.168.250.218:22)...
[+] [SSH] Connected (192.168.250.218:22)
[D] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[D] [REMOTE CMD] Remote Command: mkdir /var/root/needle/
[D] [AGENT] Executing command: os_version
[*] Target app not selected. Launching wizard...
[D] [AGENT] Executing command: list_apps
[+] Apps found:
[>][QUESTION] Please select a number: 

Environment

Needle Version

  • Framework (on your machine): 1.3.2
  • Agent (on your device): 1.0.5

Workstation Operating System

Kali 2018.1

Python Version

2.7.14+

Python Packages (pip freeze)

see https://gist.github.com/GrahamM/2738a6f312380fefef1d38f3596737bc

Device iOS Version

11.2

@whoot

whoot commented Mar 21, 2018

Can't reproduce. Works fine for me on iOS 11.0.3.
With "HIDE_SYSTEM_APPS = True" I get:

[needle][list_apps] > run
[*] Checking connection with device...
[+] Already connected to: 192.168.1.120
[D] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[*] Looking for apps...
[D] [AGENT] Executing command: list_apps
[+] Apps found:
		0 - org.coolstar.electra
		1 - com.highaltitudehacks.dvia

EDIT: Uhm... stupid question since you are using iOS 11.2: I don't think your device is jailbroken, is it?
=> "The only requirement in order to run Needle effectively is a jailbroken device."

@FernandoQuintero

FernandoQuintero commented Apr 12, 2018

Got the same problem, no apps found, running:
iDevice: iPad 11.0.2
Host: MacOSX 10.13.3

Python 2.7.14
needle 1.3.2
needle agent: 1.0.5

Jailbreak with Electra, and all the stuff APT Strict installed.

Any ideas?

@klmitchell2

klmitchell2 commented Apr 21, 2018

On iOS 11.1 (with Electra 1.0.4 jailbreak) list_apps returns no applications as well. Setting APP to a known bundle identifier returns [!] KeyError: 'com.Example.App'.

@klmitchell2

Update: Enabling tweaks in Electra 1.0.4 results in list_apps working as expected.

@whoot

whoot commented Apr 24, 2018

Close and resolved?

@peterfillmore

Worked out a fix for iOS 11.
iOS 11 has added an entitlement for list databases:
com.apple.private.coreservices.canmaplsdatabase

This needs to be added to the entitlements for the NeedleAgent.

My fix was to resign the application with that entitlement.
Here's the updated entitlement:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>U38MMB3T7J.mwr.needle.agent</string>
	<key>com.apple.developer.team-identifier</key>
	<string>U38MMB3T7J</string>
	<key>get-task-allow</key>
	<true/>
	<key>com.apple.private.coreservices.canmaplsdatabase</key>
	<true/>	
	<key>keychain-access-groups</key>
	<array>
		<string>U38MMB3T7J.mwr.needle.agent</string>
	</array>
</dict>
</plist>

Steps to fix

  1. Install jtool onto the device.

  2. Dump the current entitlements
    /Applications/NeedleAgent.app root# jtool.liberios -arch arm64 --ent ./NeedleAgent > ./NeedleAgent.ent

  3. Thin the binary to arm64
    jtool -e arch -arch arm64 ./NeedleAgent64

  4. Resign the thinned binary
    jtool.liberios --sign --ent NeedleAgent.ent --inplace ./NeedleAgent.arch_arm64

  5. Backup old agent file
    mv /Applications/NeedleAgent.app/NeedleAgent /Applications/NeedleAgent.app/NeedleAgent.backup

  6. Remove current agent
    rm -R /Applications/NeedleAgent.app/NeedleAgent

  7. Refresh the uicache
    uicache

  8. Copy resigned app over
    cp /Applications/NeedleAgent.app/NeedleAgent.arch_arm64 /Applications/NeedleAgent.app/NeedleAgent

  9. Refresh the cache again
    uicache
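Before resigning, it is worth checking the dumped entitlements file for the key the fix above depends on, rather than editing the plist by hand and discovering the omission only when list_apps is still empty. The script below is an added example, not code from needle or from the post above: it parses an entitlements plist with the standard library, reports which of the required keys are absent, and emits a patched XML plist with the key merged in while preserving the existing application-identifier and keychain-access-groups entries. The sample plist is constructed from the entitlements posted in this thread with the canmaplsdatabase key deliberately omitted; pass a path to a real jtool --ent dump as the first argument to check that instead.

```python
"""Verify a dumped NeedleAgent entitlements plist contains the entitlement the
thread identifies as required on iOS 11, and emit a patched plist if not.

Added example, not code from needle or from the post above. The sample plist
is constructed from the entitlements posted in the thread with the
canmaplsdatabase key deliberately omitted, so the check has something to report.
"""
import plistlib
import sys

# The entitlement the thread reports iOS 11.0-11.2 needs for list_apps.
REQUIRED_ENTITLEMENTS = {
    "com.apple.private.coreservices.canmaplsdatabase": True,
}

# Constructed sample: the posted entitlements without the new key.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>U38MMB3T7J.mwr.needle.agent</string>
    <key>com.apple.developer.team-identifier</key>
    <string>U38MMB3T7J</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>U38MMB3T7J.mwr.needle.agent</string>
    </array>
</dict>
</plist>
"""


def load_entitlements(plist_bytes):
    """Parse an entitlements plist (XML or binary) into a dict."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dictionary at the top level")
    return data


def missing_entitlements(entitlements, required=REQUIRED_ENTITLEMENTS):
    """Return the required keys that are absent or carry a different value."""
    return sorted(key for key, value in required.items()
                  if entitlements.get(key) != value)


def add_entitlements(plist_bytes, required=REQUIRED_ENTITLEMENTS):
    """Return a new XML plist with the required entitlements merged in.

    Existing keys (application-identifier, keychain-access-groups, ...) are
    preserved; only the required keys are added or corrected.
    """
    entitlements = load_entitlements(plist_bytes)
    entitlements.update(required)
    return plistlib.dumps(entitlements, fmt=plistlib.FMT_XML, sort_keys=False)


def main(argv):
    # Read a real dump from the path given, otherwise fall back to the sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            plist_bytes = fh.read()
    else:
        plist_bytes = SAMPLE_ENTITLEMENTS
    missing = missing_entitlements(load_entitlements(plist_bytes))
    if not missing:
        print("all required entitlements present")
        return 0
    print("missing entitlements: %s" % ", ".join(missing))
    sys.stdout.write(add_entitlements(plist_bytes).decode("utf-8"))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_entitlements.py NeedleAgent.ent` against the file produced in step 2; a non-zero exit code means the key was missing and the patched plist printed on stdout can be fed to the --sign step in place of the raw dump.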

@meetinthemiddle-be

meetinthemiddle-be commented Jul 24, 2018

I'm having the exact same issue; /device/list_apps module returns an empty list, but still asks for a number to input. Manually setting APP to com.publisher.appname results in a KeyError (to be expected as you're trying to access an index in an empty list). Enabling Tweaks in Electra does not solve the issue as it did for @klmitchell2.

Version info in my setup:

on iPhone 6+
iOS: 11.1.2
Electra: 11.0-11.1.2
Needle Agent: 1.0.5

On Kali 2018.2
Python 2.7.15
Needle : 1.3.2

Any suggestions besides using the jtool workaround? In any event, if the transition from iOS 10 to 11 were the culprit, it seems strange that some people on iOS 11 can get the list without resigning. @peterfillmore: I'd like to get your input on why this is an issue for some iOS 11 users but not all.

I started researching into the jtool workaround, but seem to run into a dead end there as well. "1. Install jtool onto the device" is already causing more questions than I can answer atm.

@marco-lancini
Contributor

@peterfillmore: resigning manually is not a viable option to consider. If that entitlement is really needed, we will have to release a new version of the Agent.

@peterfillmore, @meetinthemiddle-be: have you tried what was proposed by @klmitchell2?

Update: Enabling tweaks in Electra 1.0.4 results in list_apps working as expected.

@peterfillmore

peterfillmore commented Jul 26, 2018 via email

@marco-lancini
Contributor

@Yogehi: are you able to reproduce the issue/fix?

@meetinthemiddle-be

Like @peterfillmore , for me toggling Electra "tweaks" didn't produce different results for Needle.

Aside from this issue, it might be an idea to catch this condition (zero length app list).

Also, if one knows the UUID of the app, which one could figure out manually through SSH, would there be a way of using that string in the APP variable directly if the app list is unavailable, rather than using it as a key for that list that might not be there?

Above there also seems to be some confusion about whether it's the enabling or disabling of the tweaks feature that would fix the issue; for me it's neither.
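The two suggestions in the comment above (catch the zero-length app list instead of falling through to a bare KeyError, and accept a known UUID in APP directly when the list is unavailable) can be illustrated in code. The following is an added example, not needle's own code: a needle-style target selection that reports an empty list_apps result with a reason, rejects an unknown bundle id by naming the known ones, bounds-checks the wizard's numeric answer, and honours a hand-supplied data-container UUID only when the agent returned nothing. Function names and the sample app records are hypothetical; the UUIDs are constructed.

```python
"""Defensive target-app selection for a needle-style wizard.

Added example, not needle's own code. In the thread list_apps comes back
empty on some iOS 11 devices and setting APP then fails with a bare KeyError,
because the bundle id is used as a key into that empty mapping. This version
reports the empty list, rejects an unknown bundle id with the known ids, and
accepts a data-container UUID found by hand over SSH as a fallback when the
agent returned nothing. Function names and sample records are hypothetical.
"""
import re

# Data-container UUIDs use the canonical 8-4-4-4-12 hex layout.
UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.IGNORECASE)

# Constructed sample of a populated list_apps result: bundle id -> metadata.
# The UUIDs are made up.
SAMPLE_APPS = {
    "com.highaltitudehacks.dvia": {"uuid": "0A1B2C3D-1111-2222-3333-444455556666"},
    "org.coolstar.electra": {"uuid": "F0E1D2C3-AAAA-BBBB-CCCC-DDDDEEEEFFFF"},
}


class TargetSelectionError(Exception):
    """Raised with a human-readable reason instead of a bare KeyError."""


def menu_entries(apps):
    """Numbered (index, bundle_id) pairs in a stable order; empty if no apps."""
    return list(enumerate(sorted(apps)))


def choose_by_number(apps, answer):
    """Map the wizard's numeric answer to a bundle id, checking bounds."""
    entries = menu_entries(apps)
    if not entries:
        raise TargetSelectionError(
            "list_apps returned no installed apps; nothing to select")
    try:
        index = int(answer)
    except (TypeError, ValueError):
        raise TargetSelectionError(
            "expected a number between 0 and %d" % (len(entries) - 1))
    if not 0 <= index < len(entries):
        raise TargetSelectionError(
            "%d is out of range (0-%d)" % (index, len(entries) - 1))
    return entries[index][1]


def select_target_app(apps, bundle_id=None, manual_uuid=None):
    """Resolve (bundle_id, metadata) for the module to work on.

    apps         mapping bundle id -> metadata as list_apps would return it
    bundle_id    value of the APP option, if the user set one
    manual_uuid  data-container UUID supplied by hand; only honoured when the
                 agent returned no apps, so a typo cannot shadow real data
    """
    if apps:
        if bundle_id is None:
            raise TargetSelectionError(
                "no APP set; choose one of: " + ", ".join(sorted(apps)))
        if bundle_id not in apps:
            raise TargetSelectionError(
                "APP '%s' is not installed; known ids: %s"
                % (bundle_id, ", ".join(sorted(apps))))
        return bundle_id, apps[bundle_id]

    # Empty result: fall back to the manually supplied UUID if it is sane.
    if manual_uuid is None:
        raise TargetSelectionError(
            "list_apps returned no installed apps; check the jailbreak and "
            "agent entitlements, or supply the app's data UUID manually")
    if not UUID_RE.match(manual_uuid):
        raise TargetSelectionError("'%s' is not a valid app UUID" % manual_uuid)
    if bundle_id is None:
        raise TargetSelectionError("APP must be set when using a manual UUID")
    return bundle_id, {"uuid": manual_uuid.upper(), "source": "manual"}


if __name__ == "__main__":
    for apps, app, uuid in ((SAMPLE_APPS, "org.coolstar.electra", None),
                            ({}, "com.Example.App", None),
                            ({}, "com.Example.App", "0a1b2c3d-1111-2222-3333-444455556666")):
        try:
            print(select_target_app(apps, app, uuid))
        except TargetSelectionError as err:
            print("[!] %s" % err)
```

The manual UUID is deliberately ignored while the agent returns a populated list, so that the normal path stays authoritative and a stale UUID left in the configuration cannot silently redirect a module to the wrong container.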

@Yogehi
Collaborator

Yogehi commented Aug 3, 2018

Update on this.

I'm still looking into how to resolve this. I agree that the additional entitlement should work. My issue right now is getting Xcode to allow me to compile Needle with the new entitlement.

I'll update this when I can.

@Yogehi
Collaborator

Yogehi commented Aug 7, 2018

Sooooooooo more bad news.

The 'com.apple.private.coreservices.canmaplsdatabase' entitlement does work on iOS 11.0-11.2.

It does NOT work on iOS 11.3.1.

@meetinthemiddle-be

If this is a limitation of Needle and it's documented, that's the way it is.

Is there still a possibility of just using the UUID in the APP variable directly without using the app list as a mapper between the two? This would be a workaround for the problem as this can be found out through SSH. We're already working with a rooted device to begin with so getting that value manually as a "plan B" seems acceptable to me.

@poldenais

Hi, this is an issue for me as well. I have the Electra jailbreak on iOS 11.3.1 and list apps returns nothing when I attempt to run modules.

@peterfillmore

peterfillmore commented Aug 17, 2018 via email

@poldenais

Device iOS Version with Electra JB

11.3.1

Expected behaviour

Target app wizard returns apps to be targeted

Actual behaviour

Target app wizard returns nothing.

Steps to reproduce

Run a module, and allow the target app wizard to run.
needle error logs

[needle] > use binary/info/metadata
[needle][metadata] > run
[D] Setup local output folder: /Users/paulnash/.needle/output
[?] Attention! The folder chosen to store local output is not empty: /Users/paulnash/.needle/output
[?] Do you want to back it up first?
[?] Y: the content will be archived in a different location, then the folder will be emptied
[?] N: no action will be taken (destination files might be overwritten in case of filename clash)
[y/n]: y
[V] Archiving local output folder: /Users/paulnash/.needle/output --> /Users/paulnash/.needle/backup/needle-output_2018-08-20-09:35:28
[D] Copying: /Users/paulnash/.needle/output -> /Users/paulnash/.needle/backup/needle-output_2018-08-20-09:35:28
[D] Deleting: /Users/paulnash/.needle/output
[D] Creating local output folder: /Users/paulnash/.needle/output
[D] Setting up issues database...
[D] [DB] QUERY: CREATE TABLE IF NOT EXISTS issues (app TEXT, module TEXT, name TEXT, content TEXT, confidence TEXT, outfile TEXT)
[D] Setting up issues database...
[D] [DB] QUERY: CREATE TABLE IF NOT EXISTS issues (app TEXT, module TEXT, name TEXT, content TEXT, confidence TEXT, outfile TEXT)
[*] Checking connection with device...
[V] Connection not present, creating a new instance
[D] Setting up USB port forwarding on port 2222
[D] [LOCAL CMD] Local Subprocess Command: /Users/paulnash/Downloads/needle-master/needle/libs/usbmuxd/tcprelay.py -t 22:2222
[D] [AGENT] Setting up port forwarding on port 4444
[V] [AGENT] Connecting to agent (127.0.0.1:4444)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4444)...
[D] [AGENT] Executing command: os_version
[V] [SSH] Connecting (127.0.0.1:2222)...
[+] [SSH] Connected (127.0.0.1:2222)
[D] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[D] [AGENT] Executing command: os_version
[*] Target app not selected. Launching wizard...
[D] [AGENT] Executing command: list_apps
[+] Apps found:
[>][QUESTION] Please select a number: 

Needle Version

Framework (on MacBook): 1.3.2
Agent (on iPad device): 1.0.5

Python Version

2.7

@poldenais

Hi, is anything else needed above? Thanks.

@Yogehi
Collaborator

Yogehi commented Sep 21, 2018

Hi everyone,

I had time to look into this today and I discovered that my iOS 11.3.1 device randomly started using the device/list_apps module just fine.

I took some other iOS 11 devices I had around me, played with them with different configurations, and came up with the following workaround to get needle working on iOS:

restart device and enter your passcode to unlock the device
wait 5 minutes
run electra with tweaks ON
if device/list_apps != work {
	restart device and enter your passcode to unlock the device
	wait 5 minutes
	run electra with tweaks OFF
	restart device and enter your passcode to unlock the device
	wait 5 minutes
	run electra with tweaks ON
}

I can confirm this worked for the following:

  • iPhone 7s running iOS 11.3.1
  • iPhone 6s running iOS 11.1.1
  • iPhone 6 running iOS 11.3.1

Could other people who are still having issues try this for me please?

@poldenais

Hi @Yogehi,
I had the list apps problem but now it is working and the apps on the device are being listed. But when I choose an option, I get the following now.

Device iOS Version with Electra JB

11.3.1

[?] Resetting connection to device...
[V] [AGENT] Connecting to agent (127.0.0.1:4444)...
[+] [AGENT] Successfully connected to agent (127.0.0.1:4444)...
[V] [SSH] Connecting (127.0.0.1:2222)...
[+] [SSH] Connected (127.0.0.1:2222)
[?] Rerunning last command...
[!] sh: lipo: command not found

@marco-lancini
Contributor

@poldenais, from your error I can say that lipo has not been installed on your device.

@poldenais

poldenais commented Oct 11, 2018

@marco-lancini thanks Marco, I got that sorted now and installed Darwin CC again. My jailbreak wasn't right. Still getting [!] sh: open: command not found on some commands, though.

@milo991

milo991 commented May 21, 2019

I'm having the same issue with list_apps coming back blank on iOS 11.2.1 with Electra. I've tried disabling / re-enabling tweaks on Electra but it's still not working.

Can get a shell through needle but can't run many modules at all.
