The iOS Security Testing Framework. Needle is the MWR's iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.
The release of version 1.0.0 provided a major overhaul of its core and the introduction of a new native agent, written entirely in Objective-C. The new NeedleAgent is an open source iOS app complementary to Needle, that allows to programmatically perform tasks natively on the device, eliminating the need for third party tools.
Needle has been presented at and used by workshops in various international conferences like Black Hat USA/EU, OWASP AppSec and DEEPSEC. It was also included by ToolsWatch in the shortlist for the Top Security Tools of 2016, and it is featured in the OWASP Mobile Testing Guide.

The Offensive iOS Exploitation workshop is an exercise-driven training course that uses detailed tutorials to guide the attendees through all the steps necessary to exploit a real iOS application, and in the process, provide them an understanding of the modern attacker's mind-set and capabilities. The course cover iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. In addition, this workshop use MWR's newly released "Needle" to identify and exploit all the common mobile application security flaws, over and above the OWASP Mobile Top Ten.
At its conclusion, it will have imparted the information necessary to develop secure and robust applications. Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.

Technical Reviewer of the security-related chapters of the "500 Lines or Less" book.

Technical Reviewer in the peer review process of some IEEE Journals (i.e., 'Transactions on Emerging Topics in Computing (TETCSI)').

AndroRAT++ is a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-know RAT application (AndroRAT). The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information, and using the device for malicious purposes. The attacker can also attempt to escalate his privileges in order to gain complete access to the device's resources. An exploit kit has been embedded in the source code of AndroRAT++: the attacker can then silently obtain root privileges and, therefore, complete access to the device.

As first contribution to the OWASP Project, I was assigned to team responsible for the translation of the Top 10 2013 in Italian.

We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.