
Ghost in the Droid - Josh Wright

BSides Boston · 51:16 · 198 views · Published 2017-05
About this talk
Ghost detection apps take many forms in the Google Play store, with an active social media community sharing screenshots, energy disturbance levels, and recorded audio and video for ethereal detection events. But what exactly do these apps do? How does an Android phone detect supernatural phenomena through EMF readings, ghost radar, visual observation, or ghost radio? Can it be explained, or do the answers lie beyond our realm of understanding? In this talk, I'll show you how I found these answers, demonstrating techniques for more efficient Android application analysis, and how you can get better at reverse engineering Android applications for security analysis.
Transcript (en)

All right, welcome everybody. I think it's time for me to start. I'm so glad you guys are here, thank you so much for coming. My name is Joshua Wright, I'm a senior instructor with the SANS Institute. I've been teaching with SANS for about 13 years now. I've written the classes on mobile hacking, wireless hacking and a bunch of other things, but frankly I teach for SANS so much because I love the opportunity to get up and speak to people about my favorite subjects, and this is a topic that I have really enjoyed working on, a project that I really enjoyed. And you know, I've got a couple of goals coming into this today. I said, you know, I have an opportunity to speak in front of BSides. I was born in Massachusetts, I've since transported to Rhode Island, I'll always be a transplant, and now Massachusetts people don't like me either, but I feel like I'm home here. Like, I like this place, and I love Boston, and you know, I love BSides, everything that it stands for, everything that it serves the community to do. And I thought, you know, I want to do a couple things here. Number one on my agenda today is to entertain you. I want you to laugh, I want you to enjoy this presentation, I want you to think back and say, man, I really learned a lot and I really had fun, and I know I could do both together. So that's really what I'm hoping: I want you to laugh and enjoy this presentation, and I'm hoping that you leave here with some skills that you might not have known before.

So this presentation is called Ghost in the Droid, and it started last year when I started doing some Android application analysis in our office. I've been doing that for several years, but I wanted to get much better at Android app analysis. And you know, customers come to me and they bring their applications and I do work on that, and that's great, but I really wanted to get remarkably better at app analysis. So I came up with this project idea, and it helps if I plug this little stick in, okay. I was watching a TV show with my daughter called A Haunting. She loves all these TV shows; they've seen A Haunting before this, there's all these TV shows on like Discovery Network and it's about haunted places and things like that. And I learned about this thing called a ghost box, which I had never heard of before. So I, you know, stole this clip, totally, okay, so I thought I would play it for you so you can see what I saw.

[Video clip] But one evening Darren has a lapse in judgment. He ignores Stephen's warning and downloads a ghost box. My cousin had passed away and I was a little upset. I downloaded this app on my phone and I don't think you... Not only had... Whatever. Is there anybody here? Talk to me. Hi. [Music] Only one person in the world called me Baldy, and it was him. Watch the vid, jumps down, ready. [Music]

All right, so I watched that video and I couldn't believe that there's a thing called a ghost box app. Okay, so yes, there are hundreds of apps in the Android marketplace that claim to detect the presence of the supernatural, that have all these capabilities to detect ghosts. So I came up with this idea: I'm going to spend $200 on crappy Android applications. I'm not going to get anything that's free, I'm only going to get stuff that is actually marketed as pro ghost detection, and I want to evaluate what they really do by reverse engineering all these apps. And they fell into four categories: electromagnetic frequency analysis tools; electronic voice phenomenon, or EVP, tools; ghost radar and visual identification; and ghost communication tools. And then for all these apps I would use them in areas that I thought would be the most likely where I would experience the supernatural: in cemeteries late at night, in a cabin in the woods, you get the idea. Okay, and so I used all these apps and then I reverse engineered them to find out, you know, are these apps really doing what they claimed, or are they full of crap? Okay, and these are the five apps that I chose here. They range between $1 and $30 for these applications, again only the apps that were pro in genuine ghost detection, nothing that was meant for entertainment.

So we're going to talk about these five apps that I pulled apart and what I learned in the process. The first app that I looked at is an app called The Ghost Hunter. This is published by Intel attack, it was 99 cents, 3.6 stars, 10 to 50,000 downloads. It is your all-in-one, go-to ghost detection app. It does EMF scanning, electronic voice phenomenon analysis, visual decoding, and it even has a spirit board, which is a category I didn't even cover. I love the reviews; you read these reviews and I think they're fascinating. Julie gave this app a four-star rating: "I use a lot of ghost hunting apps. I have tested my phone against the equipment used by pros and it works. I could tell a fake app when I see it." Well, Julie, I don't really know if that's true.

Okay, so this is what the app does. The app has, like, electromagnetic frequency detection where it records these X, Y and, you know, that's supposed to be Z, I think that's a typo, I'm not really sure. Okay, it's got this, like, histogram thing. It even gives you a Google map with ghost locations where hauntings have been reported to have happened, which frankly I found rather useful; I kind of liked that, that was the only useful thing here. Okay, so I took a little video of what this application does and I wanted to show you. This is what it does. Now I want you to watch closely, because there may be evidence of ghost activity here. Okay, so, well, I'll show you now that it makes... and it's scanning again. Now watch closely: green is no ghost, but red, red is warning. Did you see it? Oh, the spectral phenomenon right there! Those are ghosts, ladies and gentlemen, and you can see on the graph, those are ghosts that are being reported at the moment, and this is what this application does.

Okay, so on my rooted Android device I connected over a USB cable with debug mode turned on, and I used the Android Debug Bridge tool that comes with the development tools to identify what the app name was, and then I downloaded it from my Android device. So now I have the Android APK. You can just go to apkmonk.com and download any APK you want, including this one. It's a little on the sketchy side because they do sell it, but you know, if it's for research, I'm sure that's okay. Okay, now APK files are just zip files, you just unzip them. And so I unzipped this file and I see all these things like, you know, layout, audio main 2 XML, audio recorder, draw XML, EMF XML, and these are all the application activities in Android, which are the screens in Android. And then a whole bunch of these images: red scan 1, red scan 2, red scan 2, red scan 21, tons and tons of different graphic images. So I'm like, oh well, that looks interesting, what's going on with that? And then I opened up Explorer and I realized the app is just eight static images of white blobs that are actual ghosts. Okay, and that's... that's all it does. And then when you look at the source code, it does a bunch of random number generation here, and the random number generator says things like, you know, generate a random number that's between zero and ten; if it's less than four then it's going to be green, but then do another random number, and if it's zero to 100, if it's greater than 70 then it's a ghostly image and it draws that. So, you know, about thirty percent of the time you're going to get ghosts out of the experience. So, you know, looking at this I'm going to say this is busted. I'm going to say this is not actually doing any ghost detection activity. This is just not cool, it's just a bunch of static images, random numbers. No, I'm just going to go with this is not okay. So I cross that off.

The next app I looked at is Joe's Ghost Box. Okay, now Joe's Ghost Box is written by a guy named Steve Holt, who is apparently one of the original Joe's disciples. Now Joe was well known in the ghost hunting field; he actually produced, not an app, but a real electronic device in like a beige kind of box that looks almost exactly like that, and then you would tune it and adjust the speed, and it was electronic voice phenomenon analysis where it would pick up spectral activity out of the airwaves and then play it on the speaker, and then you could hear what the ghosts were saying to you. This was $1.11, 65 ratings, 5,000 downloads. I loved iflores's comment here: "I was just looking at my dad's picture in my head, telling him that I missed him. Then on my third try using the app I hear 'I love you too' in Spanish, which is the language he spoke. Clearly there's a connection there." Okay, so clearly, you know, that's what's going on. So this is an app you can get for Android where you can install it and then get this kind of activity.

So the app is very simple. That's good old Joe, who's now sadly departed from us, his little bust up there at the top. But in the application here you just turn it on and it starts playing audio, and it claims to decode audio; it extracts that electronic voice phenomenon information, it's getting this audio from somewhere, you control the speed of playback, and then you can ask it questions and then it responds with an answer. Okay, so you know, I downloaded this application and I'm taking a look at it here, and it looks just like this, and I took a little audio recording and I want you to hear what I heard on this. [Audio plays] Make it faster. And that's all it does.

Okay, so people listen to the application and then they strain to hear some message, and they ask questions and they listen for responses to try to find out, is this app really communicating with the dead? And sometimes they hear things, like iflores here. Okay, so again with this application, it's just an APK file, so I unzipped it, and interestingly there were 14,000 MP3 files embedded in this application. And I thought, that's curious, isn't it? That's interesting. So then I looked at the source code and I saw code like this. There's a try block, and what it does is it generates a new random value based off of the number of songs that are registered, like between 0 and 14,000, and then it chooses a random value and then it plays that value and then it initializes the counter. All it does is play random one-second clips over and over and over again, and you can make it play faster or slower, but because there's so many clips it doesn't really ever sound like the same experience twice. You're very unlikely to decode one specific sound repeating multiple times, or if you are able to do that, you'll likely attribute it to some kind of ghostly activity. Now I have a... I don't know, I'm going to call it a stroke of compassion here, and then I had a question that I wasn't sure I knew the answer to: can ghosts influence the random number generator on Android devices? I'm not really sure, but I'm going to call this plausible. I'm going to say that this could be the case. I'm not really positive, but I think this could be the real deal here. Okay.

All right, the third app I want to talk about is an app called the PSB7 Ghost Box application, and this is published by Luna Spirit Detection. It's $15. Okay, now as far as apps go, unless it's like Keno or something, you know, Final Cut, I don't pay $15 for mobile apps very often, okay. But, but, but I got this application, I downloaded it here, okay. It has 11 ratings, 2.9 stars. It's an EVP app and it claims to decode AM/FM radio frequency waves and it does noise cancellation. Now I'm getting all kinds of suspicious here, because I'm pretty sure my Android device does not have an AM/FM radio in it, yeah, and it's claiming to capture and decode AM/FM radio waves. I'm not saying that they couldn't be doing some magic SDR thing, but I'm getting a little doubtful here. Okay, Billy Allen here gave it a five-star rating, says: "I own a real PSB7. This is just the app version of it, and I was excited to compare this to mine. To my surprise they picked up nearly exactly the same readings. I highly recommend this app." Okay, I don't know what I have to say about the real PSB7. You know, they actually sell that, it's a hardware device, you can buy it on Amazon, I think it's like $400 or something, okay. So you can buy the real deal or you could just get this app for $15, and now it seems like a real bargain at this point.

So, so far we've been looking at applications where, you know, I unzip it and the answers just fell into my lap, okay. The first app had the ghostly images in it, the second app had the 15,000 MP3 files, and I showed you some source code associated with those apps, but I want to show you how to get at that source code so you can do the same kind of analysis. Sometimes unzipping an app is all you need to do, and then you look at preference files, XML files, image files. You unzip Pokémon Go and every Pokémon that ever exists is there, okay. Sometimes all it takes is an unzip and that's all you need, but there are other ways that we can do this as well. So with this app you just press the On button; that's the only functionality in this application. The instructions say tap On and then wait two to three minutes for calibration for best results. I'm like, okay, well, that seems like a big lie, but okay, I'm going to go with that.
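The unzip-and-look triage described above, as an added example that is not code from the talk or from any of the apps discussed: it builds a constructed APK-style zip in memory whose entries only mirror the kinds of files the talk found (layouts, a red-scan image series, a looping ghost.ogg, hundreds of one-second clips; every name is made up) and summarises it the way a first pass over a real APK would, before any decompiler is opened.

```python
"""Static triage of an APK by treating it as the zip file it is.
Added example for this page, not the talk's code; the sample APK is constructed."""
import io
import zipfile
from collections import Counter
from pathlib import PurePosixPath


def build_sample_apk() -> bytes:
    """Constructed stand-in for a 'ghost detection' APK. Every entry is made up;
    the names only resemble what the talk describes finding after an unzip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")            # Dalvik bytecode
        for name in ("emf", "audio_recorder", "draw"):         # one per screen
            z.writestr(f"res/layout/{name}.xml", "<LinearLayout/>")
        for i in range(1, 22):                                 # 'scan' image series
            z.writestr(f"res/drawable/redscan{i}.png", b"\x89PNG")
        z.writestr("res/raw/ghost.ogg", b"OggS" + b"\x00" * 64)  # the looped static
        for i in range(300):                                   # canned clips
            z.writestr(f"res/raw/clip{i:04d}.mp3", b"ID3")
    return buf.getvalue()


def triage_apk(data: bytes, bulk_threshold: int = 100) -> dict:
    """Summarise an APK without installing or running it.

    Returns counts by extension and by top-level directory, the full res/raw
    listing, and findings that deserve a closer look in the decompiled code."""
    by_ext: Counter = Counter()
    by_dir: Counter = Counter()
    raw: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            p = PurePosixPath(info.filename)
            by_ext[p.suffix.lower() or "(none)"] += 1
            by_dir[p.parts[0] if len(p.parts) > 1 else "(root)"] += 1
            if p.parts[:2] == ("res", "raw"):
                raw.append(info.filename)

    findings = []
    for ext in (".mp3", ".ogg", ".wav"):
        if by_ext[ext] >= bulk_threshold:
            findings.append(f"{by_ext[ext]} bundled {ext} files: 'live' audio is "
                            "probably played from canned clips")
    images = by_ext[".png"] + by_ext[".jpg"] + by_ext[".webp"]
    if images >= 20:
        findings.append(f"{images} bundled images: check whether 'detections' "
                        "are static art chosen at random")
    if by_dir["lib"] == 0 and by_ext[".dex"] > 0:
        findings.append("no lib/ native code: all logic is in classes.dex, "
                        "so a DEX decompiler recovers it")
    return {"by_ext": dict(by_ext), "by_dir": dict(by_dir),
            "raw": raw, "findings": findings}


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print(report["by_ext"], report["by_dir"])
    for line in report["findings"]:
        print("-", line)
```

The same function runs unchanged on a real APK read from disk; the thresholds are assumptions chosen for this example.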

All right: "The PSB7 will cancel out noise and AM/FM frequency waves, and it's proven to work on many accounts, and it's even featured on the Travel Channel." Oh, that's nice, okay. So I started taking a look at this app, and when you click the On button here, which I'm going to do in this video, you'll see what it does. Did you guys hear it? Listen to the ghost. [Audio plays] I let it run for two, three minutes; I'm not going to put you through that, but that's about all I heard. That was about the entirety of the response that I got from the PSB7 Ghost Box app.

So I started doing some reverse engineering. Now I wanted to talk about Android app compilation. If you're doing mobile application analysis, you don't have to be a programmer, and a lot of the students... I talk to a lot of people and they say, you know what, I'm just not a programmer. I think people, when they did computer science in college, had, you know, they were doing Pascal or, God forbid, Objective-C, and they just had a really bad experience, okay, and like, you know, a bubble sort: I just can't do that anymore. And people just eschew coding, and like, no, I'm not doing that. Okay, well, you don't have to be a coder to do app reverse engineering, but you need to be able to look at code. Okay, now what is involved with looking at code? Well, we're going to look at some tools, but even when you've got the source code, all that's involved in looking at code is a lot of Google and Stack Overflow, okay, and that's really... yes, okay. I'm convinced that the best programmers spend 90% of their day just looking stuff up on Stack Overflow. I'm convinced that's what programmers do, okay, that's what I do. You need to have some comfort and familiarity with the Android software development kit; you need to be able to understand what these different API calls do and how they actually function. But besides Googling things and a little bit of patience, you can understand code.

Now Android APK files are like Java JAR files, okay. Java JAR files are popular because, like, for instance, how many of you have run Burp Suite before? Okay, when you run Burp Suite, what platform do you run it on? Windows, Linux, Mac? Yes, because it's a JAR file and you have a Java runtime engine that will interpret that JAR file and turn it into executable code. Android apps are the same way. Most Android phones are ARM, but there's also MIPS and RISC and x86 Intel-based Android phones, and they're not using ARM processors, so there's all these different processor architectures. So programmers writing Android apps are not distributing apps compiled for a single platform, not very frequently, okay. What they're typically doing is writing the code in Java and then they compile it into an intermediary bytecode format called the Dalvik Executable, or DEX file, okay. A Dalvik Executable is essentially a Java JAR file, and you can use it with the Dalvik interpreter on an Android device whether it's ARM or x86 or some other kind of processor type. So this is very convenient for Android programmers: one programming language, Java, I compile my app and it runs on all these Android devices that exist out there. It's also very, very convenient for us doing reverse engineering. Like a Java JAR file, Android DEX files are not compiled for native processors, so there are reverse engineering tools where we can take this APK file, or the DEX file which is inside the APK file, open it up in a reverse engineering tool and then get source code. Sometimes the source code isn't perfect, but there's a great way for us to learn about these applications very quickly by understanding some of these tools.

Now historically the process is: you take an Android APK file that you download from the Google Play Store or apkmonk, or you get it from a rooted Android device; you run dex2jar on it, it converts it into a Java JAR file, and then you use JD-GUI to reverse engineer it. And that's been the classic Android reverse engineering device. I'm here to tell you to stop using JD-GUI. If you're using JD-GUI, just stop. dex2jar does not do a really great job converting from APK to JAR, and JD-GUI is not being maintained anymore. A far, far superior reverse engineering tool for Android is JADX. JADX, written by skylot; you don't even need dex2jar anymore. You just open up an APK file and now you have source code, right?

So this is the decompiled Ghost Box app. Literally all I did was take this PSB7 app, download it from my rooted device, and then I opened it up in JADX, and then I get source code that looks like this. On the left you can navigate to the different Android packages, and on the right there's Java code. Now the Java code is not perfect, but it is fairly readable, and we can look at this to try to understand what's going on in the application. So when I started looking at it, I started seeing things like this: MediaPlayer.create(this, R.raw.ghost). Now R in Android is a package which is a resource lookup. So all of those MP3 files in the Joe's Ghost Box application, all of that stuff, those are all resources, and R is a package name that's used to map resources that exist on the file system to how I can reference them programmatically. Okay, so R.raw, that's the raw directory, ghost. And I thought, well, what is R.raw.ghost and what does it have to do with a media player, right? So again I went back to unzipping my files, and I unzipped it, and in the raw directory is a ghost.ogg. Okay, and I was like, oh, ghost.ogg, let's... let's play ghost.ogg. [Audio plays]

Now I'll save you the extended experience, because there's nothing else to hear. It is literally a two-minute... a two-minute static OGG file, like an MP3 file, different compression format, that just loops over and over and over again. And it's $15 that people are selling this for, and yet it does just as well as the $400 version you can get on Amazon. So I'm going to call this one busted. I'm going to say this is not actually detecting ghosts here. I'm really not done with this application... did I mention $15? The next app is the Ghost Speaker app, and when I saw this app I was thrilled, because it was my first opportunity not just to hear from the supernatural but to communicate with the supernatural, and I could speak to the ghosts that are near me, okay. So in this application here, it's $3, 403 ratings. It is an EVP app, so it does electronic voice phenomenon again; claims to decode AM/FM radio frequency waves, noise cancellation, awesome, okay. But the thing that's so awesome is you type into this application and then it responds, so you can ask it questions and it will actually respond with different keywords and decode that from the electronic voice area. Joe gave it a five-star rating: "Got names at a cemetery, George for one. Turned around, was standing in front of a George's headstone. This app is real and can be manipulated by spirits." Okay.

So I was thrilled about this, so I was really excited to see what's going on here, okay. So with this application, the values are processed through what they call the speech translation software. You actually type in little questions here on the bottom; it calculates the energy of paranormal entities that might be projecting in the area. So I started talking with ghosts, and I said, you know, "Hello, it's me. I was wondering if after all these years you'd like to meet, okay, to go over everything. They say that time's supposed to heal ya," okay, and then it responded "loud," and I was like, oh, okay, "but I ain't done much healing." "Periwinkle oil." "Hello from the other side," okay, so it's an Adele song. All right, so it responds well to Adele, okay. So I thought, all right, well, what's going on with this application? I don't normally sing when I do this talk, okay.

So when I open this application, again I'm going back to JADX and I'm doing application source code reverse engineering. Here I opened up the APK file in JADX and I was a little disappointed. Normally when you get an Android application and you open it in a reverse engineering tool, you will get a lot of contextual information that helps you reverse engineer the data. Essentially the variable names, the package names, the class names, the method names that the programmer chose are embedded inside the application itself, so that is very useful to me, because now there's a variable called R.raw.ghost and that is the file that existed on the file system for the PSB7 application. But for this application it was a little different. When I opened the application I saw all of this stuff on the left: a, a, a, a, b, b, c, d, e, f, g, and then if you go into the g class there's something called abcdefghija, and then even inside of this code all the variables have names that aren't sensible anymore. Now some of the code is preserved: the actual method names like setAdapter, add, isDirectory, those actual API names cannot be removed, because they have to be present for the code to know what to do. But anything that can be uniquely selected by a programmer, variable names, method names, class names, package names, those are all obfuscated. When the developer wrote this application, before he distributed it, he turned on what's called an Android obfuscation tool. The Android obfuscator allows the programmer to still look at the source code and see all the original variable names, but when it compiles the app, all those original names go away, and this is designed to thwart reverse engineering. It's one of the things that we would recommend for our customers when we're doing an app assessment: if you're doing Android apps and you're not doing obfuscation, you should, because it makes it much harder to reverse engineer the code.

So here I have a whole bunch of code. This app was probably 15,000 lines of Java, okay, but it's all obfuscated, so now it's difficult for me to try to understand what's actually going on. So I needed to figure out a way where I could understand what's happening in this app, to find out, is it really detecting ghosts? Okay, so one of the great features of JADX is not just the GUI tool that we can use that gives us the interactive view to look at the source code, but also a command-line tool. Here I create a directory called ghostspeaker, and then I ran jadx -d ghostspeaker and then the APK file, and what that does is, instead of just showing me the decompiled code in the GUI, it takes all the code, decompiles all of it and then saves it in the directory tree that I've specified. Now this is super helpful if you're searching for strings: you decompile it, grep -r and then a string, or Select-String in PowerShell, or findstr from cmd.exe, whatever tool you like to use. Now you can search all of that content for a URL, for any string reference that might be interesting, things like that.

But I found an even better way to use this: you can actually take that decompiled code and import it right into Android Studio. Now Android Studio is not a hacking tool; Android Studio is the IDE that Google makes available for programmers to write Android apps. You would download Android Studio, install it on your system and start pounding out your code in Java right from Android Studio. But when we reverse engineer it, we can actually take the code and bring it right back into Android Studio from reverse engineering content. Now it's not perfect; you can't import into Android Studio, say compile, and then get the exact same application. That will never happen, the decompilers are not that good. But it's good enough where we'll import right into Android Studio and allow me to now start editing, annotating, renaming and refactoring what's going on inside the application, right. So here's Android Studio where I've now imported the application. Literally, in Android Studio it's File, Import Project, and then I just hit Next, Next, Next, Next, Next, Next, Finish. There might be one more Next in there, I'm never sure if it's five or six, but literally that's all I do, and now it's in Android Studio, okay. Now the great thing here is that we get syntax color highlighting, which is a little better than what you get in JADX, but we can edit this code, we can add our own comments, we can rename things, and we can start analyzing the application.

Now the code is still obfuscated, so it doesn't make a lot of sense yet, but I'm going to give you several recommendations now to turn the nonsensical into sensible, okay. My recommendation is to start small. The people that I talk to that say, I tried reverse engineering and I couldn't make heads or tails of it, it's because you go and you try to understand the big picture too quickly. When you're doing reverse engineering, your goal is to understand small pieces, a lot, okay. And then as you understand more and more small pieces, as you add comments that explain to yourself what this actually does, and you start renaming things, now it starts to make sense. That's what we reverse engineering analysts do. Nobody opens up a, you know, hex dump and says, blonde, brunette. Nobody does that. It's all understanding little pieces and then putting together all the little pieces to form a really big picture.

So what I did here was I started looking at these different variables. So for example, because it's obfuscated, you'll see variables like this: this.aF... I mean, this.afk, that's something else. Okay: this.aF = Secure.getString(getContentResolver(), ANDROID_ID). Okay, now what does getContentResolver actually do? I have no idea. But who knows? Google. But, but more to the point, Stack Overflow. No, okay, there is a reference out there: developer.android.com knows what that is, okay. So it returns a context for the activity, which is the screen that you're in; basically it's a way to refer to yourself in an open application, okay. And it's returning a constant string called ANDROID_ID. So what do you think, if the programmer were choosing that variable, he would have called it? Not this.aF, but what? Probably androidId, that would make more sense, and I can rename that variable. Now don't just type over this.aF: highlight it, right-click and go to Refactor, Rename, then enter the new name, stringAndroidId, because I know it's of type String, and now I think it's something related to Android ID. Why do you refactor instead of typing in the new name? Because Android Studio will rename every other reference to that variable at the same time, instead of you just typing over one and then seeing this.aF later and not even knowing if it's the same variable. Allow Android Studio to do that work for you: right-click, Refactor, Rename, this.aF becomes this.stringAndroidId, okay. Now it doesn't seem like much, it's just a little improvement in the source code, but when you do that a thousand times, it becomes much more legible, okay. So strings are always valuable to rename. Hey, also, logging messages are super valuable. Logging messages in code will often give you a hint as to what's going on.

Look at this code: this is private int b(), okay. I don't know what it does, and I have no idea what that is, okay. preferences.putInt, L count, okay, and it commits; catch Throwable, and here it is, Log.e, which means give me an error log, with the string "GhostSpeaker: update bad license count," okay. Now I don't know what this method really does, but by looking at the contextual string detail, now I can rename that. So instead of int b, now it's int setBadLicenseCount. Again: highlight, right-click, Refactor, Rename. Why are we doing that? Because every other place in the code that calls this method will now have the new name.
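The rename-by-context workflow described above (a logging string names a method, a recognisable API call names a field, a complex Android type names a variable), as an added Python helper that is not code from the talk or from the app: it runs over a constructed jadx-style snippet whose obfuscated names (g, aF, b, p, c) are made up, proposes names, and applies them with a plain whole-word replace, which, unlike Android Studio's Refactor > Rename, is not scope-aware.

```python
"""Harvest rename hints from obfuscated, decompiled Java.
Added example for this page, not the talk's code; the sample source is constructed."""
import re

# Constructed jadx-style output of an obfuscated class; every name here is made up.
SAMPLE_JAVA = """\
public class g {
    private String aF;
    private TextToSpeech p;
    private SharedPreferences.Editor c;

    public void a() {
        this.aF = Secure.getString(getContentResolver(), Secure.ANDROID_ID);
        b(3);
    }

    private int b(int i) {
        try {
            this.c.putInt("lcount", i).commit();
        } catch (Throwable th) {
            Log.e("GhostSpeaker", "update bad license count");
        }
        return i;
    }
}
"""

# A method whose name is one or two lowercase letters is assumed obfuscated.
METHOD_HEADER = re.compile(
    r"\b(?:public|private|protected)?\s*(?:static\s+)?[\w<>\[\]]+\s+([a-z]{1,2})\s*\([^)]*\)\s*\{")
# Log.e/d/i/v/w("TAG", "message"): the message is the hint.
LOG_CALL = re.compile(r'Log\.[edivw]\(\s*"[^"]*"\s*,\s*"([^"]*)"')
# Fields assigned straight from a recognisable API call (extend as you learn the app).
API_HINTS = [
    (re.compile(r"this\.([A-Za-z]{1,2})\s*=\s*Secure\.getString\([^;]*ANDROID_ID", re.I), "androidId"),
    (re.compile(r"this\.([A-Za-z]{1,2})\s*=\s*new\s+TextToSpeech\("), "textToSpeech"),
]
# Declarations of complex Android types with throwaway names.
TYPE_DECL = re.compile(r"\b(TextToSpeech|ImageButton|MediaPlayer|Handler)\s+([a-z]{1,2})\s*[;=]")


def camel(text: str, max_words: int = 5) -> str:
    """'update bad license count' -> 'updateBadLicenseCount'."""
    words = re.findall(r"[A-Za-z0-9]+", text)[:max_words]
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


def method_body(src: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for pos in range(open_brace, len(src)):
        if src[pos] == "{":
            depth += 1
        elif src[pos] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:pos]
    return src[open_brace + 1:]


def suggest_renames(src: str) -> dict:
    """Map obfuscated identifiers to names derived from surrounding context."""
    renames = {}
    for m in METHOD_HEADER.finditer(src):
        hit = LOG_CALL.search(method_body(src, m.end() - 1))
        if hit:
            renames[m.group(1)] = camel(hit.group(1))
    for pattern, name in API_HINTS:
        for m in pattern.finditer(src):
            renames[m.group(1)] = name
    for m in TYPE_DECL.finditer(src):
        renames.setdefault(m.group(2), m.group(1)[0].lower() + m.group(1)[1:])
    return renames


def apply_renames(src: str, renames: dict) -> str:
    """Whole-word textual rename. Not scope-aware: a one-letter name shared by two
    classes changes in both, so review the result rather than trusting it."""
    out = src
    for old, new in renames.items():
        out = re.sub(rf"\b{re.escape(old)}\b", new, out)
    return out


if __name__ == "__main__":
    hints = suggest_renames(SAMPLE_JAVA)
    for old, new in sorted(hints.items()):
        print(f"{old:>3} -> {new}")
    print(apply_renames(SAMPLE_JAVA, hints))
```

Pointed at a jadx -d output tree, the same functions give you a first list of candidate names to confirm one by one in Android Studio, which is where the scope-aware rename should actually be done.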

now the other methods I look at that have this name suddenly make a lot more sense because it's dealing with something relating to license management and license handling okay so you keep doing this process you keep going through okay now in Android we have a lot of what we call complex Android types there's simple types string and float things like that but there's also complex types things like a text-to-speech P image button Q okay now if you saw the variable P later you would have no idea what it means I don't know what it's used for but I can give it a much better name than P or Q so here I'll rename them just based off of

the complex object types that they are so instead of P and Q it becomes text-to-speech or image body and now again because I'm refactoring it I'm adding little contextual details just by making little tiny changes and now the whole code is starting to come together okay I saw this weird array that looked like this new byte array 20 ok and I looked at it and I went that's weird there's only 8 to there's only 19 variables here ok byte array 17 is missing out of this array of course you start at 0 goes to 19 but 17 is missing I didn't know what it was so I renamed it weird 20 byte array missing by 17 I have no idea what

it does but by doing that later I saw that reference and I saw other context and I went oh that's a sha-1 hash it just happened to have byte 17 as zero so it was omitted because it was compiled out because the optimizer said you don't need to set it it's already zero now stuff is starting to come together and now I see all these different fields and they make sense as we're going through it ok so I probably spent I don't know six hours doing that and I probably did it a lot more than I needed to but I got super excited about it because as I kept doing it and adding more pieces and every little change that you

make now the other stuff starts making sense to me and now this August gated application is no longer obfuscated now it's sensible and I can read it like any other Java code and then our sadducees code that looks like this okay and so I don't know what this why was I never really looked at it but mag filled reading equals float math dot square root sensor data two times sensor data two plus sensor data one and you know what is L dot n ldlr well it turns out that it's type magnetic field type orientation and type azimuth okay so looking at this code we see things that look like this this ghost speaker dot a equals mass

square root double of whatever sensor data to is time sensor data to and sensor data to is pitch which is I'm sorry's roll which is at rotation around the y axis plus sensor data 0 which is azimuth plus sensor data 1 which is the pitch all it's doing is it's getting the GPS coordinates from the phone and that's what it's using to make that little graph that says how far away the ghost is so as you're walking around in doing this you're changing the pitch the X the Y the azimuth and it's taking those values it's just multiplying them into some big number and that's how it's saying how far away the ghost is ok so I

started seeing code that looks like this: speakDictionaryWord, handler, integer i. Okay, and I was like, alright, what's that about? Okay, it looks like it has something called arrayOfDictionaryWords, okay, get size, keep adding arrayOfDictionaryWords, and then it uses something called TextToSpeech queue add. Android apps have a text-to-speech feature where it can actually speak words to you. Okay, and then I started seeing things like this, okay: this.arrayOfDictionaryWords.add a dictionary word, but more importantly, up here, open dictionary, okay, from getAssets, and I went, alright, this is not cool. Okay, what is this app doing? It has a file called dictionary, it randomly picks a word from that

dictionary and then speaks it to you using text-to-speech software. So this was definitely busted all over the place, and they tried to hide it from me, but there was a lot of interesting stuff that I learned about this. Let me see. So I grabbed the dictionary file here and it had a bunch of words that look like this: scream, headstone, sit... oh, that's not what I wanted. Oh, it... yeah, that's... I do love that image.

That's better, okay. Alright, so it has all these words in there. Hong Kong, fixed, semies, which I think is an anti-Semitic word, I'm not really sure, okay, I... I don't really know. I didn't mean that as a joke. I mean, it's probably like that because sometimes ghosts are angry, I mean, I don't know, but, you know, nothing. Okay. Danielle, Tourmaline, cabin, Jacob, okay. So, um, sorry, totally, yeah, George is totally in there, yeah, George is in there. So just to have a little fun with this I wrote an app, okay, a little Python script, and it uses the say command, which will speak any text from the command line, and it uses the scary voices that come with the say

command, and what it does is it picks four words and it just says them right in a row. Okay, and so, you know, just like this: thrust, master, blue, smoke, right? So you're like, you know, oh, you know, it's just like, uh-uh, no, I just... I just do this all day. So what, Lamberty, where is he? No, no, he's gone, okay. Alright, Lamberty is not here. Alright, so yeah, that's all, that's all this is, there's a little script to say those words. Okay, now the last app I analyzed is what is an online Ouija board application, though we Lakai ssin. This is published by red work board, it was $3.84. Converse with ghosts and

spirits right from your phone. How convenient, okay. MOOC test says: connected with the spirit named P. Naturally, this app should be strictly prohibited to cold-hearted users. That sentence doesn't really grok for me, but I'm just going to let that go. I couldn't sleep last night and I feel like I am possessed now. Okay, bye. Yeah, so I want that. Okay, so this app is actually using a little Ouija board, okay, so you actually type in with a little keyboard, okay, "what have you done", and then the planchette kind of animates and then it says "that's for me to know and for you to find out". Okay, and I love, like, the app authors. Now this

was again not a pretend app, this is not a game, this is professional ghost detection tools, for which they say no spirits were hurt during the involved development of this project. Okay, well, that's nice, okay, though it smells good, I'm glad about that. Now here's the thing: when you start this application you get this big splash page, Unity. Okay, now a lot of developers that are working on mobile applications don't want to make an Android app and an iOS app, so they go to one of the third-party app development platforms. Unity is a big one, PhoneGap is another one, Xamarin is Adobe's product, okay, and they have third-party platforms where you write the app in the third-party language and then you

say build Android, build iOS, and you maintain one app, but it spits out the application for all these different platforms. And Unity is one platform we see in lots and lots of mobile games; a developer can choose to write in Boo or C# or JavaScript and they produce an app that will then run on iOS or Android, right? So again this is an APK file, so I just unzipped it and I saw a bunch of files: AndroidManifest.xml, which is where you see permission declarations, things like that; classes.dex, this is the Android executable, but it's just a stub, all it does is launch the Unity runtime engine and then start to run the Unity application. The really

interesting stuff was in assets/bin/Data, that's in, like, shaders and textures and other graphics used for Unity applications, and also assets/bin/Data/Managed/Assembly*.dll. Yes, it's the time of the apocalypse, we're running DLLs on Android devices now, okay, the world's coming to an end. Okay, so these DLLs are installed with this application, but they're just interpreted by the Unity engine. Okay, now here's the good thing: Unity apps are not compiled. Again, if you're going to run on... you have to support x86 and MIPS and ARM and all these other processor types, so you can't distribute them as compiled code. Unity apps are what's called a CIL file, a Common Intermediate Language

format. I can never remember the acronym, okay, a Common Intermediate Language format, which is just like a Java JAR file but different. Okay, so fortunately this Ouija app was written in C#, so you can take a C# decompilation tool, which is also CIL based, an intermediate bytecode format like JAR files or DEX files, and the one I used is JetBrains dotPeek, and there are many others as well. You open up the file and now you have your source code. Now I'm not a C# programmer, I don't really know C#, I wrote a C# app a long time ago and I don't really remember any of it, but again, it's just Google. Once you understand the

fundamentals of programming: loops, variables, methods, parameters, overloads, classes, packages, it's all the same no matter what language, except Objective-C. Objective-C is where everything goes crazy, okay. Now if you know Objective-C, I'm sorry, because your life is worse for it, okay, it's just like, you know, it's just not a good time. But everything else is pretty sensible. Okay, so I started taking a look at this code and I saw something called the SpiritAI class, okay. In the SpiritAI class I saw code that looks like chatterBotFactory = new ChatterBotFactory, Pandorabots, ChatterBotFactory.create, Pandorabot, with some kind of a key that later became useful and I'm not gonna talk

about today. Okay, so, you know, little things like that. Okay, and then I started looking at the ChatterBotFactory code and I saw stuff that looks like this: ChatterBotFactory, new CleverBot, http://cleverbot.com, huh, jabberwacky.com, like, whoa, what? What is Cleverbot? What is Jabberwacky? And so I went there and it's like an AI bot, like you ask questions, you know, "is there a spirit present?" "There is always some spirit in the machine." "Are you a bot?" "I'm... you're a bot." It's just stupid, you know. So when you ask this Ouija board questions, it's just talking to a back-end web server, it's asking the AI the question and it's getting the response

back and showing it to you. But still, it was weird, because I asked questions like "are you a bot" and it says "I am NOT a ghost, I'm as real as you", and I went, that was not my question, that was weird, very strange. So I started digging in a little more, and the only thing it does is it has a function called replaceWords, and in replaceWords, if you ask it if it's a bot, it chooses spirit, ghost, psyche or soul as a response. Okay, they thought of everything, this is amazing, right? Like, wow, so much word, right. And then all it does is, you know, choose random words and send them back to you, and clearly this

is, uh, this is not ghost activity either.

Yeah, well, yes, I mean, you know, I mean, you know, you could see... to the gentleman's comment, right, if I could paraphrase, right, it's sending that conversation. We use this thing, like, you know, "Dad, I'm so sorry that I never confessed that, you know, you know, I killed the dog", like, you know, "I'm sorry, you know, I always feel guilty about it, you know, I used to, I used to always, you know, pee on the floor", I don't know, whatever. I'll be able to keep looking, Sasuke, whatever thing. What if the nerds can control the web server? One thing that's interesting is that, as far as I could tell, these are all HTTP based

transactions here. So, so yeah, there's all sorts of fun stuff, but like, imagine, like, the domain registration expired on Cleverbot, like, imagine the fun that you could have with that, right, and all the applications that use that, that would be so wonderful, like, I would quit my job just to do that full-time, like, I think that that would be amazing, think of the entertainment value. Okay, so I evaluated 20 different Android apps, and I can't talk about all of them, for signs of otherworldly experience. Okay, you know, obfuscated apps took me four plus hours, okay, you know, many apps took less than an hour, and what I came out with was 18 apps that were clearly

busted, two I was, like, feeling generous and I said plausible, mostly because, I don't know, ghosts control an Android random number generator, okay, and no confirmed, right. I wanted... I was hoping there would be some confirmed apps, I was really going to be thrilled about that, but no. Okay, so the question is, was this a colossal waste of my time? Okay, was this just, like, a complete fool's errand that I should not have done? And my answer is absolutely not. Okay, here's the critical things that I learned, that if you've paid attention to nothing else in this presentation, I want you to leave with these couple of facts. Okay, for Android apps, you can learn a lot just by

unzipping the APK. File system analysis revealed so many secrets to me in so many of these applications. Okay, secondly, JADX is a superior tool. Thank goodness for skylot and the open source community that makes tools like this possible. We use tools like Firefox on a regular basis, and what would we do without them? You know, we just take for granted that they're free, but they're amazing, and I'm so thankful that we have these tools available to us. Okay, using jadx-gui to browse the source, using the jadx command line and then searching with grep or Select-String or findstr, whatever you like to use. Android Studio is essential. With Android Studio, now I'm not looking at a read-only copy

of the code in JADX, I can edit it, I can annotate it, I can refactor and rename, even for code that's not obfuscated. Being able to put variables in there, or being able to put comments, "this function does this, I figured it out after an hour and I never want to forget that", having a way to edit and annotate is very, very useful. And finally, cross-platform app development frameworks, Unity, Xamarin, PhoneGap, things like that, they are not that much different, and you can attack those platforms as well, although the tools change a little bit with these different platforms. So how should you apply this, what do you do next?

Okay, how can you apply this kind of work? Here's a couple of things. Start evaluating your own apps. Patrick said to me, Josh, we're starting up the DC401 group again, presence around them from Rhode Island, okay, and so we're going to start doing that again, and I said here's what we're going to do: we're going to put ten apps, we're gonna put them on USB drives, throw them on the table, and then we're just going to tear them apart and find out what makes them tick. Okay, that is a really, really informative exercise, okay, just on itself: understand the APIs, how to do app analysis, how the tools work, and even just as importantly, how

the tools fail you. Write your own app. Okay, again, you don't have to be a programmer. I'm not a programmer. People would say, Josh, you're a programmer, and I say, no, I'm not, because it would be wrong to admit that, okay. I don't do it professionally, I can code, but it's just because I want to get something done. Okay, get an idea in your head. What other industry do you work in? Do you work in, you know, fashion or retail or healthcare? You know, do you have a passion for automotive, photography, or things like that? Find something that marries that together, that you love, that will motivate you, and write an app. It doesn't have to be complicated. Make an

IP subnet calculator that doesn't suck. I've never found one; when you make it, please let me know, okay. That will help you understand what programmers really do, and will make you a better analyst as well. Okay, become a better pen tester by building skills and putting them into action. I spent $200 on ghost box apps and I think it was well spent. Okay, none of the apps conclusively communicated with the dead, but file system analysis, reverse engineering, deobfuscation and third-party platform analysis gave me the answers that I was looking for. And I want to leave you with a message from our friend Darren here: "there's someone here with me, how are you

doing? Is that ghosts? Are you even putting up the mess around with stuff like that? We have a baby, get rid of it."

Thank you very much.
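The talk's first takeaway is that unzipping the APK and reading its file layout tells you a lot before you decompile anything: whether there is a real classes.dex or just a stub, whether a cross-platform framework such as Unity built the app, and which small assets (like the "dictionary" word list) are worth reading. The script below is an added example written for this page, not code from the speaker or from any of the apps he analyzed. It triages an APK purely from zip entry names and small text assets. The Unity path (assets/bin/Data/Managed/*.dll) is the one described in the talk; the Xamarin and Cordova markers are assumptions from general experience, and the sample APK is a constructed in-memory zip with dummy contents so the script runs offline.

```python
"""Triage an Android APK the way the talk describes: unzip it and let the
file layout tell you what built the app and where the interesting assets are.

Added example, not the talk's code. The sample APK is a constructed in-memory
zip imitating a Unity-built app; on a real file call triage_apk("app.apk").
"""
import io
import re
import zipfile

# Path patterns that reveal a cross-platform build framework. The Unity path is
# the one from the talk; the Xamarin and Cordova paths are assumptions from
# general experience, not from the talk.
FRAMEWORK_MARKERS = {
    "Unity": re.compile(r"^assets/bin/Data/Managed/[^/]+\.dll$"),
    "Xamarin": re.compile(r"^assemblies/[^/]+\.dll$"),
    "Cordova/PhoneGap": re.compile(r"^assets/www/cordova\.js$"),
}

# Assets small enough and plain enough to be a word list, config, or similar.
MAX_TEXT_ASSET_BYTES = 64 * 1024


def triage_entries(names):
    """Classify zip entry names; no file contents are needed for this step."""
    return {
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_files": sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n)),
        "frameworks": sorted(
            fw for fw, rx in FRAMEWORK_MARKERS.items() if any(rx.match(n) for n in names)
        ),
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        "assets": sorted(n for n in names if n.startswith("assets/") and not n.endswith("/")),
    }


def _looks_like_text(data):
    """Return the decoded text if data is printable UTF-8, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def triage_apk(apk):
    """apk is a path or file-like object. Returns the findings from
    triage_entries() plus, under 'text_assets', the lines of every small
    readable asset (the talk's 'dictionary' word list is the motivating case)."""
    with zipfile.ZipFile(apk) as zf:
        findings = triage_entries(zf.namelist())
        findings["text_assets"] = {}
        for name in findings["assets"]:
            if zf.getinfo(name).file_size > MAX_TEXT_ASSET_BYTES:
                continue
            text = _looks_like_text(zf.read(name))
            if text is not None:
                findings["text_assets"][name] = text.splitlines()
    return findings


def build_sample_apk():
    """Constructed stand-in for a Unity-built app; every file body is a dummy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00binary-xml-placeholder")
        zf.writestr("classes.dex", b"dex\n035\x00stub-that-launches-unity")
        zf.writestr("assets/bin/Data/Managed/Assembly-CSharp.dll", b"MZ\x90\x00cil-placeholder")
        zf.writestr("assets/bin/Data/Managed/UnityEngine.dll", b"MZ\x90\x00cil-placeholder")
        zf.writestr("assets/dictionary", "scream\nheadstone\ncabin\n")
        zf.writestr("lib/armeabi-v7a/libunity.so", b"\x7fELF-placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports a manifest, a single classes.dex, the Unity framework, one native library and the dictionary word list; the DLLs are listed under assets but skipped as text because they are not UTF-8. Once the framework is known, the next tool follows from it: JADX for the DEX, a CIL decompiler such as dotPeek for the Unity or Xamarin DLLs.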