- Rooted Android device or emulator without Play Store
- Proxyman
- Frida
- Signal-Android apk
- Pixel 6 API 35 - Android 8.0 x86
- Signal-Android-website-prod-universal-release-7.25.0.apk
- frida-server-16.5.7-android-x86
```bash
pip install frida-tools
```
- Export Proxyman certificate
  - Certificate > Export > Root Certificate as DER > Save as `cert-der-proxyman.crt`
- Drag and drop `cert-der-proxyman.crt` into emulator
  - Install in settings `CA Certificates`.
- Drag and drop `Signal-Android APK` into emulator to install
- Send frida-server to device
  - `adb shell getprop ro.product.cpu.abi` to get arch
```bash
adb push frida-server-16.5.7-android-x86 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
```
- Set proxy hostname and proxy port in Android

In `/frida-interception-and-unpinning/config.js`:
- Set `CERT_PEM` to content of `cert-der-proxyman.crt`
- Set `PROXY_HOST` and `PROXY_PORT` to match Proxyman
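
Proxyman's DER export is a binary file, which the Android CA installer accepts, while `CERT_PEM` in `config.js` is a text value. The script below is an added example, not part of the original guide or of the frida-interception-and-unpinning project: it converts the exported file to PEM and prints it as an assignment. The function names, the `der_to_pem.py` filename and the template-literal form of the `CERT_PEM` line are assumptions.

```python
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Constructed 5-byte DER value (SEQUENCE { INTEGER 5 }), not a real certificate;
# it only exercises the framing check and the encoding.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def der_total_length(data: bytes) -> int:
    """Return the encoded size announced by the outer DER SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: first byte is not a SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the content length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_pem(data: bytes) -> str:
    """Accept certificate bytes in PEM or DER form and return PEM text."""
    text = data.strip()
    if text.startswith(PEM_HEADER):
        # Already PEM: decode it so the same framing check applies.
        der = ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    else:
        der = data
    if der_total_length(der) != len(der):
        raise ValueError("DER length field does not match the data size")
    return ssl.DER_cert_to_PEM_cert(der)


def config_js_line(pem: str) -> str:
    """Render a CERT_PEM assignment (assumed form: a JS template literal)."""
    return "const CERT_PEM = `" + pem.strip() + "`;"


if __name__ == "__main__":
    # Usage (hypothetical filename): python der_to_pem.py cert-der-proxyman.crt
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else SAMPLE_DER
    print(config_js_line(to_pem(raw)))
```

A truncated or partially copied export fails the length check instead of producing a PEM block that the hook scripts would later reject.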
Disable SSL pinning for Signal-Android to view decrypted HTTPS packages and log websocket data
- Open Proxyman
- Run
```bash
emulator -avd Pixel_6_API_35
```

Start frida-server
```bash
adb root
adb shell /data/local/tmp/frida-server
```

Execute scripts using frida-server
- Get Signal identifier
```bash
frida-ps -Ua
```
```bash
frida -U \
  -l ./frida-interception-and-unpinning/config.js \
  -l ./frida-interception-and-unpinning/native-connect-hook.js \
  -l ./frida-interception-and-unpinning/native-tls-hook.js \
  -l ./frida-interception-and-unpinning/android/android-proxy-override.js \
  -l ./frida-interception-and-unpinning/android/android-system-certificate-injection.js \
  -l ./frida-interception-and-unpinning/android/android-certificate-unpinning.js \
  -l ./frida-interception-and-unpinning/android/android-certificate-unpinning-fallback.js \
  -l ./scripts/android/android-hook_websocket.js \
  -f org.thoughtcrime.securesms
```
Proxyman shows decrypted HTTPS request/response
- Get websocket log from Android device
```bash
adb pull /storage/emulated/0/signal-websocket.log .
```