There are two central problems that I faced with Slack:
1. Slack feels like I am developing in Eclipse, in a Windows VM, on an old Linux laptop. Where does all the bloat come from? It can't even have more than one channel open at a time!
2. In some cases, Slack can [force you to log out][SlackTimeout] after 12 hours, say. I understand why you would check that box as an IT admin, but I will show you that Slack is currently not enforcing this policy, and so I'd prefer to not be subject to it. 😼
## Good Slack Clients
The first problem is rather easy to solve, you simply use an alternative client. There are three options I am aware of:
- Using [WeeChat][] with the [WeeSlack][] plugin. I also recommend the [WeeEdit][] plugin to post multi line messages, especially for those code blocks. Finally, I use [WeeAutosort][] because the list of slack channels in WeeChat is a little confusing otherwise. This client is certainly your best option if your top priority is to go open source, to get it for free, or to use it on the command line. And it is a really good way to use Slack, too. I like it very much.
- You can use [Pidgin][] with the [slack-libpurple][SlackLibPurple] plugin. Unfortunately, I have to say that this works rather poorly and I mention it here only to be complete. I thoroughly recommend WeeChat if you are absolutely not willing to use a commercial and closed source program; it is better to use WeeChat with [WeeSlack][] in a terminal for Slack than to use the Pidgin plugin.
- If you are willing to pay $20 for your happiness, you should buy [Ripcord][] (Win/Linux/Mac supported). Even though it is in Alpha, it is the best Slack (and Discord!) client I have used. It supports Slack features in a more natural way because it is built specifically to do so, where in WeeChat some things may be awkward (inline images, navigating threads, etc). It is fast, has a low memory footprint, feels snappy, and gives you tabs for channels, DM's and threads. It is my weapon of choice.
[AndroidEmulator]: https://developer.android.com/studio/run/emulator
[AndroidEmulatorNetworking]: https://developer.android.com/studio/run/emulator-networking
[Ripcord]: https://cancel.fm/ripcord/
[MITMProxy]: https://mitmproxy.org/
[Pidgin]: https://pidgin.im/
[HAR]: https://en.wikipedia.org/wiki/HAR_(file_format)
[SlackLibPurple]: https://github.com/dylex/slack-libpurple
[WeeChat]: https://weechat.org/
[WeeSlack]: https://github.com/wee-slack/wee-slack
[WeeSlackSecure]: https://github.com/wee-slack/wee-slack#4-add-your-slack-api-keys
[SlackTimeout]: https://slack.com/intl/en-de/help/articles/115005223763-Manage-session-duration-?eu_nc=1
[SlackAPI]: https://api.slack.com/web
[SlackOverflow]: https://stackoverflow.com/questions/11012976/how-do-i-get-the-apk-of-an-installed-app-without-root-access
[NougatChanges]: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
[WeeEdit]: https://raw.githubusercontent.com/keith/edit-weechat/master/edit.py
[WeeAutosort]: https://raw.githubusercontent.com/de-vri-es/weechat-autosort/master/autosort.py
[WeeOTR]: https://raw.githubusercontent.com/mmb/weechat-otr/master/weechat_otr.py
## Loot Slack Tokens from Mobile
Now if you want to come along and get around periodic logouts in Slack with me, let's get started. So Slack be like
> For added security, you can limit how long your members are signed in to Slack on their desktop (we call this a session duration). When you set a session duration, your members will have to sign back in periodically.
But then Slack adds some small print like:
> **Note:** Session duration only applies to the Slack on the desktop app and in a web browser. With session duration turned on, members won't be signed out of their Slack mobile apps.
And well, it seemed to me that there is really [only one web API that handles all of these][SlackAPI]. And it uses tokens for authentication. And that sounded to me like I could just generate an immortal token on my mobile app and use that in any of the above clients to live happily ever after.
**TL/DR: Yea, that totally works.**
What I have *not* done is try to stuff that token into my browser cache and see if I can prevent the original Slack client from logging me out periodically. I didn't do that because I couldn't care less about the original Slack client, I can never go back to it after using [Ripcord][]. Once we have looted a token from mobile, it is _rather_ easy to use it with the alternative clients I listed above. Both [Pidgin][] and [WeeChat][]/[WeeSlack][] require a token to log in to Slack, and you can just give them the mobile token. With [Ripcord][] there's just a tiny bit of work involved, but I will get to that later.
Let's do the fun part first: Looting an immortal Slack token from the Slack mobile app! I am sure there are several ways to go about this, but I chose to use SSL MITM sniffing:
1. Install Slack in an [Android emulator][AndroidEmulator].
2. Log in to Slack.
3. Hook that emulator to a [MITMProxy][].
4. Sniff that Slack traffic as it logs in.
5. Loot. That. Token.
So yea, that works. I know that others were successful in extracting the token from the data stored by Slack on the Android device, but you need to have root for that. Here's a step by step guide for how I did it:
1. Install the emulator for sniffing **like this**:
sdkmanager emulator platform-tools tools "system-images;android-23;google_apis;x86_64"
avdmanager create avd --device "Nexus 5" -f -n C3PO -k "system-images;android-23;google_apis;x86_64"
android-23 API here because using a later image will make it unbearably hard for you to use [MITMProxy][]: [Starting with Android 7, user certificates are no longer trusted by apps][NougatChanges].
2. You can now run your emulator with emulator -avd C3PO, but it will not have a PlayStore.
3. You can get a Slack APK from some website that pretends to scrape the PlayStore, but I do not like that idea. To get a gem mint original copy of the latest Slack APK, I recommend installing a **second** emulator as follows:
sdkmanager "system-images;android-29;google_apis_playstore;x86_64"
avdmanager create avd --device "Nexus 5" -f -n R2D2 -k "system-images;android-29;google_apis_playstore;x86_64"
adb shell pm list packages -f | grep Slack
adb shell pm path com.Slack
adb pull that APK, push it to C3PO and install that sweet, fresh, original Slack. I have a little Python script that should do this for you automagically:
#!/usr/bin/env python3
import re, sys, subprocess as sp
query = subprocess.run(['adb', 'shell', 'pm', 'path', 'com.Slack'],
capture_output=True).stdout.decode(sys.stdout.encoding)
path = re.match('^package:(.*?/base.apk)\s*$', query).group(1)
subprocess.run(['adb', 'pull', path, 'slack.apk'])
xoxs-111111111111-222222222222-333333333333-baadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00d
xox[a-z]-\d{12}-\d{12}-\d{12}-[a-fA-F0-9]{64}
slack.har simply replace every occurrence of something that looks like a token with the one you looted. For example, you could do this:
token=xoxs-111111111111-222222222222-333333333333-baadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00d
sed -e "s/xox[a-z]\(-[0-9]\{12\}\)\{3\}-[a-fA-F0-9]\{64\}/$token/g" slack.har > slack.immortal.har
slack.immortal.har.
google_apis_playstorenot supported withandroid-23or why did you use two emulator instances?system-images;android-24;google_apis_playstore;x86.