Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Stop the security theater!
Search
Pratul Kalia
October 07, 2017
Programming
0
240
Stop the security theater!
Pratul Kalia
October 07, 2017
Tweet
Share
More Decks by Pratul Kalia
See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
19
Reldex: measuring the effectiveness of your app release process
pratul
0
8
Simplifying Software Estimation
pratul
1
190
Effective and efficient mobile engineering
pratul
0
150
Designing future-proof Android applications
pratul
0
140
Android - an introduction for developers
pratul
3
210
Semantic Content Repositories
pratul
1
110
How To Become A Hacker
pratul
3
300
Other Decks in Programming
See All in Programming
CSC509 Lecture 14
javiergs
PRO
0
130
htmxって知っていますか?次世代のHTML
hiro_ghap1
0
330
range over funcの使い道と非同期N+1リゾルバーの夢 / about a range over func
mackee
0
110
短期間での新規プロダクト開発における「コスパの良い」Goのテスト戦略」 / kamakura.go
n3xem
2
170
[JAWS-UG横浜 #76] イケてるアップデートを宇宙いち早く紹介するよ!
maroon1st
0
450
今からはじめるAndroidアプリ開発 2024 / DevFest 2024
star_zero
0
1k
良いユニットテストを書こう
mototakatsu
4
1.8k
数十万行のプロジェクトを Scala 2から3に完全移行した
xuwei_k
0
260
ブラウザ単体でmp4書き出すまで - muddy-web - 2024-12
yue4u
2
460
testcontainers のススメ
sgash708
1
120
今年のアップデートで振り返るCDKセキュリティのシフトレフト/2024-cdk-security-shift-left
tomoki10
0
190
Haze - Real time background blurring
chrisbanes
1
510
Featured
See All Featured
Statistics for Hackers
jakevdp
796
220k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Building an army of robots
kneath
302
44k
Rails Girls Zürich Keynote
gr2m
94
13k
Visualization
eitanlees
146
15k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Speed Design
sergeychernyshev
25
670
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
GraphQLとの向き合い方2022年版
quramy
44
13k
The Language of Interfaces
destraynor
154
24k
GitHub's CSS Performance
jonrohan
1030
460k
Transcript
Stop the security theater! pratul kalia @prxtl uncommon.is
“the practice of investing in countermeasures intended to provide the
feeling of improved security while doing little or nothing to achieve it.”
None
Cost-benefit analysis • Imperative to all security discussions • Security
of personal app vs business-critical app
Password rules are pointless • You’re not using a modern
password-hashing algorithm • Only length matters!
Do it right! • bcrypt • bcrypt • bcrypt whoops...
- zomato
Stop “inventing” your own security practices • Security is very,
very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints • Your backend
should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
Stop client-side encryption • Don’t place your key under the
doormat • Security by obscurity is weak whoops... - “Double encryption!”
Anything part of your APK can be read • This
includes all API keys • … access tokens • … anything else hard-coded
Auth token in SharedPreferences • No problems! • Other apps
on the system cannot read your app’s data
Data you don’t have, cannot be stolen • Store user
data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
What about rooted devices? • All. • bets. • are.
• off.
Remember alternate attack vectors • Bribe a security guard? •
Bribe an employee?
Time for something real.
Insecure data storage • Anything in “private” storage cannot be
read by other apps in the system • … but anything in “external” storage can be read by anyone!
Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1
is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
Please break your own systems • Please! • Pay for
it!
fin