Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Pratul Kalia
October 07, 2017
Programming
0
210

Stop the security theater!

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
Simplifying Software Estimation
pratul
0
71
Effective and efficient mobile engineering
pratul
0
73
Designing future-proof Android applications
pratul
0
84
Android - an introduction for developers
pratul
3
180
Semantic Content Repositories
pratul
1
66
How To Become A Hacker
pratul
3
260

Other Decks in Programming

See All in Programming
iOS ライブラリをセルフサービスで生成する仕組み
junkpiano
2
200
今更だけどUIKitで型パラメータのインジェクトを利用してViewのレイアウトをしてみよう
martysuzuki
0
260
I shall define this only once
freekmurze
0
210
どのくらい速くなるの?Laravel MixとViteを性能比較してみました!
akitotsukahara
0
170
watchOS におけるバックグラウンドタスクの限界
yamannnu
2
200
モバイルアプリの行動ログの「仕込み」を快適にする / iOSDC Japan 2022 - Mobile App Logging
yujif
1
1.9k
Kotlin Multiplatform Mobile でiOSとAndroidの実装差異を無くす
teamlab
PRO
0
140
マルチテナントで GraphQL を使う際の工夫
mizdra
0
1.3k
SASユーザー総会2022:Time-varying treatmentsに対するIPTW法による因果効果の推定
norihirosuzuki
0
220
react-reconcilerでオレオレReact Nativeを作ろう!
kwzr
0
260
php-conference-japan-2022
tasuku43
1
120
入門SQLi / Introduction of SQLi
satoki
2
830

Featured

See All Featured
The Brand Is Dead. Long Live the Brand.
mthomps
47
2.8k
Code Reviewing Like a Champion
maltzj
507
37k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
8
1.1k
Making the Leap to Tech Lead
cromwellryan
113
7.5k
Web Components: a chance to create the future
zenorocha
303
40k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6k
Why You Should Never Use an ORM
jnunemaker
PRO
48
7.7k
5 minutes of I Can Smell Your CMS
philhawksworth
196
18k
Large-scale JavaScript Application Architecture
addyosmani
499
110k
Mobile First: as difficult as doing things right
swwweet
213
7.6k
Keith and Marios Guide to Fast Websites
keithpitt
404
21k
For a Future-Friendly Web
brad_frost
166
7.6k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin