Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Stop the security theater!

Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
0
290

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
42
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
20
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
260
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
190
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
180
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
250
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
160
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
310

Other Decks in Programming

See All in Programming
これならできる!個人開発のすゝめ
Avatar for Tsubasa SEKIGUCHI tinykitten
PRO
0
110
Microservices rules: What good looks like
Avatar for Chris Richardson cer
PRO
0
1.5k
JETLS.jl ─ A New Language Server for Julia
Avatar for abap34 abap34
1
410
AWS CDKの推しポイントN選
Avatar for アキキー akihisaikeda
1
240
ハイパーメディア駆動アプリケーションとIslandアーキテクチャ: htmxによるWebアプリケーション開発と動的UIの局所的適用
Avatar for Ryota Nakamura nowaki28
0
420
S3 VectorsとStrands Agentsを利用したAgentic RAGシステムの構築
Avatar for とすり tosuri13
6
320
AtCoder Conference 2025「LLM時代のAHC」
Avatar for Yuki Imajuku imjk
2
510
ローターアクトEクラブ アメリカンナイト:川端 柚菜 氏(Japan O.K. ローターアクトEクラブ 会長):2720 Japan O.K. ロータリーEクラブ2025年12月1日卓話
Avatar for 2720 Japan O.K. ロータリーEクラブ 2720japanoke
0
730
AIエンジニアリングのご紹介 / Introduction to AI Engineering
Avatar for r-kagaya rkaga
8
2.9k
認証・認可の基本を学ぼう後編
Avatar for kaza kouyuume
0
240
【CA.ai #3】Google ADKを活用したAI Agent開発と運用知見
Avatar for Kazuki Hara harappa80
0
320
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
130

Featured

See All Featured
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
190
11k
Fireside Chat
Avatar for paigeccino paigeccino
41
3.7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
304
21k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
162
23k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
10
730
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.1k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin