Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Stop the security theater!

Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
0
290

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
42
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
20
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
260
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
190
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
180
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
250
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
160
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
310

Other Decks in Programming

See All in Programming
Graviton と Nitro と私
Avatar for maroon1st maroon1st
0
120
ローターアクトEクラブ アメリカンナイト:川端 柚菜 氏(Japan O.K. ローターアクトEクラブ 会長):2720 Japan O.K. ロータリーEクラブ2025年12月1日卓話
Avatar for 2720 Japan O.K. ロータリーEクラブ 2720japanoke
0
740
ハイパーメディア駆動アプリケーションとIslandアーキテクチャ: htmxによるWebアプリケーション開発と動的UIの局所的適用
Avatar for Ryota Nakamura nowaki28
0
440
LLM Çağında Backend Olmak: 10 Milyon Prompt'u Milisaniyede Sorgulamak
Avatar for Selçuk Usta selcukusta
0
130
DevFest Android in Korea 2025 - 개발자 커뮤니티를 통해 얻는 가치
Avatar for Suhyeon Kim wisemuji
0
160
「コードは上から下へ読むのが一番」と思った時に、思い出してほしい話
Avatar for HideyukiKitao panda728
PRO
39
26k
複数人でのCLI/Infrastructure as Codeの暮らしを良くする
Avatar for Shoma Okamoto shmokmt
5
2.3k
re:Invent 2025 のイケてるサービスを紹介する
Avatar for maroon1st maroon1st
0
140
TestingOsaka6_Ozono
Avatar for O3(ozono) o3
0
170
新卒エンジニアのプルリクエスト with AI駆動
Avatar for Yuta Fukunaga fukunaga2025
0
230
Kotlin Multiplatform Meetup - Compose Multiplatform 외부 의존성 아키텍처 설계부터 운영까지
Avatar for Suhyeon Kim wisemuji
0
110
20251212 AI 時代的 Legacy Code 營救術 2025 WebConf
Avatar for mouson(墨嗓) mouson
0
200

Featured

See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon szymonslowik
1
160
AI Search:
Where Are We & What Can We Do About It?
Avatar for Aleyda Solis aleyda
0
6.7k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
Avatar for Tech SEO Connect techseoconnect
PRO
0
72
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
170
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Ethics towards AI in product and experience design
Avatar for Skipper Chong Warson skipperchong
1
140
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
Avatar for Ines Montani inesmontani
PRO
0
94
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
0
63

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin