Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Stop the security theater!
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Pratul Kalia
October 07, 2017
Programming
310
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Stop the security theater!
Pratul Kalia
October 07, 2017
More Decks by Pratul Kalia
See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
51
Reldex: measuring the effectiveness of your app release process
pratul
0
41
Simplifying Software Estimation
pratul
1
280
Effective and efficient mobile engineering
pratul
0
210
Designing future-proof Android applications
pratul
0
210
Android - an introduction for developers
pratul
3
270
Semantic Content Repositories
pratul
1
190
How To Become A Hacker
pratul
3
320
Other Decks in Programming
See All in Programming
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
handlename
0
830
【SRE NEXT 2026 Lunch Session】一人目専任SREの立ち上げを加速する ― AIと進めたオンボーディングで2分を0.04秒にした話
pkshadeck
PRO
0
1.6k
これからAgentCoreを触る方へトレンドはGatewayです
har1101
6
480
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.3k
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
190
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
minodriven
14
6.7k
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
140
過去最大のMCPアップデート! 2026-07-28 RC版の謎に迫る
licux
6
460
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
220
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
suikabar
3
830
TAKTでAI駆動開発の品質を設計する
j5ik2o
7
1.7k
Skillsは効率化、Agentsは"自分の拡張"——Builder時代のエージェント編成(CC Night 2026)
wemra
1
200
Featured
See All Featured
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
2
600
The World Runs on Bad Software
bkeepers
PRO
72
12k
[RailsConf 2023] Rails as a piece of cake
palkan
59
6.7k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.3k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
tammyeverts
2
340
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.9k
GraphQLとの向き合い方2022年版
quramy
50
15k
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.4k
The browser strikes back
jonoalderson
0
1.4k
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
320
End of SEO as We Know It (SMX Advanced Version)
ipullrank
3
4.3k
It's Worth the Effort
3n
188
29k
Transcript
Stop the security theater! pratul kalia @prxtl uncommon.is
“the practice of investing in countermeasures intended to provide the
feeling of improved security while doing little or nothing to achieve it.”
None
Cost-benefit analysis • Imperative to all security discussions • Security
of personal app vs business-critical app
Password rules are pointless • You’re not using a modern
password-hashing algorithm • Only length matters!
Do it right! • bcrypt • bcrypt • bcrypt whoops...
- zomato
Stop “inventing” your own security practices • Security is very,
very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints • Your backend
should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
Stop client-side encryption • Don’t place your key under the
doormat • Security by obscurity is weak whoops... - “Double encryption!”
Anything part of your APK can be read • This
includes all API keys • … access tokens • … anything else hard-coded
Auth token in SharedPreferences • No problems! • Other apps
on the system cannot read your app’s data
Data you don’t have, cannot be stolen • Store user
data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
What about rooted devices? • All. • bets. • are.
• off.
Remember alternate attack vectors • Bribe a security guard? •
Bribe an employee?
Time for something real.
Insecure data storage • Anything in “private” storage cannot be
read by other apps in the system • … but anything in “external” storage can be read by anyone!
Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1
is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
Please break your own systems • Please! • Pay for
it!
fin