Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Stop the security theater!
Search
Pratul Kalia
October 07, 2017
Programming
0
270
Stop the security theater!
Pratul Kalia
October 07, 2017
Tweet
Share
More Decks by Pratul Kalia
See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
40
Reldex: measuring the effectiveness of your app release process
pratul
0
16
Simplifying Software Estimation
pratul
1
250
Effective and efficient mobile engineering
pratul
0
180
Designing future-proof Android applications
pratul
0
170
Android - an introduction for developers
pratul
3
240
Semantic Content Repositories
pratul
1
150
How To Become A Hacker
pratul
3
300
Other Decks in Programming
See All in Programming
開発生産性を上げるための生成AI活用術
starfish719
3
1.6k
20251016_Rails News ~Rails 8.1の足音を聴く~
morimorihoge
2
650
All About Angular's New Signal Forms
manfredsteyer
PRO
0
200
Devoxx BE 2025 Loom lab
josepaumard
0
110
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
520
monorepo の Go テストをはやくした〜い!~最小の依存解決への道のり~ / faster-testing-of-monorepos
convto
2
520
Claude Agent SDK を使ってみよう
hyshu
0
1.3k
Devoxx BE - Local Development in the AI Era
kdubois
0
130
CSC305 Lecture 08
javiergs
PRO
0
270
コード生成なしでモック処理を実現!ovechkin-dm/mockioで学ぶメタプログラミング
qualiarts
0
220
Flutterで分数(Fraction)を表示する方法
koukimiura
0
140
Developer Joy - The New Paradigm
hollycummins
1
310
Featured
See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
249
1.3M
A Tale of Four Properties
chriscoyier
161
23k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.5k
Raft: Consensus for Rubyists
vanstee
140
7.2k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Designing Experiences People Love
moore
142
24k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Building Better People: How to give real-time feedback that sticks.
wjessup
369
20k
Fireside Chat
paigeccino
40
3.7k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
Java REST API Framework Comparison - PWX 2021
mraible
34
8.9k
Transcript
Stop the security theater! pratul kalia @prxtl uncommon.is
“the practice of investing in countermeasures intended to provide the
feeling of improved security while doing little or nothing to achieve it.”
None
Cost-benefit analysis • Imperative to all security discussions • Security
of personal app vs business-critical app
Password rules are pointless • You’re not using a modern
password-hashing algorithm • Only length matters!
Do it right! • bcrypt • bcrypt • bcrypt whoops...
- zomato
Stop “inventing” your own security practices • Security is very,
very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints • Your backend
should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
Stop client-side encryption • Don’t place your key under the
doormat • Security by obscurity is weak whoops... - “Double encryption!”
Anything part of your APK can be read • This
includes all API keys • … access tokens • … anything else hard-coded
Auth token in SharedPreferences • No problems! • Other apps
on the system cannot read your app’s data
Data you don’t have, cannot be stolen • Store user
data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
What about rooted devices? • All. • bets. • are.
• off.
Remember alternate attack vectors • Bribe a security guard? •
Bribe an employee?
Time for something real.
Insecure data storage • Anything in “private” storage cannot be
read by other apps in the system • … but anything in “external” storage can be read by anyone!
Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1
is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
Please break your own systems • Please! • Pay for
it!
fin