Stop the security theater!

Pratul Kalia

October 07, 2017

  1. Stop the security theater! pratul kalia @prxtl uncommon.is
  2. “the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”
  3. None
  4. Cost-benefit analysis • Imperative to all security discussions • Security of personal app vs business-critical app
  5. Password rules are pointless • You’re not using a modern password-hashing algorithm • Only length matters!
  6. Do it right! • bcrypt • bcrypt • bcrypt whoops... - zomato
  7. Stop “inventing” your own security practices • Security is very, very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
  8. Don’t try to “save” your API endpoints • Your backend should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
  9. Stop client-side encryption • Don’t place your key under the doormat • Security by obscurity is weak whoops... - “Double encryption!”
  10. Anything part of your APK can be read • This includes all API keys • … access tokens • … anything else hard-coded
  11. Auth token in SharedPreferences • No problems! • Other apps on the system cannot read your app’s data
  12. Data you don’t have, cannot be stolen • Store user data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
  13. What about rooted devices? • All. • bets. • are. • off.
  14. Remember alternate attack vectors • Bribe a security guard? • Bribe an employee?
  15. Time for something real.
  16. Insecure data storage • Anything in “private” storage cannot be read by other apps in the system • … but anything in “external” storage can be read by anyone!
  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1 is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
  18. Please break your own systems • Please! • Pay for
  19. fin