Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
0
300

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
43
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
28
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
260
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
200
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
180
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
260
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
170
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
310

Other Decks in Programming

See All in Programming
RAGでハマりがちな"Excelの罠"を、データの構造化で突破する
Avatar for harumi harumiweb
8
2.3k
Railsの気持ちを考えながらコントローラとビューを整頓する/tidying-rails-controllers-and-views-as-rails-think
Avatar for MOROHASHI Kyosuke moro
4
360
go directiveを最新にしすぎないで欲しい話──あるいは、Go 1.26からgo mod initで作られるgo directiveの値が変わる話 / Go 1.26 リリースパーティ
Avatar for Arthur arthur1
2
420
AI巻き込み型コードレビューのススメ
Avatar for Nealle nealle
2
2.5k
24時間止められないシステムを守る-医療ITにおけるランサムウェア対策の実際
Avatar for kouki.miura koukimiura
2
180
Go Conference mini in Sendai 2026 : Goに新機能を提案し実装されるまでのフロー徹底解説
Avatar for Takahito Yamatoya yamatoya
0
490
AHC061解説
Avatar for Shun_PI shun_pi
0
280
「ブロックテーマでは再現できない」は本当か?
Avatar for Takashi Kitajima inc2734
0
1.1k
CSC307 Lecture 10
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
690
Claude Code、ちょっとした工夫で開発体験が変わる
Avatar for Toranosuke Minamikawa tigertora7571
0
190
登壇資料を作る時に意識していること #登壇資料_findy
Avatar for konifar konifar
5
2.1k
atmaCup #23でAIコーディングを活用した話
Avatar for ML_Bear ml_bear
4
720

Featured

See All Featured
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
2
800
KATA
Avatar for Megan Lloyd mclloyd
PRO
35
15k
SEO for Brand Visibility & Recognition
Avatar for Aleyda Solis aleyda
0
4.3k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
333
24k
Money Talks: Using Revenue to Get Sh*t Done
Avatar for Nikki Halliwell nikkihalliwell
0
170
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
16
1.9k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
82
6.2k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
220
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
95
Visualization
Avatar for Eitan Lees eitanlees
150
17k
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
Avatar for UX Y'all uxyall
0
190

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin