Stop the security theater!
Pratul Kalia
October 07, 2017
Transcript
Stop the security theater!
pratul kalia @prxtl uncommon.is

“the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”
Cost-benefit analysis
• Imperative to all security discussions
• Security of personal app vs business-critical app

Password rules are pointless
• You’re not using a modern password-hashing algorithm
• Only length matters!

Do it right!
• bcrypt
• bcrypt
• bcrypt
whoops... - zomato
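The two slides above make one point: a length-only rule plus a slow, salted password hash beats any complexity rule. The following is an added example (not code from the deck); it uses scrypt from Python's standard library as a stand-in for the bcrypt the deck recommends, because bcrypt is not in the standard library. The cost parameters and the 12-character minimum are assumptions for the example.

```python
import hashlib
import hmac
import os

# The deck's rule: only length matters. No uppercase/digit/symbol
# requirements (assumption: 12 characters as the minimum for this example).
MIN_PASSWORD_LENGTH = 12

# scrypt cost parameters (assumption: a reasonable interactive-login
# setting; raise them as hardware gets faster).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def password_is_acceptable(password: str) -> bool:
    """Length is the only check enforced."""
    return len(password) >= MIN_PASSWORD_LENGTH


def unsalted_fast_hash(password: str) -> str:
    """What the deck calls 'not a modern password-hashing algorithm':
    fast and unsalted, so equal passwords collide across users and a
    leaked table can be attacked as a whole. Here only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Derive a salted, deliberately slow hash and store it together with
    its parameters, so the cost can be raised later without invalidating
    existing records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample
    record = hash_password(pw)
    print(password_is_acceptable(pw), verify_password(pw, record))
```

Two properties worth noticing when you run it: two users with the same password get different records because of the random salt, whereas the unsalted fast hash gives identical output for identical input, which is exactly what makes it cheap to attack.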
Stop “inventing” your own security practices
• Security is very, very hard to get right
• You’re not that smart!
• It is easier to do the known right thing... than to know what you’re doing wrong

Don’t try to “save” your API endpoints
• Your backend should not get affected by a rogue client
• MITM all the way
• Certificate pinning does not solve this!
whoops... - “Basic HTTP auth over TLS”

Stop client-side encryption
• Don’t place your key under the doormat
• Security by obscurity is weak
whoops... - “Double encryption!”

Anything part of your APK can be read
• This includes all API keys
• … access tokens
• … anything else hard-coded
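Since anything shipped inside the APK can be read, the practical defence is to make sure nothing secret is in there before release. Below is an added example (not from the deck) of a pre-release scan over a build artifact: it extracts printable runs the way `strings` would, flags well-known credential formats, and flags high-entropy strings that look like tokens. The pattern list, the entropy threshold and the sample artifact are all constructed for this example.

```python
import math
import re

# Well-known credential formats (constructed list for this example; add the
# formats your own backend issues). AKIA... is the AWS access key id prefix.
KNOWN_SECRET_PATTERNS = {
    "AWS access key id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "JWT": re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "PEM private key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Printable ASCII runs of at least this length are examined, as `strings` would list them.
MIN_RUN = 20
PRINTABLE_RUN = re.compile(rb"[\x21-\x7e]{%d,}" % MIN_RUN)

# Bits per byte above which a run is reported as token-like (assumption; tune
# to your false-positive tolerance: URLs and identifiers sit around 3-4).
ENTROPY_THRESHOLD = 4.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given run."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(blob: bytes) -> list:
    """Return (label, matched_text) findings for a build artifact.
    Pass 1: exact known formats. Pass 2: high-entropy printable runs not
    already reported by pass 1."""
    findings = []
    for label, pattern in KNOWN_SECRET_PATTERNS.items():
        for m in pattern.finditer(blob):
            findings.append((label, m.group(0).decode("ascii")))
    already = {s for _, s in findings}
    for m in PRINTABLE_RUN.finditer(blob):
        run = m.group(0)
        text = run.decode("ascii")
        if any(text in s or s in text for s in already):
            continue
        if shannon_entropy(run) >= ENTROPY_THRESHOLD:
            findings.append(("high-entropy string", text))
    return findings


# Constructed stand-in for bytes pulled out of a built APK: a URL and a
# config flag (both fine) next to an AWS documentation example key id, a
# PEM header and a made-up token (all of which should be flagged).
SAMPLE_ARTIFACT = (
    b"\x00\x01classes.dex\x00"
    b"https://api.example.com/v1/\x00"
    b"PRETTY_LOGGING_ENABLED\x00"
    b"AKIAIOSFODNN7EXAMPLE\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"x9Qf3LpZ8kWv2RtYbN6mJh4Cs\x00"
)

if __name__ == "__main__":
    for label, text in find_hardcoded_secrets(SAMPLE_ARTIFACT):
        print(f"{label}: {text}")
```

Run this over the unzipped APK contents (classes.dex, resources, assets) in CI and fail the build on any finding; the URL and the config flag in the sample fall under the entropy threshold, so they are not reported.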
Auth token in SharedPreferences
• No problems!
• Other apps on the system cannot read your app’s data

Data you don’t have, cannot be stolen
• Store user data with utmost caution
• You’re a user too!
example... - “Who else in my Contacts uses this app?”

What about rooted devices?
• All.
• bets.
• are.
• off.

Remember alternate attack vectors
• Bribe a security guard?
• Bribe an employee?

Time for something real.

Insecure data storage
• Anything in “private” storage cannot be read by other apps in the system
• … but anything in “external” storage can be read by anyone!

Insecure TLS usage
• Always TLS v1.2!
  ◦ TLS v1.1 is acceptable… but don’t!
• Disable SSL v2 and SSL v3, disable RC4
• Use OkHttp!!1!1!
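The TLS checklist on the slide above (TLS 1.2 minimum, SSLv2/SSLv3 off, no RC4, and verification left on) is the same whichever client library enforces it. The deck recommends OkHttp on Android; the following added example (not from the deck) shows the same settings with Python's standard ssl module, together with a small audit function that reports which items a given context fails. The cipher string is an assumption in OpenSSL cipher-list syntax.

```python
import ssl

# TLS 1.2 suites allowed: forward-secret AEAD only. RC4, MD5 and 3DES are
# excluded explicitly. (Assumption: OpenSSL cipher-list syntax; TLS 1.3
# suites are configured separately and are all AEAD anyway.)
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_hardened_client_context() -> ssl.SSLContext:
    """The slide's checklist: a TLS 1.2 floor (which also rules out SSLv2,
    SSLv3, TLS 1.0 and TLS 1.1), no RC4, default verification kept on."""
    ctx = ssl.create_default_context()      # CA store loaded, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def build_weak_client_context() -> ssl.SSLContext:
    """The 'it connects, ship it' configuration: any protocol version and
    certificate checks switched off. Built only so audit_context() has
    something to flag; never use this for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context
    satisfies every item on the checklist."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    rc4 = [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]
    if rc4:
        findings.append("RC4 cipher suites enabled: " + ", ".join(rc4))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_hardened_client_context()))
    print("weak:    ", audit_context(build_weak_client_context()))
```

The audit is the useful part for a code review: run it against whatever context your HTTP client actually ends up with, not against the one you think you configured.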
Please break your own systems
• Please!
• Pay for it!

fin