Stop the security theater!
“the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”
● Imperative to all security discussions
● Security of personal app vs business-critical app
Password rules are pointless
● You’re not using a modern password-hashing algorithm
● Only length matters!
Do it right!
Stop “inventing” your own security practices
● Security is very, very hard to get right
● You’re not that smart!
● It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints
● Your backend should not get affected by a rogue client
● MITM all the way
● Certificate pinning does not solve this!
- “Basic HTTP auth over TLS”
Stop client-side encryption
● Don’t place your key under the doormat
● Security by obscurity is weak
- “Double encryption!”
Anything part of your APK can be read
● This includes all API keys
● … access tokens
● … anything else hard-coded
Auth token in SharedPreferences
● No problems!
● Other apps on the system cannot read your app’s data
Data you don’t have, cannot be stolen
● Store user data with utmost caution
● You’re a user too!
- “Who else in my Contacts uses this app?”
What about rooted devices?
Remember alternate attack vectors
● Bribe a security
● Bribe an employee?
Time for something real.
Insecure data storage
● Anything in “private” storage cannot be read by other apps in the system
● … but anything in “external” storage can be read by
Insecure TLS usage
● Always TLS v1.2!
○ TLS v1.1 is acceptable… but don’t!
● Disable SSL v2 and SSL v3, disable RC4
● Use OkHttp!!1!1!
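Added example, not part of the deck: an OkHttp 3.x client pinned to the settings on this slide (TLS 1.2 only, no SSLv2/SSLv3, no RC4). The endpoint URL and class name are assumptions.

```java
// Added example (not from the deck): an OkHttp 3.x client restricted to TLS 1.2
// with AEAD cipher suites only, so SSLv2/SSLv3/RC4 can never be negotiated.
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

public final class StrictTlsClient {

    // ConnectionSpec.MODERN_TLS already excludes SSLv3 and RC4, but depending on
    // the OkHttp release it may still list TLS 1.0/1.1; narrow it to TLS 1.2.
    static final ConnectionSpec TLS12_ONLY = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
            .tlsVersions(TlsVersion.TLS_1_2)
            .cipherSuites(
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
            .build();

    public static OkHttpClient build() {
        // Offer exactly one spec: if the server cannot meet it, OkHttp fails the
        // connection (UnknownServiceException) rather than silently downgrading.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(TLS12_ONLY))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint; replace with your own API host.
        Request request = new Request.Builder().url("https://api.example.com/health").build();
        try (Response response = build().newCall(request).execute()) {
            // Log what was actually negotiated so a downgrade shows up in testing.
            System.out.println("TLS " + response.handshake().tlsVersion()
                    + " with " + response.handshake().cipherSuite());
        }
    }
}
```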
Please break your own systems
● Pay for it!