Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Stop the security theater!
Search
Pratul Kalia
October 07, 2017
Programming
0
240
Stop the security theater!
Pratul Kalia
October 07, 2017
Tweet
Share
More Decks by Pratul Kalia
See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
15
Reldex: measuring the effectiveness of your app release process
pratul
0
6
Simplifying Software Estimation
pratul
1
180
Effective and efficient mobile engineering
pratul
0
140
Designing future-proof Android applications
pratul
0
130
Android - an introduction for developers
pratul
3
200
Semantic Content Repositories
pratul
1
99
How To Become A Hacker
pratul
3
290
Other Decks in Programming
See All in Programming
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
220
go.mod、DockerfileやCI設定に分散しがちなGoのバージョンをまとめて管理する / Go Connect #3
arthur1
10
2.3k
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
3
1k
ActiveRecordの力でDBのメタデータを迅速に解析する
lnit
5
2.2k
Re:proS_案内資料
rect
0
260
リリース8年目のサービスの1800個のERBファイルをViewComponentに移行した方法とその結果
katty0324
2
2.8k
Vue.js学習の振り返り
hiro_xre
2
130
プロジェクト新規参入者のリードタイム短縮の観点から見る、品質の高いコードとアーキテクチャを保つメリット
d_endo
1
950
[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리
beomi
0
110
Honoの来た道とこれから
yusukebe
19
3k
CSC509 Lecture 07
javiergs
PRO
0
140
Kaigi on Rails 2024 - Rails APIモードのためのシンプルで効果的なCSRF対策 / kaigionrails-2024-csrf
corocn
4
2.8k
Featured
See All Featured
Designing for Performance
lara
604
68k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2k
Typedesign – Prime Four
hannesfritz
39
2.4k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
13
1.9k
A Philosophy of Restraint
colly
203
16k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
770
GraphQLとの向き合い方2022年版
quramy
43
13k
Making the Leap to Tech Lead
cromwellryan
132
8.9k
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
A better future with KSS
kneath
238
17k
Transcript
Stop the security theater! pratul kalia @prxtl uncommon.is
“the practice of investing in countermeasures intended to provide the
feeling of improved security while doing little or nothing to achieve it.”
None
Cost-benefit analysis • Imperative to all security discussions • Security
of personal app vs business-critical app
Password rules are pointless • You’re not using a modern
password-hashing algorithm • Only length matters!
Do it right! • bcrypt • bcrypt • bcrypt whoops...
- zomato
Stop “inventing” your own security practices • Security is very,
very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints • Your backend
should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
Stop client-side encryption • Don’t place your key under the
doormat • Security by obscurity is weak whoops... - “Double encryption!”
Anything part of your APK can be read • This
includes all API keys • … access tokens • … anything else hard-coded
Auth token in SharedPreferences • No problems! • Other apps
on the system cannot read your app’s data
Data you don’t have, cannot be stolen • Store user
data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
What about rooted devices? • All. • bets. • are.
• off.
Remember alternate attack vectors • Bribe a security guard? •
Bribe an employee?
Time for something real.
Insecure data storage • Anything in “private” storage cannot be
read by other apps in the system • … but anything in “external” storage can be read by anyone!
Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1
is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
Please break your own systems • Please! • Pay for
it!
fin