Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
310
0

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
49
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
37
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
270
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
210
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
210
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
270
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
180
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
320

Other Decks in Programming

See All in Programming
Agentic UI
Avatar for Manfred Steyer manfredsteyer
PRO
0
150
正しくソフトウェアを作る、前提を疑うための認知の視点 / doubt-premise
Avatar for MinoDriven minodriven
21
6.5k
Oxcを導入して開発体験が向上した話
Avatar for Yuji Yamaguchi yug1224
4
310
LLM Plugin for Node-REDの利用方法と開発について
Avatar for 404background 404background
0
170
並列実装の現場、2ヶ月間実務でAIを使い倒したAIもPCも私も限界が近い
Avatar for ming ming_ayami
0
130
不変条件と整合性境界—ビジネスが決める設計判断と実現パターン / Invariants and Consistency Boundaries
Avatar for nrs nrslib
13
3.6k
技術記事、AIに書かせるか、自分で書くか? 〜それでも私が自分の手で書く理由〜 / #QiitaConference
Avatar for Junichi Ito jnchito
2
1.4k
さぁV100、メモリをお食べ・・・
Avatar for nilpe nilpe
0
140
The Arts and Crafts of Work in the AI Era — Toward Mastery in Software Development
Avatar for Yoshihito Kuranuki / 倉貫義人 kuranuki
1
750
Oxlintのカスタムルールの現況
Avatar for syumai syumai
6
1.1k
Spec Driven Development | AI Summit Lisbon
Avatar for Daniel Sogl danielsogl
PRO
0
180
運用エージェントは "作る" から "育てる" へ - 記憶と自己進化の3層設計パターン / self-evolving-agents-three-layer-agent-design
Avatar for geeawa gawa
12
3.6k

Featured

See All Featured
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
2
690
Marketing to machines
Avatar for Jono Alderson jonoalderson
1
5.4k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
160
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
58k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
Avatar for Andy Polaine apolaine
1
350
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
400
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
1
480
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
430
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.9k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.7k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin