Stop the security theater!
Pratul Kalia
October 07, 2017
Programming
Transcript
Stop the security theater!
Pratul Kalia (@prxtl), uncommon.is

Security theater: “the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”
Cost-benefit analysis
• Imperative in every security discussion
• The security a personal app needs is not the security a business-critical app needs
Password rules are pointless
• You’re not using a modern password-hashing algorithm
• Only length matters! (Composition rules such as “at least one digit and one symbol” add little; extra length adds far more.)

Do it right!
• bcrypt
• bcrypt
• bcrypt
whoops... Zomato
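The two slides above, as an added example that is not from the talk: server-side password handling with bcrypt, where the only “rules” are a minimum length and bcrypt’s own 72-byte input limit. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt) is on the classpath; the class name, cost factor and sample passwords are made up for the example.

```java
import org.mindrot.jbcrypt.BCrypt;

import java.nio.charset.StandardCharsets;

// Added example (not from the talk). Assumes jBCrypt (org.mindrot.jbcrypt) is available.
public final class Passwords {
    // Work factor: 2^12 Blowfish key-setup rounds. Raise it as hardware gets faster;
    // old hashes stay verifiable because the cost is encoded in the hash string itself.
    private static final int COST = 12;

    // The only policy: a minimum length, and bcrypt's 72-byte input limit.
    private static final int MIN_LENGTH = 12;
    private static final int BCRYPT_MAX_BYTES = 72;

    // Returns null when the password is acceptable, otherwise a message for the user.
    public static String checkPolicy(String password) {
        if (password.length() < MIN_LENGTH) {
            return "too short: use at least " + MIN_LENGTH + " characters";
        }
        if (password.getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES) {
            // bcrypt only keys on the first 72 bytes of input; enforce the cap here
            // instead of relying on the library to truncate or reject silently.
            return "too long: at most " + BCRYPT_MAX_BYTES + " bytes";
        }
        return null; // accepted: no digit/symbol/uppercase requirements
    }

    public static String hash(String password) {
        String problem = checkPolicy(password);
        if (problem != null) {
            throw new IllegalArgumentException(problem);
        }
        // gensalt() draws a random 128-bit salt from SecureRandom; the result embeds
        // algorithm, cost and salt: "$2a$12$<22-char salt><31-char hash>"
        return BCrypt.hashpw(password, BCrypt.gensalt(COST));
    }

    public static boolean verify(String password, String storedHash) {
        // checkpw re-derives the hash with the stored salt and cost and compares.
        return BCrypt.checkpw(password, storedHash);
    }

    // Hashes made with an older, cheaper cost can be re-hashed at the user's next login.
    public static boolean needsRehash(String storedHash) {
        // Format "$2a$NN$...": the cost is the field between the second and third '$'.
        String[] parts = storedHash.split("\\$");
        return parts.length < 4 || Integer.parseInt(parts[2]) < COST;
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple");
        System.out.println("stored: " + stored);
        System.out.println("right password verifies: " + verify("correct horse battery staple", stored));
        System.out.println("wrong password verifies:  " + verify("Tr0ub4dor&3", stored));
        System.out.println("needs rehash: " + needsRehash(stored));
    }
}
```

Nothing about the stored value needs to be secret beyond the database itself: the salt is public, the cost is public, and the only thing an attacker gains from a leaked table is the right to spend 2^12 Blowfish setups per guess per user.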
Stop “inventing” your own security practices
• Security is very, very hard to get right
• You’re not that smart!
• It is easier to do the known right thing than to know what you’re doing wrong
Don’t try to “save” your API endpoints
• Your backend should not be affected by a rogue client
• Assume MITM all the way: the person holding the device can intercept and rewrite their own app’s traffic
• Certificate pinning does not solve this! (It stops a network attacker from impersonating your server; it does not keep the device owner out of the app.)
whoops... “Basic HTTP auth over TLS”

Stop client-side encryption
• Don’t place your key under the doormat
• Security by obscurity is weak
whoops... “Double encryption!”

Anything that is part of your APK can be read
• This includes all API keys
• … access tokens
• … anything else hard-coded
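The three slides above say the same thing from the server’s side: a key that ships in the APK is not a credential, and a client that can be modified decides nothing. As an added example, not from the talk, here is a hypothetical money-transfer endpoint written both ways. The request shape, the in-memory maps and the user names are made up; no web framework is assumed.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the talk). Hypothetical endpoint and in-memory stores.
public final class Backend {
    static final class Request {
        final Map<String, String> headers = new HashMap<>();
        final Map<String, String> body = new HashMap<>();
    }

    // "Secret" baked into the APK. Anyone who unzips the app has it, so its
    // presence in a request proves nothing about who is calling.
    static final String APP_API_KEY = "app-key-that-ships-inside-the-apk";

    private final Map<String, String> sessions = new HashMap<>();  // token -> userId
    private final Map<String, Integer> balances = new HashMap<>(); // userId -> balance
    private final SecureRandom rng = new SecureRandom();

    Backend() {
        balances.put("alice", 100);
        balances.put("bob", 0);
        balances.put("mallory", 0);
    }

    // Called only after the password check has succeeded: issue a random,
    // unguessable bearer token that binds later requests to this user.
    String issueToken(String userId) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, userId);
        return token;
    }

    // BAD: the app key is treated as authentication and the payer is whatever the
    // client put in the body. A patched app, or a proxy between app and server,
    // can move anyone's money. Certificate pinning does not help: the attacker
    // owns the device and the app.
    int transferInsecure(Request r) {
        if (!APP_API_KEY.equals(r.headers.get("X-Api-Key"))) throw new SecurityException("bad key");
        String from = r.body.get("fromUser");
        String to = r.body.get("toUser");
        int amount = Integer.parseInt(r.body.get("amount"));
        balances.merge(from, -amount, Integer::sum);
        balances.merge(to, amount, Integer::sum);
        return balances.get(from);
    }

    // GOOD: identity comes only from the server-issued token, every value the
    // client sends is validated, and the server keeps the books.
    int transferSecure(Request r) {
        String auth = r.headers.get("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) throw new SecurityException("no token");
        String from = sessions.get(auth.substring("Bearer ".length()));
        if (from == null) throw new SecurityException("unknown token");
        String to = r.body.get("toUser");
        int amount;
        try {
            amount = Integer.parseInt(r.body.get("amount"));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("bad amount");
        }
        if (amount <= 0 || to == null || !balances.containsKey(to) || to.equals(from)) {
            throw new IllegalArgumentException("rejected");
        }
        int available = balances.getOrDefault(from, 0);
        if (available < amount) throw new IllegalStateException("insufficient funds");
        balances.put(from, available - amount);
        balances.merge(to, amount, Integer::sum);
        return available - amount;
    }

    public static void main(String[] args) {
        Backend bank = new Backend();

        // Mallory builds a request by hand with the key pulled out of the APK and
        // names alice as the payer and bob (a mule account) as the payee.
        Request forged = new Request();
        forged.headers.put("X-Api-Key", APP_API_KEY);
        forged.body.put("fromUser", "alice");
        forged.body.put("toUser", "bob");
        forged.body.put("amount", "100");
        bank.transferInsecure(forged);
        System.out.println("insecure endpoint: alice now has " + bank.balances.get("alice"));

        // The secure endpoint ignores "fromUser": the payer is whoever the token
        // belongs to, so Mallory can only spend Mallory's own (empty) balance.
        forged.headers.put("Authorization", "Bearer " + bank.issueToken("mallory"));
        try {
            bank.transferSecure(forged);
        } catch (RuntimeException e) {
            System.out.println("secure endpoint refused: " + e.getMessage());
        }
    }
}
```

The point is not the token format but where trust originates: the server mints the token after it has checked a password, and every later decision is made from server-side state that the client cannot edit.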
Auth token in SharedPreferences
• No problems!
• Other apps on the system cannot read your app’s data (as long as the file is created with MODE_PRIVATE and the device is not rooted; also set android:allowBackup="false", since on Android versions before 12 `adb backup` could otherwise copy your private files off the device)

Data you don’t have cannot be stolen
• Store user data with the utmost caution
• You’re a user too!
example... “Who else in my Contacts uses this app?” (a feature that requires uploading the user’s entire address book)
What about rooted devices?
• All. bets. are. off.

Remember alternate attack vectors
• Bribe a security guard?
• Bribe an employee?

Time for something real.
Insecure data storage
• Anything in “private” (internal) storage cannot be read by other apps on the system
• … but anything in “external” storage can be read by anyone: any app holding READ_EXTERNAL_STORAGE, and anyone who plugs the device into a computer
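The SharedPreferences slide and the storage slide above, as one added example that is not from the talk: the same token written to the three places an Android app can put it, with the one that is wrong marked. It assumes an Android Context; the preference name, key and file names are made up.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

// Added example (not from the talk). Names are hypothetical.
public final class TokenStore {
    private static final String PREFS = "session";
    private static final String KEY_TOKEN = "auth_token";

    // OK: app-private SharedPreferences, backed by
    // /data/data/<package>/shared_prefs/session.xml. On an unrooted device the file
    // is owned by this app's uid and no other app can open it.
    public static void saveToken(Context ctx, String token) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    public static String loadToken(Context ctx) {
        return ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).getString(KEY_TOKEN, null);
    }

    // Drop the token on logout so it does not outlive the session on disk.
    public static void clearToken(Context ctx) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit().remove(KEY_TOKEN).apply();
    }

    // OK: app-private file under /data/data/<package>/files/, same uid protection.
    public static void savePrivateFile(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    // NOT OK: shared external storage (needs WRITE_EXTERNAL_STORAGE in the manifest).
    // Every app that holds READ_EXTERNAL_STORAGE, and anyone with the device on a USB
    // cable, can read this file. getExternalFilesDir() is on the same shared volume and,
    // before scoped storage, was readable the same way. getExternalStorageDirectory()
    // is deprecated since API 29, which is one more hint that nothing secret belongs here.
    public static void saveOnExternalStorage(String name, byte[] data) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), name);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(data);
        }
    }
}
```

The private locations are only as private as the device: a rooted phone, or a backup pulled with `adb backup` when android:allowBackup is left at its default, exposes them just the same, which is why the token should be revocable server-side rather than treated as a long-lived secret.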
Insecure TLS usage
• Always TLS v1.2!
  ◦ TLS v1.1 is acceptable… but don’t! (TLS 1.0 and 1.1 have since been formally deprecated by RFC 8996; TLS 1.3, RFC 8446, was published after this talk and should be preferred wherever the platform supports it.)
• Disable SSL v2 and SSL v3, disable RC4
• Use OkHttp!!1!1!
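The slide above in code, as an added example that is not from the talk: an OkHttp 3 client that refuses anything older than TLS 1.2 and offers only forward-secret AEAD cipher suites, so SSLv3 and RC4 are excluded by construction. It assumes OkHttp 3.x on the classpath; the URL in the usage note is made up.

```java
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

import java.io.IOException;
import java.util.Collections;

// Added example (not from the talk). Assumes OkHttp 3.x.
public final class StrictClient {
    public static OkHttpClient build() {
        // Start from MODERN_TLS and narrow it: TLS 1.2 only, ECDHE key exchange
        // (forward secrecy) with AES-GCM (authenticated encryption). No CBC, no RC4,
        // no RSA key exchange.
        ConnectionSpec strictTls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
                .build();

        // Offer only this spec: no COMPATIBLE_TLS fallback to weaker settings, and no
        // ConnectionSpec.CLEARTEXT, so a plain http:// URL fails instead of silently
        // sending data unencrypted.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(strictTls))
                .build();
    }

    public static String fetch(String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = build().newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("HTTP " + response.code());
            }
            return response.body().string();
        }
    }
}
```

Usage is `StrictClient.fetch("https://api.example.com/v1/me")`. Two caveats: OkHttp intersects the spec with the protocols the platform socket already has enabled, so on Android 4.x, where TLS 1.2 is supported but off by default, this spec needs an SSLSocketFactory that enables it; and on OkHttp 3.11 or newer you should add TlsVersion.TLS_1_3 to the tlsVersions() list so TLS 1.3 is negotiated where available.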
Please break your own systems
• Please!
• Pay for it! (hire penetration testers, or run a bug bounty)

fin