Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Pratul Kalia
October 07, 2017
Programming
0
250

Stop the security theater!

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
23
Reldex: measuring the effectiveness of your app release process
pratul
0
11
Simplifying Software Estimation
pratul
1
210
Effective and efficient mobile engineering
pratul
0
160
Designing future-proof Android applications
pratul
0
150
Android - an introduction for developers
pratul
3
220
Semantic Content Repositories
pratul
1
120
How To Become A Hacker
pratul
3
300

Other Decks in Programming

See All in Programming
SwiftUI API Design Lessons
niw
1
270
自分のために作ったアプリが、グローバルに使われるまで / Indie App Development Lunch LT
pixyzehn
1
150
Day0 初心者向けワークショップ 実践!ソフトウェアテストの第一歩
satohiroyuki
0
830
Memory API : Patterns, Performance et Cas d'Utilisation
josepaumard
0
110
Signal-Based Data Fetching With the New httpResource
manfredsteyer
PRO
0
170
Being an ethical software engineer
xgouchet
PRO
0
210
PHP で学ぶ OAuth 入門
azuki
1
140
ミリしらMCP勉強会
watany
4
740
リアクティブシステムの変遷から理解するalien-signals / Learning alien-signals from the evolution of reactive systems
yamanoku
3
1.2k
Kubernetesで実現できるPlatform Engineering の現在地
nwiizo
3
1.9k
MCP世界への招待: AIエンジニアが創る次世代エージェント連携の世界
gunta
4
890
サービスレベルを管理してアジャイルを加速しよう!! / slm-accelerate-agility
tomoyakitaura
1
170

Featured

See All Featured
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
13
1.4k
The Cult of Friendly URLs
andyhume
78
6.3k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
12k
Producing Creativity
orderedlist
PRO
344
40k
Side Projects
sachag
452
42k
Site-Speed That Sticks
csswizardry
5
480
Product Roadmaps are Hard
iamctodd
PRO
52
11k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
660
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
It's Worth the Effort
3n
184
28k
The Pragmatic Product Professional
lauravandoore
33
6.5k
Art, The Web, and Tiny UX
lynnandtonic
298
20k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin