Stop the security theater!
Pratul Kalia
October 07, 2017
Transcript
Stop the security theater!
pratul kalia
@prxtl
uncommon.is

Security theater:
“the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”
Cost-benefit analysis
• Imperative to all security discussions
• Security of personal app vs business-critical app

Password rules are pointless
• You’re not using a modern password-hashing algorithm
• Only length matters!

Do it right!
• bcrypt
• bcrypt
• bcrypt
whoops... - zomato

Stop “inventing” your own security practices
• Security is very, very hard to get right
• You’re not that smart!
• It is easier to do the known right thing... than to know what you’re doing wrong

Don’t try to “save” your API endpoints
• Your backend should not get affected by a rogue client
• MITM all the way
• Certificate pinning does not solve this!
whoops... - “Basic HTTP auth over TLS”

Stop client-side encryption
• Don’t place your key under the doormat
• Security by obscurity is weak
whoops... - “Double encryption!”

Anything part of your APK can be read
• This includes all API keys
• … access tokens
• … anything else hard-coded

Auth token in SharedPreferences
• No problems!
• Other apps on the system cannot read your app’s data

Data you don’t have, cannot be stolen
• Store user data with utmost caution
• You’re a user too!
example... - “Who else in my Contacts uses this app?”

What about rooted devices?
• All.
• bets.
• are.
• off.

Remember alternate attack vectors
• Bribe a security guard?
• Bribe an employee?
Time for something real.
Insecure data storage
• Anything in “private” storage cannot be read by other apps in the system
• … but anything in “external” storage can be read by anyone!

Insecure TLS usage
• Always TLS v1.2!
  ◦ TLS v1.1 is acceptable… but don’t!
• Disable SSL v2 and SSL v3, disable RC4
• Use OkHttp!!1!1!
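Added example, not code from the deck: one way to apply the TLS slide's rules (TLS 1.2 only, no SSLv2/SSLv3, no RC4) with OkHttp 3.x in Java. It assumes OkHttp 3.x on the classpath; `api.example.com` is a placeholder host and `StrictTlsClient` is a name chosen here.

```java
import java.io.IOException;
import java.util.Collections;

import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

public final class StrictTlsClient {

    // Every connection is limited to TLS 1.2 with forward-secret AEAD suites.
    // SSLv2/SSLv3, TLS 1.0/1.1 and all RC4 suites are excluded simply by not
    // being listed, which keeps the allowed set short and auditable.
    static final ConnectionSpec STRICT_TLS =
            new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                    .tlsVersions(TlsVersion.TLS_1_2)
                    .cipherSuites(
                            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                            CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                            CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                    .build();

    public static OkHttpClient build() {
        // Only STRICT_TLS is offered. ConnectionSpec.CLEARTEXT is deliberately
        // absent, so a plain http:// request is refused (UnknownServiceException)
        // instead of silently leaving the device unencrypted.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(STRICT_TLS))
                .build();
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient client = build();
        Request request = new Request.Builder()
                .url("https://api.example.com/v1/profile") // placeholder host
                .build();
        try (Response response = client.newCall(request).execute()) {
            // Log what was actually negotiated; this is the value to check in
            // a test against your real backend.
            System.out.println("Negotiated: " + response.handshake().tlsVersion()
                    + " / " + response.handshake().cipherSuite());
        }
    }
}
```

If the backend cannot complete a handshake under this spec, fix the server configuration rather than widening the client list.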
Please break your own systems
• Please!
• Pay for it!
fin