Stop the security theater!
Pratul Kalia
October 07, 2017
Transcript
Stop the security theater!
pratul kalia, @prxtl, uncommon.is

“the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”

Cost-benefit analysis
• Imperative to all security discussions
• Security of a personal app vs. a business-critical app

Password rules are pointless
• You’re not using a modern password-hashing algorithm
• Only length matters!

Do it right!
• bcrypt
• bcrypt
• bcrypt
whoops... - zomato

Stop “inventing” your own security practices
• Security is very, very hard to get right
• You’re not that smart!
• It is easier to do the known right thing... than to know what you’re doing wrong

Don’t try to “save” your API endpoints
• Your backend should not get affected by a rogue client
• MITM all the way
• Certificate pinning does not solve this!
whoops... - “Basic HTTP auth over TLS”

Stop client-side encryption
• Don’t place your key under the doormat
• Security by obscurity is weak
whoops... - “Double encryption!”

Anything part of your APK can be read
• This includes all API keys
• … access tokens
• … anything else hard-coded

Auth token in SharedPreferences
• No problems!
• Other apps on the system cannot read your app’s data

Data you don’t have cannot be stolen
• Store user data with utmost caution
• You’re a user too!
example... - “Who else in my Contacts uses this app?”

What about rooted devices?
• All. bets. are. off.

Remember alternate attack vectors
• Bribe a security guard?
• Bribe an employee?

Time for something real.

Insecure data storage
• Anything in “private” storage cannot be read by other apps in the system
• … but anything in “external” storage can be read by anyone!

Insecure TLS usage
• Always TLS v1.2!
  ◦ TLS v1.1 is acceptable… but don’t!
• Disable SSL v2 and SSL v3, disable RC4
• Use OkHttp!!1!1!
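The “Insecure TLS usage” slide asks for TLS 1.2 only, with SSLv2/SSLv3 and RC4 disabled, and recommends OkHttp. As an added example that is not part of the deck, this Java snippet configures an OkHttp 3 client that way; the class name StrictTlsClient and the particular cipher-suite list are my choices, not the author’s.

```java
import java.io.IOException;
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

public final class StrictTlsClient {

    // Start from MODERN_TLS (no SSLv2/SSLv3, no RC4 in OkHttp 3) and then
    // pin the protocol to TLS 1.2 only, so TLS 1.0/1.1 are not negotiated.
    // The cipher suites below are all ECDHE (forward secrecy) + AES-GCM;
    // this selection is an assumption of the example, not the deck's.
    static ConnectionSpec strictSpec() {
        return new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();
    }

    // A single ConnectionSpec means there is no fallback: if the server or
    // the platform cannot do TLS 1.2 with these suites, the connection fails
    // instead of silently downgrading. Note that OkHttp's default spec list
    // also contains CLEARTEXT, which is deliberately left out here.
    static OkHttpClient client() {
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(strictSpec()))
                .build();
    }

    // Usage: hypothetical endpoint, only to show the client in action.
    public static void main(String[] args) throws IOException {
        Request request = new Request.Builder()
                .url("https://api.example.invalid/v1/ping")
                .build();
        try (Response response = client().newCall(request).execute()) {
            System.out.println("HTTP " + response.code()
                    + " over " + response.handshake().tlsVersion());
        }
    }
}
```

On Android, TLS 1.2 is enabled for clients by default only from API 20 onward; on older devices this configuration refuses to connect rather than downgrade, which is the behaviour the slide is asking for.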
Please break your own systems
• Please!
• Pay for it!

fin