Stop the security theater!

Pratul Kalia

October 07, 2017

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is
  2. “the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”
  3. None
  4. Cost-benefit analysis • Imperative to all security discussions • Security of personal app vs business-critical app
  5. Password rules are pointless • You’re not using a modern password-hashing algorithm • Only length matters!
  6. Do it right! • bcrypt • bcrypt • bcrypt whoops... - zomato
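Slides 5 and 6 boil down to two decisions: the only password rule worth enforcing is a minimum length, and the stored value is a bcrypt hash, never the password. The following is an added example, not code from the deck or the presenter; it assumes the jBCrypt library (org.mindrot:jbcrypt) and a minimum length of 12, which is a chosen value, not one the slides give.

```java
// Added example (not from the deck): length-only password policy plus bcrypt
// hashing and verification. Assumes org.mindrot:jbcrypt is on the classpath.
import org.mindrot.jbcrypt.BCrypt;

public final class Passwords {
    // The one rule that matters. 12 is an assumption; set it from your own cost-benefit analysis.
    private static final int MIN_LENGTH = 12;
    // bcrypt work factor (2^COST rounds). Raise it as hardware gets faster.
    private static final int COST = 12;
    // bcrypt only consumes the first 72 bytes of the password; longer input is silently ignored.
    private static final int BCRYPT_MAX_BYTES = 72;

    /** Length-only policy: no composition rules, no "must contain a symbol". */
    public static boolean isAcceptable(String password) {
        if (password == null) return false;
        // Count code points so non-ASCII passphrases are not penalised.
        return password.codePointCount(0, password.length()) >= MIN_LENGTH;
    }

    /** Hash for storage. gensalt() embeds a fresh random salt, so no separate salt column is needed. */
    public static String hash(String password) {
        if (!isAcceptable(password)) {
            throw new IllegalArgumentException("password shorter than " + MIN_LENGTH);
        }
        if (password.getBytes(java.nio.charset.StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES) {
            // Reject rather than let bcrypt truncate without telling the user.
            throw new IllegalArgumentException("password longer than " + BCRYPT_MAX_BYTES + " bytes");
        }
        return BCrypt.hashpw(password, BCrypt.gensalt(COST));
    }

    /** Verify a login attempt against the stored hash; constant-time inside checkpw. */
    public static boolean verify(String password, String storedHash) {
        if (password == null || storedHash == null) return false;
        try {
            return BCrypt.checkpw(password, storedHash);
        } catch (IllegalArgumentException malformedHash) {
            // A stored value that is not a bcrypt string means the row was never hashed properly.
            return false;
        }
    }
}
```

The only column that ever touches the database is the string returned by `hash()`; it already carries the algorithm version, cost and salt, so rotating the cost later only requires re-hashing at the user's next successful login.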
  7. Stop “inventing” your own security practices • Security is very, very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
  8. Don’t try to “save” your API endpoints • Your backend should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
  9. Stop client-side encryption • Don’t place your key under the doormat • Security by obscurity is weak whoops... - “Double encryption!”
  10. Anything part of your APK can be read • This includes all API keys • … access tokens • … anything else hard-coded
  11. Auth token in SharedPreferences • No problems! • Other apps on the system cannot read your app’s data
  12. Data you don’t have, cannot be stolen • Store user data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
  13. What about rooted devices? • All. • bets. • are. • off.
  14. Remember alternate attack vectors • Bribe a security guard? • Bribe an employee?
  15. Time for something real.
  16. Insecure data storage • Anything in “private” storage cannot be read by other apps in the system • … but anything in “external” storage can be read by anyone!
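Slides 10, 11 and 16 together describe where an Android app may keep a secret: not compiled into the APK, not on external storage, but in app-private storage such as MODE_PRIVATE SharedPreferences or the directory returned by getFilesDir(). The following is an added example and not the deck's or the presenter's code; the preference-file name, key name and the idea of a server-issued per-user token are assumptions, and the protection it relies on is the per-app sandbox, which (slide 13) does not hold on a rooted device.

```java
// Added example (not from the deck): app-private vs. world-readable storage on Android.
// Assumes an Android Context and a token the backend issued after the user logged in.
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class SecretStorage {
    private static final String PREFS_NAME = "auth";        // assumption
    private static final String KEY_TOKEN = "access_token"; // assumption

    // DON'T: a string constant ships inside the APK, and anyone who downloads the APK can read it.
    // private static final String API_KEY = "REPLACE-WITH-NOTHING-THIS-IS-THE-ANTI-PATTERN";

    // DO: keep a revocable, per-user token that the server handed out after authentication.
    // MODE_PRIVATE makes the XML file readable only by this app's uid (MODE_WORLD_READABLE is
    // deprecated precisely because it hands the file to every other app).
    public static void saveToken(Context ctx, String token) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    public static String loadToken(Context ctx) {
        return ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
                  .getString(KEY_TOKEN, null);
    }

    /** Forget the token on logout; a token that is gone cannot be stolen later. */
    public static void clearToken(Context ctx) {
        ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE).edit().remove(KEY_TOKEN).apply();
    }

    // DO: getFilesDir() is inside the app's private sandbox, same protection as MODE_PRIVATE.
    public static File writePrivateFile(Context ctx, String name, String contents) throws IOException {
        File f = new File(ctx.getFilesDir(), name);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(contents.getBytes(StandardCharsets.UTF_8));
        }
        return f;
    }

    // DON'T: external storage is shared. Any app holding READ_EXTERNAL_STORAGE, or a USB cable,
    // can read it. Shown only to make the contrast explicit; never call this with user data.
    public static File externalPathForComparisonOnly(String name) {
        return new File(Environment.getExternalStorageDirectory(), name);
    }
}
```

The token in `saveToken()` is worth less to a thief than a hard-coded API key because the backend can expire or revoke it per user, which is the point of slide 8: the server, not the client, decides what a request is allowed to do.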
  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1 is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
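Slide 17's advice expressed as an OkHttp 3 client: a single ConnectionSpec that allows TLS 1.2 only, with an explicit cipher-suite list in which SSLv2, SSLv3 and RC4 simply do not appear. This is an added example, not the deck's or the presenter's code; it assumes the com.squareup.okhttp3 artifact and a platform whose SSLSocketFactory can actually negotiate TLS 1.2 (older Android releases ship it disabled by default, in which case this spec fails the handshake rather than silently downgrading).

```java
// Added example (not from the deck): OkHttp 3 client pinned to TLS 1.2 and modern suites.
// Assumes okhttp3 on the classpath. The cipher-suite choice is an assumption, not the slide's.
import java.io.IOException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

public final class SecureHttp {

    /** Builds a client that refuses anything other than TLS 1.2 with AEAD, forward-secret suites. */
    public static OkHttpClient client() {
        ConnectionSpec tls12Only = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                // TLS 1.1 would be TlsVersion.TLS_1_1; it is deliberately left out.
                .tlsVersions(TlsVersion.TLS_1_2)
                // Whitelisting suites is how SSLv3-era and RC4 suites get excluded: they are not listed.
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();

        return new OkHttpClient.Builder()
                // A single spec: no COMPATIBLE_TLS fallback and no CLEARTEXT, so an http:// URL
                // fails instead of leaking the request in plain text.
                .connectionSpecs(Collections.singletonList(tls12Only))
                .connectTimeout(10, TimeUnit.SECONDS)
                .readTimeout(30, TimeUnit.SECONDS)
                .build();
    }

    /** Fetch a URL over the hardened client and return the body as text. */
    public static String fetch(String httpsUrl) throws IOException {
        Request request = new Request.Builder().url(httpsUrl).build();
        try (Response response = client().newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("HTTP " + response.code());
            }
            return response.body().string();
        }
    }
}
```

Build the client once and reuse it; OkHttp shares its connection pool per client instance, and building a new one per request discards that. Certificate pinning (CertificatePinner) can be layered on top against MITM, but as slide 8 says it does nothing about a rogue client, so the server still has to validate every request on its own.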
  18. Please break your own systems • Please! • Pay for it!
  19. fin