$30 off During Our Annual Pro Sale. View Details »

Stop the security theater!

Pratul Kalia
October 07, 2017
Programming
0
210

Stop the security theater!

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
Simplifying Software Estimation
pratul
0
110
Effective and efficient mobile engineering
pratul
0
100
Designing future-proof Android applications
pratul
0
98
Android - an introduction for developers
pratul
3
190
Semantic Content Repositories
pratul
1
74
How To Become A Hacker
pratul
3
280

Other Decks in Programming

See All in Programming
技術書を読む技術(JJUG CCC 2023 Fall)
yonetty
1
270
未定義動作でFizz Buzz / Undefined Fizz Buzz
kaityo256
PRO
1
330
Next.js App Router での MPA フロントエンド刷新
mugi_uno
28
9.4k
Bun がメジャーリリースされたけど、本当にBun はNode.js に取って代わるのか?をAWS Lambda で検証してみた
smt7174
1
2.1k
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | DevFest Berlin 23
prof18
0
230
「defineCustomElement」を活用した サービス共通のUIコンポーネントライブラリ
piyoppi
0
230
DIY Python Debugger
parttimenerd
0
960
ポイントサービス設計の異常な挑戦 または我々は如何にして心配するのを止めてドメイン駆動設計を愛するようになったか - NIFTY Tech Day 2023
niftycorp
0
130
個人から始める開発生産性向上
takamin55
1
220
Expo Router は Expo 導入の決め手となるか フロントエンドカンファレンス沖縄2023 @Kaito-Dogi
doggy
3
1.7k
クソアプリを作ってみた💩 / kusojaku
uhooi
0
180
The Secret Ingredient: How to Understand and Resolve Just about Any Flaky Test
aridlehoover
PRO
1
240

Featured

See All Featured
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
Adopting Sorbet at Scale
ufuk
66
8.2k
Three Pipe Problems
jasonvnalue
89
9.3k
Music & Morning Musume
bryan
38
5.2k
Facilitating Awesome Meetings
lara
37
5.2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
645
57k
BBQ
matthewcrist
76
8.5k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Statistics for Hackers
jakevdp
788
220k
Designing Experiences People Love
moore
133
23k
Practical Orchestrator
shlominoach
179
9.4k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.3k

Transcript

  1. Stop the security theater!
    pratul kalia
    @prxtl
    uncommon.is

    View Slide

  2. “the practice of investing in
    countermeasures intended to provide the
    feeling of improved security while doing
    little or nothing to achieve it.”

    View Slide

  3. View Slide

  4. Cost-benefit analysis
    ● Imperative to all security discussions
    ● Security of personal app vs business-critical app

    View Slide

  5. Password rules are pointless
    ● You’re not using a modern password-hashing algorithm
    ● Only length matters!

    View Slide

  6. Do it right!
    ● bcrypt
    ● bcrypt
    ● bcrypt
    whoops...
    - zomato

    View Slide

  7. Stop “inventing” your own security practices
    ● Security is very, very hard to get right
    ● You’re not that smart!
    ● It is easier to do the known right thing... than to know
    what you’re doing wrong

    View Slide

  8. Don’t try to “save” your API endpoints
    ● Your backend should not get affected by a rogue client
    ● MITM all the way
    ● Certificate pinning does not solve this!
    whoops...
    - “Basic HTTP auth over TLS”

    View Slide

  9. Stop client-side encryption
    ● Don’t place your key under the doormat
    ● Security by obscurity is weak
    whoops...
    - “Double encryption!”

    View Slide

  10. Anything part of your APK can be read
    ● This includes all API keys
    ● … access tokens
    ● … anything else hard-coded

    View Slide

  11. Auth token in SharedPreferences
    ● No problems!
    ● Other apps on the system cannot read your app’s data

    View Slide

  12. Data you don’t have, cannot be stolen
    ● Store user data with utmost caution
    ● You’re a user too!
    example...
    - “Who else in my Contacts uses this app?”

    View Slide

  13. What about rooted devices?
    ● All.
    ● bets.
    ● are.
    ● off.

    View Slide

  14. Remember alternate attack vectors
    ● Bribe a security
    guard?
    ● Bribe an employee?

    View Slide

  15. Time for something real.

    View Slide

  16. Insecure data storage
    ● Anything in “private” storage cannot be read by other
    apps in the system
    ● … but anything in “external” storage can be read by
    anyone!

    View Slide

  17. Insecure TLS usage
    ● Always TLS v1.2!
    ○ TLS v1.1 is acceptable… but don’t!
    ● Disable SSL v2 and SSL v3, disable RC4
    ● Use OkHttp!!1!1!

    View Slide

  18. Please break your own systems
    ● Please!
    ● Pay for it!

    View Slide

  19. fin

    View Slide