Stop the security theater!
Pratul Kalia
October 07, 2017
Transcript
Stop the security theater!
Pratul Kalia (@prxtl) uncommon.is
"the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it."
Cost-benefit analysis
• Imperative to all security discussions
• Security of a personal app vs a business-critical app
Password rules are pointless
• Complexity rules don't help when you're not using a modern password-hashing algorithm
• Only length matters!

Do it right!
• bcrypt
• bcrypt
• bcrypt
whoops... - zomato
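The two slides above reduce to one rule on the server: enforce length, nothing else, and hash with bcrypt. The following is an added example, not code from the talk. It assumes the jBCrypt library (org.mindrot:jbcrypt) is on the classpath; the class name, the minimum length of 12 and the work factor of 12 are this example's own choices. The one caveat a length-only policy needs is also in the code: bcrypt ignores everything after 72 bytes, so a very long password must be rejected (or pre-hashed) rather than silently truncated.

```java
// Added example (not from the talk): a length-only password policy plus bcrypt hashing.
// Assumes the jBCrypt library (org.mindrot:jbcrypt:0.4) is on the classpath; the policy
// numbers and class name are this example's own choices, not the speaker's.
import java.nio.charset.StandardCharsets;
import org.mindrot.jbcrypt.BCrypt;

public final class PasswordPolicy {
    // Length is the only composition rule enforced.
    static final int MIN_LENGTH = 12;
    // bcrypt silently ignores everything after 72 bytes, so a longer password
    // must be rejected (or pre-hashed) rather than accepted and truncated.
    static final int BCRYPT_MAX_BYTES = 72;
    // Work factor: 2^12 rounds. Raise it as hardware gets faster.
    static final int COST = 12;

    public static boolean isAcceptable(String password) {
        if (password == null) return false;
        int bytes = password.getBytes(StandardCharsets.UTF_8).length;
        return password.length() >= MIN_LENGTH && bytes <= BCRYPT_MAX_BYTES;
    }

    /** Hashes a policy-conforming password; the salt and cost are embedded in the result. */
    public static String hash(String password) {
        if (!isAcceptable(password)) {
            throw new IllegalArgumentException("password rejected by length policy");
        }
        return BCrypt.hashpw(password, BCrypt.gensalt(COST));
    }

    /** Constant-time comparison is done inside jBCrypt; a malformed stored hash is a failed login. */
    public static boolean verify(String password, String storedHash) {
        if (password == null || storedHash == null) return false;
        try {
            return BCrypt.checkpw(password, storedHash);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple"; // constructed sample input
        String stored = hash(pw);
        System.out.println("stored hash: " + stored);
        System.out.println("same password verifies: " + verify(pw, stored));
        // 11 characters: rejected by the length rule alone, however "complex" it looks.
        System.out.println("Tr0ub4dor&3 acceptable: " + isAcceptable("Tr0ub4dor&3"));
        System.out.println("Tr0ub4dor&3 verifies: " + verify("Tr0ub4dor&3", stored));
    }
}
```

The stored string carries its own salt and cost (`$2a$12$...`), so raising COST later only requires re-hashing at the user's next successful login; no separate salt column is needed.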
Stop "inventing" your own security practices
• Security is very, very hard to get right
• You're not that smart!
• It is easier to do the known right thing than to know what you're doing wrong
Don't try to "save" your API endpoints
• Your backend should not be affected by a rogue client
• Assume MITM all the way
• Certificate pinning does not solve this: the attacker controls the client, so the pin is theirs to remove
whoops... - "Basic HTTP auth over TLS"
Stop client-side encryption
• Don't place your key under the doormat
• Security by obscurity is weak
whoops... - "Double encryption!"
Anything that is part of your APK can be read
• This includes all API keys
• ... access tokens
• ... anything else hard-coded
Auth token in SharedPreferences
• No problems!
• Other apps on the system cannot read your app's private data (as long as the preferences are created with MODE_PRIVATE and the device is not rooted; see below)
Data you don't have cannot be stolen
• Store user data with the utmost caution
• You're a user too!
example... - "Who else in my Contacts uses this app?"
What about rooted devices?
• All. bets. are. off.
Remember alternate attack vectors
• Bribe a security guard?
• Bribe an employee?
Time for something real.
Insecure data storage
• Anything in "private" (internal) storage cannot be read by other apps on the system
• ... but anything in "external" storage can be read by anyone!
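The SharedPreferences slide and the storage slide are the same lesson: where a token lands on disk decides who can read it. The following is an added example, not code from the talk, written against the Android SDK; it assumes an application `Context` and uses its own file and preference names. The private-storage paths are the ones the talk calls safe; the last method is the "external storage" mistake, kept only for contrast.

```java
// Added example (not from the talk): the location of a stored token decides who can read it.
// Assumes an Android Context; preference and file names are this example's own choices.
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class TokenStore {
    private static final String PREFS = "auth";
    private static final String KEY_TOKEN = "access_token";

    /**
     * Private app storage (/data/data/<package>/shared_prefs): readable only by this app's
     * Linux uid, plus root. MODE_PRIVATE is the only mode worth using; MODE_WORLD_READABLE was
     * deprecated in API 17 and throws a SecurityException from API 24 onward.
     */
    public static void save(Context ctx, String token) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    public static String load(Context ctx) {
        return ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).getString(KEY_TOKEN, null);
    }

    public static void clear(Context ctx) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit().remove(KEY_TOKEN).apply();
    }

    /** Same sandbox for plain files: openFileOutput writes under the app's private files dir. */
    public static void saveToPrivateFile(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("token.txt", Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    /**
     * The "whoops" version: shared external storage. Any app holding the storage permission
     * (and on older releases, any app at all) can read this file, and so can anyone who mounts
     * the device over USB. Shown only for contrast; do not ship it.
     */
    public static void saveToExternalStorageDoNotDoThis(String token) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), "token.txt");
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

`getExternalFilesDir()` is not a fix: it is still external storage and still readable by other apps with the storage permission on older Android versions. A token only needs to live in the private sandbox; if the device is rooted, nothing on the filesystem is safe anyway, which is the next slide.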
Insecure TLS usage
• Always TLS v1.2! (TLS 1.3 has since been standardized and is preferred where the platform supports it)
◦ TLS v1.1 is acceptable... but don't!
• Disable SSL v2 and SSL v3, disable RC4
• Use OkHttp!!1!1!
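With OkHttp the whole slide is one `ConnectionSpec`. The example below is added here and is not the speaker's code; it assumes OkHttp 3.x (com.squareup.okhttp3:okhttp) and the specific cipher suite list is this example's choice, not something the talk prescribes.

```java
// Added example (not from the talk): restrict the TLS versions and cipher suites OkHttp negotiates.
// Assumes OkHttp 3.x (com.squareup.okhttp3:okhttp); the cipher suite list is this example's choice.
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

public final class StrictTlsClient {
    public static OkHttpClient build() {
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                // TLS 1.2 only: no TLS 1.1/1.0, no SSLv3, no SSLv2Hello.
                .tlsVersions(TlsVersion.TLS_1_2)
                // Forward-secret AEAD suites only: RC4, CBC-with-MAC and RSA key exchange are out.
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
                .build();

        // Only one spec, and it is not CLEARTEXT: a plain http:// URL fails instead of
        // silently downgrading, and a server that cannot meet the spec gets no connection.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(spec))
                .build();
    }
}
```

OkHttp can only offer what the platform's SSLSocket supports; on old Android releases TLS 1.2 is not enabled by default, so test the minimum API level you ship to. On a newer OkHttp, `TlsVersion.TLS_1_3` can be added to `tlsVersions(...)` alongside TLS 1.2 once the target platform provides it.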
Please break your own systems
• Please!
• Pay for it!
fin