Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Stop the security theater!
Search
Pratul Kalia
October 07, 2017
Programming
0
270
Stop the security theater!
Pratul Kalia
October 07, 2017
Tweet
Share
More Decks by Pratul Kalia
See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
40
Reldex: measuring the effectiveness of your app release process
pratul
0
15
Simplifying Software Estimation
pratul
1
240
Effective and efficient mobile engineering
pratul
0
180
Designing future-proof Android applications
pratul
0
160
Android - an introduction for developers
pratul
3
240
Semantic Content Repositories
pratul
1
150
How To Become A Hacker
pratul
3
300
Other Decks in Programming
See All in Programming
MCPでVibe Working。そして、結局はContext Eng(略)/ Working with Vibe on MCP And Context Eng
rkaga
5
2.2k
OSS開発者という働き方
andpad
5
1.7k
Kiroで始めるAI-DLC
kaonash
2
580
Navigating Dependency Injection with Metro
zacsweers
3
240
Ruby Parser progress report 2025
yui_knk
1
430
はじめてのMaterial3 Expressive
ym223
2
260
奥深くて厄介な「改行」と仲良くなる20分
oguemon
1
520
Tool Catalog Agent for Bedrock AgentCore Gateway
licux
6
2.4k
アセットのコンパイルについて
ojun9
0
120
RDoc meets YARD
okuramasafumi
4
170
ProxyによるWindow間RPC機構の構築
syumai
3
1.2k
JSONataを使ってみよう Step Functionsが楽しくなる実践テクニック #devio2025
dafujii
1
520
Featured
See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
112
20k
Building an army of robots
kneath
306
46k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.1k
GraphQLの誤解/rethinking-graphql
sonatard
72
11k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.5k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Agile that works and the tools we love
rasmusluckow
330
21k
How STYLIGHT went responsive
nonsquared
100
5.8k
GitHub's CSS Performance
jonrohan
1032
460k
Transcript
Stop the security theater! pratul kalia @prxtl uncommon.is
“the practice of investing in countermeasures intended to provide the
feeling of improved security while doing little or nothing to achieve it.”
None
Cost-benefit analysis • Imperative to all security discussions • Security
of personal app vs business-critical app
Password rules are pointless • You’re not using a modern
password-hashing algorithm • Only length matters!
Do it right! • bcrypt • bcrypt • bcrypt whoops...
- zomato
Stop “inventing” your own security practices • Security is very,
very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints • Your backend
should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
Stop client-side encryption • Don’t place your key under the
doormat • Security by obscurity is weak whoops... - “Double encryption!”
Anything part of your APK can be read • This
includes all API keys • … access tokens • … anything else hard-coded
Auth token in SharedPreferences • No problems! • Other apps
on the system cannot read your app’s data
Data you don’t have, cannot be stolen • Store user
data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
What about rooted devices? • All. • bets. • are.
• off.
Remember alternate attack vectors • Bribe a security guard? •
Bribe an employee?
Time for something real.
Insecure data storage • Anything in “private” storage cannot be
read by other apps in the system • … but anything in “external” storage can be read by anyone!
Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1
is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
Please break your own systems • Please! • Pay for
it!
fin