Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
0
260

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
33
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
14
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
230
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
170
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
160
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
240
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
140
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
300

Other Decks in Programming

See All in Programming
AI時代のソフトウェア開発を考える(2025/07版) / Agentic Software Engineering Findy 2025-07 Edition
Avatar for Takuto Wada twada
PRO
76
25k
Node-RED を(HTTP で)つなげる MCP サーバーを作ってみた
Avatar for High U highu
0
120
Hack Claude Code with Claude Code
Avatar for Akihiro Okuno choplin
3
890
PipeCDのプラグイン化で目指すところ
Avatar for Warashi warashi
1
270
PicoRuby on Rails
Avatar for makicamel makicamel
2
130
ruby.wasmで多人数リアルタイム通信ゲームを作ろう
Avatar for lni_T lnit
3
450
新メンバーも今日から大活躍!SREが支えるスケールし続ける組織のオンボーディング
Avatar for HonMarkHunt honmarkhunt
4
6.5k
Is Xcode slowly dying out in 2025?
Avatar for 上ちょ / uetyo uetyo
1
260
Claude Code + Container Use と Cursor で作る ローカル並列開発環境のススメ / ccc local dev
Avatar for Yuichi Maekawa kaelaela
5
2.4k
iOS 26にアップデートすると実機でのHot Reloadができない?
Avatar for Aoi Umigishi umigishiaoi
0
130
すべてのコンテキストを、 ユーザー価値に変える
Avatar for Michiru Kato applism118
3
1.2k
AIエージェントはこう育てる - GitHub Copilot Agentとチームの共進化サイクル
Avatar for Akira Kobori koboriakira
0
510

Featured

See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
810
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
55
5.7k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
28
5.4k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
46
9.6k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
614
210k
A better future with KSS
Avatar for Kyle Neath kneath
239
17k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
Code Review Best Practice
Avatar for Trisha Gee trishagee
69
18k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.7k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin