Stop the security theater!

Pratul Kalia

October 07, 2017
Transcript

  1. Stop the security theater!
    pratul kalia
    @prxtl
    uncommon.is

  2. “the practice of investing in
    countermeasures intended to provide the
    feeling of improved security while doing
    little or nothing to achieve it.”

  3. (image-only slide, no transcript text)

  4. Cost-benefit analysis
    ● Imperative to all security discussions
    ● Security of personal app vs business-critical app

  5. Password rules are pointless
    ● You’re not using a modern password-hashing algorithm
    ● Only length matters!

  6. Do it right!
    ● bcrypt
    ● bcrypt
    ● bcrypt
    whoops...
    - zomato

  7. Stop “inventing” your own security practices
    ● Security is very, very hard to get right
    ● You’re not that smart!
    ● It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints
    ● Your backend should not get affected by a rogue client
    ● MITM all the way
    ● Certificate pinning does not solve this!
    whoops...
    - “Basic HTTP auth over TLS”

  9. Stop client-side encryption
    ● Don’t place your key under the doormat
    ● Security by obscurity is weak
    whoops...
    - “Double encryption!”

  10. Anything part of your APK can be read
    ● This includes all API keys
    ● … access tokens
    ● … anything else hard-coded

  11. Auth token in SharedPreferences
    ● No problems!
    ● Other apps on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen
    ● Store user data with utmost caution
    ● You’re a user too!
    example...
    - “Who else in my Contacts uses this app?”

  13. What about rooted devices?
    ● All.
    ● bets.
    ● are.
    ● off.

  14. Remember alternate attack vectors
    ● Bribe a security guard?
    ● Bribe an employee?

  15. Time for something real.

  16. Insecure data storage
    ● Anything in “private” storage cannot be read by other apps in the system
    ● … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage
    ● Always TLS v1.2!
    ○ TLS v1.1 is acceptable… but don’t!
    ● Disable SSL v2 and SSL v3, disable RC4
    ● Use OkHttp!!1!1!
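    Slide 17 as code, added here as an example and not from the talk: an OkHttp 3 client pinned to TLS 1.2 with forward-secret AEAD cipher suites, shown next to the permissive spec it replaces. Assumes OkHttp 3.x on the classpath; the endpoint URL is a placeholder.

```java
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

public final class StrictTlsClient {

    // Weak: COMPATIBLE_TLS exists for legacy servers and, depending on the
    // OkHttp version, still lets the handshake fall back to TLS 1.0 / 1.1.
    static final ConnectionSpec WEAK_SPEC = ConnectionSpec.COMPATIBLE_TLS;

    // Hardened: TLS 1.2 only, ECDHE key exchange, AES-GCM ciphers.
    // SSLv2, SSLv3 and RC4 are simply absent, so they can never be negotiated.
    static final ConnectionSpec STRICT_SPEC = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
            .tlsVersions(TlsVersion.TLS_1_2)
            .cipherSuites(
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
            .build();

    static OkHttpClient buildClient() {
        // A single spec and no CLEARTEXT entry: OkHttp has nothing weaker to
        // fall back to, so an http:// URL or a TLS 1.0-only server fails the
        // connection instead of silently downgrading it.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(STRICT_SPEC))
                .build();
    }

    public static void main(String[] args) throws Exception {
        Request request = new Request.Builder()
                .url("https://api.example.com/v1/ping") // placeholder endpoint
                .build();
        try (Response response = buildClient().newCall(request).execute()) {
            // handshake() is non-null for HTTPS; log what was actually negotiated
            System.out.println("TLS: " + response.handshake().tlsVersion()
                    + " / " + response.handshake().cipherSuite());
        }
    }
}
```

    Swapping STRICT_SPEC for WEAK_SPEC in buildClient() and re-running against a test server that only offers TLS 1.0 shows the difference: the strict client fails the handshake, the compatible one connects.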

  18. Please break your own systems
    ● Please!
    ● Pay for it!

  19. fin