Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
0
300

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
43
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
28
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
260
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
200
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
180
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
260
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
170
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
310

Other Decks in Programming

See All in Programming
Ruby x Terminal
Avatar for Akira Matsuda a_matsuda
5
550
Go 1.26でのsliceのメモリアロケーション最適化 / Go 1.26 リリースパーティ #go126party
Avatar for mazrean mazrean
1
320
Claude Codeと2つの巻き戻し戦略 / Two Rewind Strategies with Claude Code
Avatar for 果物リン fruitriin
0
200
「やめとこ」がなくなった — 1月にZennを始めて22本書いた AI共創開発のリアル
Avatar for atani atani14
0
340
Railsの気持ちを考えながらコントローラとビューを整頓する/tidying-rails-controllers-and-views-as-rails-think
Avatar for MOROHASHI Kyosuke moro
4
360
AIとペアプロして処理時間を97%削減した話 #pyconshizu
Avatar for Kashun Yoshida kashewnuts
1
180
AIに仕事を丸投げしたら、本当に楽になれるのか
Avatar for ディップ株式会社 dip_tech
PRO
0
170
go directiveを最新にしすぎないで欲しい話──あるいは、Go 1.26からgo mod initで作られるgo directiveの値が変わる話 / Go 1.26 リリースパーティ
Avatar for Arthur arthur1
2
420
TipKitTips
Avatar for Ryomm ktcryomm
0
150
New in Go 1.26 Implementing go fix in product development
Avatar for sunecosuri sunecosuri
0
120
登壇資料を作る時に意識していること #登壇資料_findy
Avatar for konifar konifar
5
2.1k
Claude Code、ちょっとした工夫で開発体験が変わる
Avatar for Toranosuke Minamikawa tigertora7571
0
190

Featured

See All Featured
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
2.3k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
It's Worth the Effort
Avatar for 3n 3n
188
29k
Agile Actions for Facilitating Distributed Teams - ADO2019
Avatar for Mark Kilby mkilby
0
140
How to make the Groovebox
Avatar for あそなす asonas
2
2k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
0
380
Design in an AI World
Avatar for tapps tapps
0
160
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.2k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3.3k
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
Avatar for Ines Montani inesmontani
PRO
3
2.1k
Scaling GitHub
Avatar for Zach Holman holman
464
140k
The #1 spot is gone: here's how to win anyway
Avatar for Tamara Novitovic tamaranovitovic
2
970

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin