Stop the security theater!

Stop the security theater! pratul kalia @prxtl uncommon.is

“the practice of investing in countermeasures intended to provide the
feeling of improved security while doing little or nothing to achieve it.”

Cost-benefit analysis • Imperative to all security discussions • Security
of personal app vs business-critical app

Password rules are pointless • You’re not using a modern
password-hashing algorithm • Only length matters!

Do it right! • bcrypt • bcrypt • bcrypt whoops...
- zomato

Stop “inventing” your own security practices • Security is very,
very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

Don’t try to “save” your API endpoints • Your backend
should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

Stop client-side encryption • Don’t place your key under the
doormat • Security by obscurity is weak whoops... - “Double encryption!”

Anything part of your APK can be read • This
includes all API keys • … access tokens • … anything else hard-coded

Auth token in SharedPreferences • No problems! • Other apps
on the system cannot read your app’s data

Data you don’t have, cannot be stolen • Store user
data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

What about rooted devices? • All. • bets. • are.
• off.

Remember alternate attack vectors • Bribe a security guard? •
Bribe an employee?

Time for something real.

Insecure data storage • Anything in “private” storage cannot be
read by other apps in the system • … but anything in “external” storage can be read by anyone!

Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1
is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

Please break your own systems • Please! • Pay for
it!

Stop the security theater!

Stop the security theater!

Pratul Kalia

More Decks by Pratul Kalia

Other Decks in Programming

Featured

Transcript

Stop the security theater! pratul kalia @prxtl uncommon.is

“the practice of investing in countermeasures intended to provide the

Cost-benefit analysis • Imperative to all security discussions • Security

Password rules are pointless • You’re not using a modern

Do it right! • bcrypt • bcrypt • bcrypt whoops...

Stop “inventing” your own security practices • Security is very,

Don’t try to “save” your API endpoints • Your backend

Stop client-side encryption • Don’t place your key under the

Anything part of your APK can be read • This

Auth token in SharedPreferences • No problems! • Other apps

Data you don’t have, cannot be stolen • Store user

What about rooted devices? • All. • bets. • are.

Remember alternate attack vectors • Bribe a security guard? •

Time for something real.

Insecure data storage • Anything in “private” storage cannot be

Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

Please break your own systems • Please! • Pay for

fin