Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
0
270

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
40
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
15
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
240
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
180
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
160
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
240
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
150
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
300

Other Decks in Programming

See All in Programming
Oracle Database Technology Night 92 Database Connection control FAN-AC
Avatar for oracle4engineer oracle4engineer
PRO
1
460
奥深くて厄介な「改行」と仲良くなる20分
Avatar for おぐえもん oguemon
1
550
Android端末で実現するオンデバイスLLM 2025
Avatar for Masayuki Suda masayukisuda
1
160
AIでLINEスタンプを作ってみた
Avatar for kmuto eycjur
1
230
もうちょっといいRubyプロファイラを作りたい (2025)
Avatar for osyoyu osyoyu
1
450
250830 IaCの選定~AWS SAMのLambdaをECSに乗り換えたときの備忘録~
Avatar for Takumi Abe east_takumi
0
400
スケールする組織の実現に向けた インナーソース育成術 - ISGT2025
Avatar for teamLab teamlab
PRO
1
120
GitHubとGitLabと AWS CodePipelineで CI/CDを組み比べてみた
Avatar for Satoshi Kaneyasu satoshi256kbyte
4
240
意外と簡単!?フロントエンドでパスキー認証を実現する WebAuthn
Avatar for teamLab teamlab
PRO
2
770
MCPでVibe Working。そして、結局はContext Eng(略)/ Working with Vibe on MCP And Context Eng
Avatar for r-kagaya rkaga
5
2.3k
go test -json そして testing.T.Attr / Kyoto.go #63
Avatar for utagawa kiki utgwkk
3
310
Amazon RDS 向けに提供されている MCP Server と仕組みを調べてみた/jawsug-okayama-2025-aurora-mcp
Avatar for Takahashi Ikki takahashiikki
1
110

Featured

See All Featured
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
580
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
231
18k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7.1k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.6k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
31
2.2k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
26
1.9k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
70
4.8k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
59
9.5k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
431
66k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin