Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Stop the security theater!

Avatar for Pratul Kalia Pratul Kalia
October 07, 2017
Programming
0
280

Stop the security theater!

Avatar for Pratul Kalia

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
Avatar for Pratul Kalia pratul
2
42
Reldex: measuring the effectiveness of your app release process
Avatar for Pratul Kalia pratul
0
19
Simplifying Software Estimation
Avatar for Pratul Kalia pratul
1
250
Effective and efficient mobile engineering
Avatar for Pratul Kalia pratul
0
190
Designing future-proof Android applications
Avatar for Pratul Kalia pratul
0
180
Android - an introduction for developers
Avatar for Pratul Kalia pratul
3
250
Semantic Content Repositories
Avatar for Pratul Kalia pratul
1
160
How To Become A Hacker
Avatar for Pratul Kalia pratul
3
310

Other Decks in Programming

See All in Programming
著者と進める!『AIと個人開発したくなったらまずCursorで要件定義だ!』
Avatar for yasuna yasunacoffee
0
120
Evolving NEWT’s TypeScript Backend for the AI-Driven Era
Avatar for Rodrigo Ramirez xpromx
0
270
UIデザインに役立つ 2025年の最新CSS / The Latest CSS for UI Design 2025
Avatar for IKEDA Yasunobu clockmaker
17
6.7k
DSPy Meetup Tokyo #1 - はじめてのDSPy
Avatar for Masahiro Nishimi masahiro_nishimi
1
150
無秩序からの脱却 / Emergence from chaos
Avatar for nrs nrslib
2
12k
ハイパーメディア駆動アプリケーションとIslandアーキテクチャ: htmxによるWebアプリケーション開発と動的UIの局所的適用
Avatar for Ryota Nakamura nowaki28
0
340
20251127_ぼっちのための懇親会対策会議
Avatar for kokamoto01 kokamoto01_metaps
2
410
Querying Design System デザインシステムの意思決定を支える構造検索
Avatar for ikuma-t ikumatadokoro
1
1.2k
AIコーディングエージェント(Manus)
Avatar for kondai kondai24
0
130
[堅牢.py #1] テストを書かない研究者に送る、最初にテストを書く実験コード入門 / Let's start your ML project by writing tests
Avatar for Shunsuke KITADA shunk031
11
6.9k
Herb to ReActionView: A New Foundation for the View Layer @ San Francisco Ruby Conference 2025
Avatar for Marco Roth marcoroth
0
240
MAP, Jigsaw, Code Golf 振り返り会 by 関東Kaggler会|Jigsaw 15th Solution
Avatar for s.konishi hasibirok0
0
210

Featured

See All Featured
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.3k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3.2k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Code Review Best Practice
Avatar for Trisha Gee trishagee
73
19k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
8
1.3k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.6k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
73
5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.3k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin