Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Stop the security theater!
Search
Pratul Kalia
October 07, 2017
Programming
0
290
Stop the security theater!
Pratul Kalia
October 07, 2017
Tweet
Share
More Decks by Pratul Kalia
See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
43
Reldex: measuring the effectiveness of your app release process
pratul
0
26
Simplifying Software Estimation
pratul
1
260
Effective and efficient mobile engineering
pratul
0
190
Designing future-proof Android applications
pratul
0
180
Android - an introduction for developers
pratul
3
260
Semantic Content Repositories
pratul
1
170
How To Become A Hacker
pratul
3
310
Other Decks in Programming
See All in Programming
CSC307 Lecture 05
javiergs
PRO
0
490
インターン生でもAuth0で 認証基盤刷新が出来るのか
taku271
0
190
2年のAppleウォレットパス開発の振り返り
muno92
PRO
0
200
Oxlintはいいぞ
yug1224
5
1.2k
コントリビューターによるDenoのすゝめ / Deno Recommendations by a Contributor
petamoriken
0
200
humanlayerのブログから学ぶ、良いCLAUDE.mdの書き方
tsukamoto1783
0
170
re:Invent 2025 トレンドからみる製品開発への AI Agent 活用
yoskoh
0
710
フロントエンド開発の勘所 -複数事業を経験して見えた判断軸の違い-
heimusu
7
2.7k
0→1 フロントエンド開発 Tips🚀 #レバテックMeetup
bengo4com
0
530
公共交通オープンデータ × モバイルUX 複雑な運行情報を 『直感』に変換する技術
tinykitten
PRO
0
200
Grafana:建立系統全知視角的捷徑
blueswen
0
320
メルカリのリーダビリティチームが取り組む、AI時代のスケーラブルな品質文化
cloverrose
2
510
Featured
See All Featured
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
9.5k
Leo the Paperboy
mayatellez
4
1.4k
A better future with KSS
kneath
240
18k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
55k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
1.5k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
400
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.3k
How to Talk to Developers About Accessibility
jct
2
120
Test your architecture with Archunit
thirion
1
2.1k
Google's AI Overviews - The New Search
badams
0
900
4 Signs Your Business is Dying
shpigford
187
22k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
Transcript
Stop the security theater! pratul kalia @prxtl uncommon.is
“the practice of investing in countermeasures intended to provide the
feeling of improved security while doing little or nothing to achieve it.”
None
Cost-benefit analysis • Imperative to all security discussions • Security
of personal app vs business-critical app
Password rules are pointless • You’re not using a modern
password-hashing algorithm • Only length matters!
Do it right! • bcrypt • bcrypt • bcrypt whoops...
- zomato
Stop “inventing” your own security practices • Security is very,
very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints • Your backend
should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”
Stop client-side encryption • Don’t place your key under the
doormat • Security by obscurity is weak whoops... - “Double encryption!”
Anything part of your APK can be read • This
includes all API keys • … access tokens • … anything else hard-coded
Auth token in SharedPreferences • No problems! • Other apps
on the system cannot read your app’s data
Data you don’t have, cannot be stolen • Store user
data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”
What about rooted devices? • All. • bets. • are.
• off.
Remember alternate attack vectors • Bribe a security guard? •
Bribe an employee?
Time for something real.
Insecure data storage • Anything in “private” storage cannot be
read by other apps in the system • … but anything in “external” storage can be read by anyone!
Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1
is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!
Please break your own systems • Please! • Pay for
it!
fin
pratul
javiergs
taku271
muno92
yug1224
petamoriken
tsukamoto1783
yoskoh
heimusu
bengo4com
tinykitten
blueswen
cloverrose
aleyda
mayatellez
kneath
aki_iinuma
addyosmani
marktimemedia
ipullrank
jct
thirion
badams
shpigford
chriscoyier
