Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop the security theater!

Pratul Kalia
October 07, 2017
Programming
0
240

Stop the security theater!

Pratul Kalia

October 07, 2017
Tweet

More Decks by Pratul Kalia

See All by Pratul Kalia
The special case of Mobile DevOps
pratul
2
18
Reldex: measuring the effectiveness of your app release process
pratul
0
8
Simplifying Software Estimation
pratul
1
180
Effective and efficient mobile engineering
pratul
0
140
Designing future-proof Android applications
pratul
0
130
Android - an introduction for developers
pratul
3
200
Semantic Content Repositories
pratul
1
100
How To Become A Hacker
pratul
3
290

Other Decks in Programming

See All in Programming
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.2k
CSC509 Lecture 09
javiergs
PRO
0
140
Quine, Polyglot, 良いコード
qnighy
4
640
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
100
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.3k
C++でシェーダを書く
fadis
6
4.1k
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Designing Experiences People Love
moore
138
23k
Building an army of robots
kneath
302
43k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
Producing Creativity
orderedlist
PRO
341
39k
RailsConf 2023
tenderlove
29
900
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Writing Fast Ruby
sferik
627
61k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k

Transcript

  1. Stop the security theater! pratul kalia @prxtl uncommon.is

  2. “the practice of investing in countermeasures intended to provide the

    feeling of improved security while doing little or nothing to achieve it.”
  3. None

  4. Cost-benefit analysis • Imperative to all security discussions • Security

    of personal app vs business-critical app

  5. Password rules are pointless • You’re not using a modern

    password-hashing algorithm • Only length matters!

  6. Do it right! • bcrypt • bcrypt • bcrypt whoops...

    - zomato

  7. Stop “inventing” your own security practices • Security is very,

    very hard to get right • You’re not that smart! • It is easier to do the known right thing... than to know what you’re doing wrong

  8. Don’t try to “save” your API endpoints • Your backend

    should not get affected by a rogue client • MITM all the way • Certificate pinning does not solve this! whoops... - “Basic HTTP auth over TLS”

  9. Stop client-side encryption • Don’t place your key under the

    doormat • Security by obscurity is weak whoops... - “Double encryption!”

  10. Anything part of your APK can be read • This

    includes all API keys • … access tokens • … anything else hard-coded

  11. Auth token in SharedPreferences • No problems! • Other apps

    on the system cannot read your app’s data

  12. Data you don’t have, cannot be stolen • Store user

    data with utmost caution • You’re a user too! example... - “Who else in my Contacts uses this app?”

  13. What about rooted devices? • All. • bets. • are.

    • off.

  14. Remember alternate attack vectors • Bribe a security guard? •

    Bribe an employee?

  15. Time for something real.

  16. Insecure data storage • Anything in “private” storage cannot be

    read by other apps in the system • … but anything in “external” storage can be read by anyone!

  17. Insecure TLS usage • Always TLS v1.2! ◦ TLS v1.1

    is acceptable… but don’t! • Disable SSL v2 and SSL v3, disable RC4 • Use OkHttp!!1!1!

  18. Please break your own systems • Please! • Pay for

    it!

  19. fin