Stop the security theater!
Pratul Kalia
October 07, 2017
Transcript
Stop the security theater! pratul kalia @prxtl uncommon.is

“the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it.”

Cost-benefit analysis
• Imperative to all security discussions
• Security of personal app vs business-critical app

Password rules are pointless
• You’re not using a modern password-hashing algorithm
• Only length matters!

Do it right!
• bcrypt
• bcrypt
• bcrypt
whoops... - zomato

Stop “inventing” your own security practices
• Security is very, very hard to get right
• You’re not that smart!
• It is easier to do the known right thing... than to know what you’re doing wrong

Don’t try to “save” your API endpoints
• Your backend should not get affected by a rogue client
• MITM all the way
• Certificate pinning does not solve this!
whoops... - “Basic HTTP auth over TLS”

Stop client-side encryption
• Don’t place your key under the doormat
• Security by obscurity is weak
whoops... - “Double encryption!”

Anything part of your APK can be read
• This includes all API keys
• … access tokens
• … anything else hard-coded

Auth token in SharedPreferences
• No problems!
• Other apps on the system cannot read your app’s data

Data you don’t have, cannot be stolen
• Store user data with utmost caution
• You’re a user too!
example... - “Who else in my Contacts uses this app?”

What about rooted devices?
• All. • bets. • are. • off.

Remember alternate attack vectors
• Bribe a security guard?
• Bribe an employee?

Time for something real.

Insecure data storage
• Anything in “private” storage cannot be read by other apps in the system
• … but anything in “external” storage can be read by anyone!

Insecure TLS usage
• Always TLS v1.2!
  ◦ TLS v1.1 is acceptable… but don’t!
• Disable SSL v2 and SSL v3, disable RC4
• Use OkHttp!!1!1!
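The “Insecure TLS usage” slide as an OkHttp client configuration, added here as an example and not code from the deck; it assumes OkHttp 3.x, an illustrative AEAD cipher-suite list and a placeholder host name.

```java
import java.io.IOException;
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.Handshake;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

public final class StrictTlsClient {

    // Only TLS 1.2 is offered, so SSLv2/SSLv3 and TLS 1.0/1.1 can never be negotiated.
    // The suite list is an illustrative AEAD-only selection; nothing RC4-based is in it.
    static final ConnectionSpec TLS12_ONLY = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
            .tlsVersions(TlsVersion.TLS_1_2)
            .cipherSuites(
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
            .build();

    // No CLEARTEXT spec in the list, so a plain http:// URL fails instead of silently downgrading.
    static final OkHttpClient CLIENT = new OkHttpClient.Builder()
            .connectionSpecs(Collections.singletonList(TLS12_ONLY))
            .build();

    // Defensive check of what was actually negotiated; handy in an instrumentation test.
    static void assertStrictHandshake(Response response) {
        Handshake handshake = response.handshake();
        if (handshake == null) {
            throw new IllegalStateException("no TLS handshake: connection was not over TLS");
        }
        if (handshake.tlsVersion() != TlsVersion.TLS_1_2) {
            throw new IllegalStateException("unexpected TLS version " + handshake.tlsVersion());
        }
        if (handshake.cipherSuite().javaName().contains("RC4")) {
            throw new IllegalStateException("weak cipher suite " + handshake.cipherSuite());
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host; replace with the API endpoint under test.
        Request request = new Request.Builder().url("https://example.com/").build();
        try (Response response = CLIENT.newCall(request).execute()) {
            assertStrictHandshake(response);
            System.out.println("negotiated " + response.handshake().tlsVersion());
        }
    }
}
```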
Please break your own systems
• Please!
• Pay for it!

fin