Thick client apps have been around a long time and can still be found in a wide range of businesses. With the hybrid work model of today, thick/fat client apps can be a lucrative target for hackers.
In this blog, we’re giving you a detailed view of thick client applications and their security. Read on to find out the steps involved in testing thick client apps. This blog was written with the help of our Principal Security Consultant, Debasis Mohanty.
What Is Thick Client Penetration Testing?
A thick client, also known as a fat client, is a client application that provides rich functionality independently of the server it talks to over the network. Thick clients can perform the majority of their functions without a live connection to the server. While they do need to connect to the central server periodically, they can work offline and may store resources locally.
A thin client, on the other hand, is a client app or computer that cannot function without a connection to the server. Thin clients do as little processing as possible on their own and depend heavily on the server to process or validate input data every time. Essentially, the thickness of a client refers to the amount of processing it does and the data held on the client device versus the servers it communicates with. As the data and processing increase, so does the thickness of the client app.
Take, for instance, a gaming app that you have on your phone. Most of its functionality is available even when you’re offline. However, to play socially and communicate with other people while playing, you may need to connect to a server. This is an example of a thick client application. Other examples of thick client apps include Google Talk, Yahoo Messenger, and Microsoft Outlook.
Why Ignoring Thick Client Pen Testing Could Be a Major Risk
Thick and thin clients work in different ways, and each has its own benefits and drawbacks. One of the major benefits of using thin clients over thick clients is the security they provide.
Thick client applications come with their own set of security challenges that are different from those of web apps. Unlike web apps, which run in a browser, thick clients run directly on your PC. The browser acts as a sandbox, a container for the app. So if a web app gets compromised, the database may be affected or the systems hosting the servers may be compromised, but not your PC.
If a thick client is compromised, by contrast, attackers can get direct access to your system and any sensitive data stored there. While web apps usually need you to click on a link or download something malicious to get compromised, thick clients can be vulnerable if you merely open a harmful file within the app. Plus, thick clients don’t have the protective buffer that browsers provide, so once they are compromised, the threat can persist until you take specific action to fix it.
Thin clients don’t have locally stored resources or removable media ports, which reduces their risk of malware infection and data loss.
Some of the major security flaws associated with thick clients include:
- Injection attacks;
- Variable and response manipulation;
- Improper error handling;
- Insecure storage;
- Sensitive data disclosure;
- Denial of Service (DoS);
- Improper access control;
- Improper session management;
- Reverse engineering.
Browser-related security flaws don’t apply to thick client apps as they don’t depend on web browsers to function.
The 4 Phases of Thick Client Pen Tests
The penetration testing process for thick clients is carried out in 4 phases.
Static Analysis
Static testing inspects an application’s source, binary, or byte code to identify the root cause of vulnerabilities. Developers can then write less vulnerable code, address the underlying issues and thereby reduce security risk. However, security flaws that lie outside the code cannot be detected through static testing.
Dynamic Analysis
Dynamic analysis uses simulated attacks from the front end to test the application and find vulnerabilities. The test exercises the application as a real attacker would and can identify run-time flaws in the application.
System Testing
The entire, fully integrated software product is validated in a system test. It is a series of tests that evaluates end-to-end system specifications.
Network Analysis
Network analysis details how a hacker can gain access to the system through compromised networks. It provides insight into external vulnerabilities and misconfigurations.
Activities Performed During a Thick Client Penetration Test
Client-side:
- Analysis to identify sensitive content;
- File analysis;
- Binary analysis (decompilation / reverse engineering);
- Memory analysis;
- DLL hijacking vulnerability;
- Insecure client-side GUI controls;
- Insecure file permissions.
Network:
- Man-in-the-middle attacks;
- Transport encryption review;
- Replay attacks.
API / Web Services:
- XML Injection;
- XPath Injection;
- XML Attribute Blow-up Attacks;
- SOAP Array Abuse Attacks;
- XML External Entities Attacks;
- XML Entity Expansion Billion Laughs Attack;
- XML Entity Expansion Quadratic Blow-up Attacks;
- SQL Injection;
- Access Control Bypass;
- Insecure Administrative Interfaces;
- Vulnerable Software;
- Command Injection;
- SMTP Injection;
- Information Leakage;
- Insufficient Automation Protection;
- Insecure SSL Configurations;
- Denial of Service.
Once vulnerabilities are identified, the technical and business risks of each vulnerability are then estimated.
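The XML External Entities and entity expansion items in the API / Web Services list above share one root cause: the service's XML parser honours DOCTYPE and entity declarations. As an added example (not code from the original post or from the consultancy), here is a hardened entry point built only on Python's standard-library expat parser that refuses any document carrying a DTD before it is parsed; the sample documents are constructed for the demonstration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

class UnsafeXML(ValueError):
    """Raised when a document carries a DTD or entity declaration."""

def _preflight(data: bytes) -> None:
    # A bare expat parser whose handlers abort at the first sign of a DTD.
    # DOCTYPE is the only place an XML document can declare entities, so
    # refusing it closes off XXE, billion laughs and quadratic blow-up alike.
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration refused: {name!r}")

    def reject_entity(*_args):
        raise UnsafeXML("entity declaration refused")

    def reject_external(*_args):
        raise UnsafeXML("external entity reference refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.Parse(data, True)  # raises UnsafeXML or ExpatError on bad input

def parse_xml_strict(data: bytes) -> ET.Element:
    """Return the parsed root element, or raise UnsafeXML / ExpatError."""
    _preflight(data)
    return ET.fromstring(data)

def is_safe_xml(data: bytes) -> bool:
    """True if the document is well formed and has no DTD or entity declarations."""
    try:
        _preflight(data)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False
    return True

# Constructed sample messages, as a thick client might send to its web service.
BENIGN_DOC = b'<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'
# Two-level nested entities in the billion-laughs shape (kept tiny on purpose).
LAUGHS_DOC = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaa">'
              b'<!ENTITY b "&a;&a;&a;&a;">]><order>&b;</order>')

if __name__ == "__main__":
    print(parse_xml_strict(BENIGN_DOC).find("id").text)  # 42
    print(is_safe_xml(LAUGHS_DOC))  # False
```

The pre-flight pass costs a second parse of the input, but it rejects DTD-bearing documents before any entity is ever expanded, which is the property a service-side test for these findings should verify.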
Thick Client Security: Common Assumptions and Oversights
Unawareness and Assumptions About In-House Apps
Many large enterprises continue to use legacy apps that haven’t been updated in a long time. They also rely on numerous thick client apps but often overlook the risks these pose because they aren’t regularly tested. There’s a common misconception that in-house developed apps are inherently safe and secure, but this isn’t the case. Any app, even those developed internally, can have security gaps that need to be tested.
"People think that because it's in-house, it's not exposed, it's not widely used outside the company, it's obscure from the outside world and nobody's going to exploit it. That's a wrong assumption," explained Debasis. "If somebody is already part of your network and sees a vulnerable thick client running on everyone's computers, they can access it, reverse-engineer it, and find bugs. And because it's trusted software, you’d have exceptions in your firewall to allow the traffic from this app to get through."
Overlooking Insider Threats
It’s not always the external threats that pose the biggest risk; sometimes it’s someone on the inside. A disgruntled employee or a malicious insider can leave a backdoor in the software when they leave the organization. They can then exploit this backdoor to snoop inside the network.
Lack of Testing for Third-Party Vendor Apps
Enterprises often use third-party apps from various vendors, but they are typically blind to the security protocols of these vendors. Many companies don’t ask for proof of the security of these apps, assuming that the vendor has conducted thorough security testing, especially if the apps are from a popular vendor. However, popularity isn’t an indicator of security. Even widely used apps can have vulnerabilities that need to be thoroughly tested.
Insufficient Tools and Expertise
Thick client penetration testing must be a mix of automated and manual testing. Automated tools lack the capability and sophistication required to fully exploit thick client apps. Relying solely on automated tools won’t provide a complete and accurate picture of the risks.
"There isn't a robust tool yet for thick client pen testing; most of it is done manually," emphasised Debasis. "You need someone to set up the environment for testing, analyze reports, and make conscious decisions based on the findings. Tools just find the obvious. They're missing the human intelligence required to make informed decisions. So, automation must be guided by manual testing and human expertise. Automation can't replace manual testing; it can only complement it."
Looking for Comprehensive Thick Client Pen Testing?
Thick client applications often don't get the security attention they need, with focus usually on web and mobile apps. But these applications can hide serious vulnerabilities that could compromise your entire system.
So don't wait any longer and get your apps tested right now. Our experts specialize in reverse engineering and thick client pen testing, providing thorough security assessments through real-world attack simulations to enhance your threat detection and response.
Still waiting?
Book a demo with us now and discover how we can secure your thick client applications and keep your systems safe!