Thick client applications aren't new, but testing their security isn't as straightforward as web application penetration testing. They are common in enterprises, which rely on thick clients for internal operations.
Large companies are now building more thick client applications than before. This post walks through how a thick client security test is done, so that you can apply it to your own application and make sure it works correctly and safely for its users.
Now let’s begin!
What is a Thick Client Application?
A thick client is an application installed on the user's computer (the client side). It runs on the local machine's own resources: CPU, memory and disk. This means that part of the application's security depends on the machine it is installed on, and that a user (or attacker) who controls that machine can inspect, debug and modify the client and everything it stores.
Thick clients are less suited to public or shared environments. To deploy a thick client, IT has to patch and upgrade every machine it is installed on, rather than upgrading one application on the server. The client also depends on specific software being present on each machine, which adds limitations and deployment work.
Typical examples of thick clients are Yahoo Messenger, G-talk, online trading clients, etc.
Two Tier Client Applications
A two-tier application involves only the client machine and the database server. The client is installed on the user's machine and communicates directly with the server's database. These are usually legacy applications (for example, a VB.Net application that talks to the database directly over ODBC, Open Database Connectivity). Because the client must hold the database connection string, including credentials, a tester who can read the client's configuration, binary or memory can usually connect to the database directly and bypass any access control enforced in the client.
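The quickest check for a two-tier client is to look for the connection string itself. The script below is an added example (not code from the original post, and not from any product it mentions): it pulls printable ASCII and UTF-16LE strings out of a binary blob, the way `strings` does, and reports any that parse as a connection string carrying a password. The sample blob, the server names and the credentials in it are constructed for the example.

```python
import re

# Constructed sample standing in for a two-tier client's binary: one ODBC
# connection string is embedded as UTF-16LE (how .NET stores string literals),
# a second one as plain ASCII (as found in an .ini or app.config).
# None of this comes from a real application.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"padding\x00"
    + "Driver={SQL Server};Server=db01;Database=Trading;Uid=app;Pwd=S3cret!;".encode("utf-16-le")
    + b"\x00\x00more bytes\x00"
    + b"Data Source=db01;User ID=sa;Password=ChangeMe1;"
    + b"\x00\xff\xfe"
)

# Runs of at least 8 printable characters, as ASCII and as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Keys that identify a database connection string, and the keys that hold the secret.
SERVER_KEYS = {"server", "data source", "driver", "host", "dsn"}
SECRET_KEYS = {"password", "pwd"}


def extract_strings(blob):
    """Return (offset, text) for printable ASCII and UTF-16LE runs in a blob,
    sorted by offset (a minimal equivalent of `strings` plus `strings -e l`)."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def parse_connection_string(text):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in text.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def find_embedded_credentials(blob):
    """Return every string in the blob that parses as a connection string with a
    password, as dicts holding the offset, target server, user and secret."""
    findings = []
    for offset, text in extract_strings(blob):
        parts = parse_connection_string(text)
        if not (parts.keys() & SERVER_KEYS) or not (parts.keys() & SECRET_KEYS):
            continue
        secret_key = next(k for k in ("password", "pwd") if k in parts)
        findings.append({
            "offset": offset,
            "server": parts.get("server") or parts.get("data source")
                      or parts.get("host") or parts.get("dsn"),
            "user": parts.get("uid") or parts.get("user id") or parts.get("user"),
            "secret": parts[secret_key],
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_BINARY):
        print(f"offset {f['offset']}: server={f['server']} user={f['user']} secret={f['secret']}")
```

Run it against the client's executable, its DLLs and its configuration files (`open(path, "rb").read()` in place of `SAMPLE_BINARY`). A hit means the database is reachable with those credentials from any machine the client is installed on, which is the core weakness of the two-tier design rather than a bug in any one client.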
Three Tier Client Applications
These applications have three tiers: the client talks to an application server, and the application server talks to the database. Communication between client and application server typically uses HTTP/HTTPS, which means a standard web interception proxy can often be used to inspect and modify it (if the client ignores the system proxy settings, a transparent proxy or a hosts-file redirect is needed instead). Common examples of these applications are Yahoo Messenger and G-talk.
Information Gathering
This is an important step of penetration testing. During this phase, gather all the important information about the target application: how it is installed, which files, logs and registry keys it uses, which servers it talks to and over which protocols, and what functionality is available to each user role.
Here are some things to do during this phase.
Exploring The Application’s Functionality
It's important to understand the application's functionality during the pentest. So walk through every UI element reachable with each set of credentials provided (Users: admin, raymond, rebecca) and note which functions each user can reach; the differences between roles are where access-control bugs show up later.
Once the functionality is mapped, it guides the rest of thick client application security testing, which falls into three kinds of testing:
- Dynamic Testing (injection, traffic interception, fuzzing)
- System Testing (checks for data files, logs, process threads, registry keys)
- Static Testing (binary analysis, reverse engineering)
Apply all three to the application. Each finds bugs the others miss, and the findings should go to the development team so they can be fixed before release.
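The system testing item above (data files, logs, registry keys) is usually done by diffing the machine before and after the client runs. The script below is an added example, not code from the original post: it snapshots a directory tree by file hash, diffs two snapshots, and looks inside the new or changed files for secrets the client should not be persisting in clear. The "client run" is simulated by a function that writes the kinds of files a real client leaves behind; the paths and contents are constructed. Registry keys are not covered here, since Python on Windows would need `winreg` for that; the same snapshot-and-diff idea applies to a `reg export` of the client's hive.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Byte markers whose presence in a file written by the client is worth a finding.
SENSITIVE_MARKERS = (b"password=", b"pwd=", b"token=", b"BEGIN RSA PRIVATE KEY")


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            state[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Return which files were created, deleted or modified between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def scan_for_secrets(root, paths):
    """Look inside the given files for sensitive markers (case-insensitive)."""
    hits = {}
    for rel in paths:
        data = (Path(root) / rel).read_bytes().lower()
        found = [m.decode() for m in SENSITIVE_MARKERS if m.lower() in data]
        if found:
            hits[rel] = found
    return hits


def simulate_client_run(root):
    """Constructed stand-in for running the thick client: writes a config file
    with a clear-text password, appends to a log and drops a cache file."""
    root = Path(root)
    (root / "config").mkdir(exist_ok=True)
    (root / "config" / "app.ini").write_text("[db]\nserver=db01\nuser=app\npassword=S3cret!\n")
    with (root / "app.log").open("a") as log:
        log.write("INFO login ok user=raymond\n")
    (root / "cache.bin").write_bytes(b"\x00\x01\x02")


def run_demo():
    """Snapshot, 'run the client', snapshot again, diff, and scan what changed."""
    with tempfile.TemporaryDirectory() as workdir:
        Path(workdir, "app.log").write_text("INFO started\n")  # exists before the run
        before = snapshot(workdir)
        simulate_client_run(workdir)
        after = snapshot(workdir)
        changes = diff_snapshots(before, after)
        secrets = scan_for_secrets(workdir, changes["created"] + changes["modified"])
        return changes, secrets


if __name__ == "__main__":
    changes, secrets = run_demo()
    print("created:", changes["created"])
    print("modified:", changes["modified"])
    print("secrets in clear:", secrets)
```

In a real test, point `snapshot` at the user's profile, the application's install directory and temp directories, and take the "after" snapshot following a login and a few sensitive operations; the modified log file in the demo is a reminder that logs are where credentials and session tokens most often leak.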
Info Leakage/ Error Handling
The tester tries to trigger verbose error messages (malformed input, a dropped network connection, a missing file, a locked database) that reveal application code, stack traces, log details, file paths, internal host names or the underlying framework and its version. Each such message is a finding: the user should see a generic error, with the detail written to a protected log.
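Triage of the error messages collected during this step can be automated. The classifier below is an added example, not code from the original post: it tags each message with the kinds of information it leaks. The patterns are ordinary heuristics chosen for this example, and the sample messages are constructed, not taken from any real product.

```python
import re

# Each pattern names one kind of information an error message should not reveal.
LEAK_PATTERNS = {
    # ".NET / Java style frame lines, Python tracebacks, Java thread exceptions
    "stack_trace": re.compile(
        r"^\s+at [\w.$<>]+\(|Traceback \(most recent call last\)|Exception in thread", re.M),
    # Windows drive paths and common Unix install/data paths
    "file_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+|/(?:home|var|opt|usr|srv)/\S+"),
    # Database engine error text, which also hints at injectable queries
    "sql_error": re.compile(
        r"\b(?:syntax error|ORA-\d{5}|SQLSTATE|near '|unclosed quotation mark|Incorrect syntax near)",
        re.I),
    # Product name followed closely by a version number
    "framework_version": re.compile(
        r"\b(?:\.NET Framework|ASP\.NET|Apache Tomcat|Microsoft SQL Server|OpenSSL|Java)\b"
        r"[^\n]{0,20}?\d+(?:\.\d+)+"),
    # RFC 1918 addresses and internal-looking host names
    "internal_host": re.compile(
        r"\b(?:10|172\.(?:1[6-9]|2\d|3[01])|192\.168)(?:\.\d{1,3}){2,3}\b"
        r"|\b[\w-]+\.(?:corp|internal|local)\b"),
}


def classify_error(message):
    """Return the sorted list of leak categories present in one error message."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(message))


def triage(messages):
    """Return only the messages that leak something, with their categories."""
    return [(m, cats) for m in messages if (cats := classify_error(m))]


# Constructed error messages of the kinds a thick client might show or log.
SAMPLE_ERRORS = [
    "Unhandled exception: System.Data.SqlClient.SqlException: Incorrect syntax near 'raymond'.\n"
    "   at TradingClient.Data.OrderRepo.Load(String user) in "
    "C:\\build\\TradingClient\\Data\\OrderRepo.cs:line 42",
    "Could not connect to appsrv01.corp.example on 10.20.30.40: connection refused "
    "(server version: Microsoft SQL Server 2012 11.0.7001)",
    "Invalid username or password.",
    "ORA-00933: SQL command not properly ended",
]


if __name__ == "__main__":
    for message, cats in triage(SAMPLE_ERRORS):
        print(f"{', '.join(cats):35s} {message.splitlines()[0]}")
```

The third sample is the control: a generic message that leaks nothing and is what every error shown to the user should look like. Feed the function the client's log files as well as the dialogs, since verbose detail is often suppressed in the UI but written to disk unchanged.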
Secure Traffic Analysis
This test checks whether sensitive data (credentials, session tokens, business data) is encrypted on the wire. Capture the client's traffic while it logs in and performs sensitive operations, and look for clear text transmission, which is a vulnerability in itself. A proprietary binary protocol is not encryption: if the password you typed can be found in the capture, ASCII or UTF-16 encoded, the data is in the clear.
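Once payloads have been pulled out of a capture (for example with Wireshark's "Follow TCP Stream" or `tcpdump -A`), the check is mechanical. The script below is an added example, not code from the original post: for each payload it decides whether the stream is TLS, readable clear text, or an opaque (non-TLS) binary protocol, flags credential-like field names, and searches for the known test password in both ASCII and UTF-16LE. The four payloads are constructed for the example; the password `S3cret!` and the host names are assumptions.

```python
import re

# Field names that should never travel unencrypted; matched as "name=" or "name:".
CREDENTIAL_MARKERS = re.compile(rb"(?i)\b(password|passwd|pwd|authorization|cookie|set-cookie|token)[=:]")


def looks_like_tls(payload):
    """A TLS record starts with a content type (0x14-0x17) and a 0x03 0x0x version."""
    return (len(payload) >= 5 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04)


def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 0x20 <= b < 0x7f or b in (9, 10, 13))
    return printable / len(payload)


def assess_payload(payload, known_secrets=()):
    """Classify one captured payload and report what it exposes.

    known_secrets: strings the tester typed into the client (e.g. the test
    password); each is searched for as ASCII and as UTF-16LE, so a .NET client
    sending raw Unicode strings is caught too."""
    if looks_like_tls(payload):
        transport = "tls"
    elif printable_ratio(payload) > 0.9:
        transport = "cleartext-text"
    else:
        transport = "cleartext-binary"  # not TLS; could be custom crypto, verify by hand

    markers = []
    if transport != "tls":
        markers = sorted({m.group(1).decode().lower() for m in CREDENTIAL_MARKERS.finditer(payload)})

    exposed = [s for s in known_secrets
               if s.encode() in payload or s.encode("utf-16-le") in payload]
    return {"transport": transport, "markers": markers, "secrets_in_clear": exposed}


KNOWN_SECRETS = ("S3cret!",)  # constructed: the password typed into the client

# Constructed payloads: a TLS ClientHello record header, an HTTP login over plain
# HTTP, a home-grown binary login, and the same binary login from a .NET client.
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x30\x01\x00\x00\x2c\x03\x03" + bytes(32)
                    + b"\x00\x00\x02\x13\x01\x01\x00")
HTTP_LOGIN = (b"POST /api/login HTTP/1.1\r\nHost: appsrv01\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"user=raymond&password=S3cret!")
BINARY_LOGIN = b"\x01\x00\x00\x1a" + b"raymond\x00" + b"S3cret!\x00" + b"\x00\x00"
DOTNET_LOGIN = b"\x02\x00" + "raymond".encode("utf-16-le") + "S3cret!".encode("utf-16-le")


if __name__ == "__main__":
    for name, data in [("tls", TLS_CLIENT_HELLO), ("http", HTTP_LOGIN),
                       ("binary", BINARY_LOGIN), ("dotnet", DOTNET_LOGIN)]:
        print(name, assess_payload(data, KNOWN_SECRETS))
```

A "tls" verdict is necessary but not sufficient: the client must also validate the server certificate, which is checked separately by pointing it at an interception proxy with an untrusted certificate and seeing whether it connects anyway.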
To conclude, thick client application security testing should be part of releasing any such app. We suggest repeating the testing process after significant changes, since new functionality brings new attack surface, and a client that is tested this way is both more complete and safer for its users.