The majority of thick client applications fail to undergo rigorous testing since the focus is usually on web and mobile applications. However, these apps can be vulnerable to serious security issues, like memory corruption, injection, and client-side trust issues. Vulnerabilities like these make it possible to completely compromise systems where the thick client software is installed, and allow access to server-side data. Thick client applications typically use both local and server-side processing, as well as proprietary communication protocols. Additionally, they may contain multiple client-side components that run at different trust levels.
Scanners are not sufficient for vulnerability assessment. We perform thick client tests with an app-specific approach, so every test is different. Analyzing the thick client’s APIs and the thick client itself is the first step in evaluating your thick client application. The information obtained from this analysis, along with a list of your business risks, will help us create a blueprint for testing thick client software.