Thick Client Security

Trendsoft begins its Thick client security by understanding each applicant's complexities and functionality. These are installed locally on a user’s desktop/ Laptop that can run independently not connected to the internet, unlike web applications, which need an internet connection. Examples of Thick client applications include computer games, web browsers, Music players, and video and chat tools like Zoom, Slack, etc.

Here we introduce the pen-testing methodology which involves reverse engineering to identify hard-coded secrets and ensure comprehensive coverage. This specific approach to testing the applications is followed after understanding the application in terms of the technologies used, functionality, behavior, entry points for user inputs, core security mechanism used by the application, frameworks, and languages.

Top 10 vulnerability standards we follow under OWASP during Thick client penetration testing

Hardcoded sensitive data and authentication tokens (private keys, passwords, etc..)
Application workflow analysis between GUI elements
Assembly accumulation of security flags
Use of insecure and carving algorithms
Programmed encryption materials (Keys, IVS, etc.…)
WMI subscription, Application service, provider, and other permissions.
Application file, folder, and listing permissions, changes including creation, modification, and deletion of keys and values.
Database connections, user roles, and permissions, Authentication, and authorization controls.
Network protocols used by an application (SMB, FTP, TFTP, etc.)
Service account roles and permissions (database server, application server, client)

Thick Client Testing Process

Identify application architecture
Catalogue the platform
Identify language and programs
Network traffic analysis
Local files/ registry analysis
Reverse engineering / GUI tampering

Why US?

In-depth- Reverse engineering
Sensitive information discovery
Extensive binary extortion checklist
Customized approach
Actionable remediations
Expert Support