Cybersecurity today is one of the most important topics on the agenda of board members and CEOs. After all, hacker attacks often cause immense damage and can affect companies of all sizes. The bad news is that there is no 100% protection. But there is also good news: sound cybersecurity strategies significantly reduce risk.

What are client applications?

A good cybersecurity strategy comprises various levels, with a key task being the implementation of security analyses to identify potential attack surfaces – especially those hidden in client (rich client, thick client or fat client) applications waiting to be discovered. Client applications are software that runs on a device connected to a network and works with or without a network connection, such as your web browser or word processor.

The complexity of client applications is often underestimated, although they offer cybercriminals various points of attack: bypassing authentication and authorization measures, accessing and/or modifying data and, in a worst-case scenario, taking over entire systems. Employees within enterprises use client applications on a daily basis to do their job. Some of these applications might have been written in-house, while others are developed and maintained by third parties. In most cases, they are not subject to any kind of public scrutiny, which means that potential vulnerabilities remain under the radar and it takes a security analysis or a security incident to discover them, whichever comes first!

When to conduct a security analysis of the client applications?

At an early stage of development and/or when the source code is available, it is best to conduct a security code review. Code reviews allow an in-depth analysis and understanding of the client application, which a black box test scenario cannot always guarantee. Sometimes the code is proprietary, meaning it can only be used on a manufacturer’s own computer model, or the development of the application dates back many years. Perhaps the source code is no longer available. Or the costs of a code review are simply beyond the budget. That is when a security analysis of the client application is the preferred option.

Recognizing risk: Where do cybercriminals attack?

Attackers usually target the weakest link in the chain – in-house developed client applications. The reason behind that is simple: these applications are usually developed by small teams or, in the worst case, by a single developer. Small budgets unfortunately mean that security is not given enough priority. Next, attackers look for applications developed exclusively for the target enterprise. As a last resort, attackers turn to the last class of client applications: programs for corporate and home users, such as Microsoft Office applications, Adobe Acrobat, web browsers, etc. Since these usually go through extensive testing and are available to anyone, vulnerabilities are very hard to uncover. But if a vulnerability is found, it usually entails a very high risk.

Companies of all sizes may be affected by vulnerabilities in client applications. Experts from TÜV Rheinland recently discovered a security vulnerability in an IBM product that allows a local attacker to escalate their privileges to the highest level, giving them full control over the attacked system. The vulnerability, which affects IBM’s end customers, has been assigned the CVE ID CVE-2021-20532.

How does the security analysis of client applications work?

For a sound security analysis, TÜV Rheinland first collects information on the application from the perspective of a “normal user”. Next, the testers of TÜV Rheinland attempt to identify as many vulnerabilities as possible that have a negative impact on the overall security of the application, the underlying operating system and other applications. Manual and semi-automatic tests are used to systematically detect security vulnerabilities that could be exploited for attacks.

What is typically tested?

Because every application is unique, TÜV Rheinland does NOT go through a standardized checklist. However, the following topics are typically tested, and for each topic multiple attack scenarios are examined. These are examples of specific questions that can be used to detect potential attack surfaces:

Authentication and access controls.

Could an attacker bypass the login windows and/or gain more privileges than intended?

Secure communication protocols.

Is communication with other systems exchanged securely?

Credential management and information disclosure.

Does the application or one of its artifacts contain information that could help an attacker access other systems or other users’ data?

Why TÜV Rheinland?

Cybersecurity is a serious and complex issue. Testing client applications requires a solid understanding of how an application works. Different programming languages, frameworks and operating systems also provide attackers with different attack surfaces. Detecting the logic errors and design failures behind a difficult-to-identify vulnerability requires the keen eye of an experienced tester. Our security analysts are experienced programmers with a great passion for finding exotic vulnerabilities. This is exactly what puts TÜV Rheinland ahead of the competition.

Sounds interesting?

Contact us and request a call with one of our cybersecurity specialists to learn more.

Author

Shadi Habbal

Senior security analyst

Shadi Habbal works as a senior security analyst at TÜV Rheinland. He is a certified professional penetration tester and reverse code engineer with more than ten years of experience. Using his knowledge of various programming languages and system administration, he manages to identify exotic security vulnerabilities and logic errors – and he does it with passion. His strengths include curiosity and a sense of humor. When he is not busy as a hacker, he usually sleeps.
