Penetration testing for desktop apps

For desktop applications, we are not afraid to go down to the source code by decompiling the binaries, and even modifying them, so that we can identify security risks, exposed sensitive data, and other flaws in authorization or in the actual communication between the client application and the server.


Our story

We were approached by our client to conduct a penetration test on an extensive enterprise application delivered by a third party. There was a real suspicion of leakage of sensitive data concerning employees' wages and of unauthorized access to this information. The entire application consisted of hundreds of sub-files and libraries, providing complex services for running various divisions, so it was necessary to define and focus on the critical input vectors that represented a potential path to the sensitive data, including the parts of the application that should be accessible only to specific privileged users.
By analysing the ongoing communication, combined with decompiling, modifying and recompiling the binary files, we quickly identified several critical vulnerabilities that directly threatened the security of the entire application and its data. The application's remote update feature allowed additional SQL queries to be inserted into the database, so an external attacker could interact with the client's database. Likewise, it was possible to escalate an employee's normal permissions to the highest super-user level by partially modifying the client software, because the corresponding checks were also missing on the server side of the application.
All of our findings helped the customer identify and recognize the potential risks, which also put them in a good position to resolve the deficiencies with the software supplier and, in the end, helped raise the security level of the third-party software for other clients who become its customers in the future.

Detailed description

In many ways, penetration tests of desktop applications are quite specific compared to penetration tests of web applications. They require comprehensive knowledge of secure authentication, access authorization and the handling of sensitive data, as well as in-depth knowledge of programming languages including assembler, and of working in a disassembler and a debugger directly with instruction set codes (opcodes).

The result is a verification that the application is secure, suitable for production use, and does not suffer from any obvious security weakness that could pose a direct risk to the application itself, its users and/or the data.

The following is a more detailed list of areas that, based on our many years of experience, tend to be critical from the perspective of a desktop application’s security. This is not a complete list, but it does give a clearer idea of the scope and complexity of penetration testing for desktop applications, whether it concerns developing your own solution or deploying a third-party solution into your environment. We are more than happy to help you with security solutions.

Critical areas for desktop application security

  • The application stores sensitive data in an unencrypted form, 
  • the files it creates are assigned high access rights, 
  • poor control of inputs on the server side, 
  • vulnerabilities in the communication gateway, 
  • possible DoS tests of the communication gateway, 
  • sensitive data are sent over an unencrypted communication channel, 
  • SSL/TLS flaws (versions, algorithms, key lengths, certificate validity), 
  • a proprietary communication protocol is used, 
  • flaws in mutual channel authentication, 
  • long timeouts when waiting for a server response, 
  • insufficient control of client inputs, 
  • ways to get around the authentication scheme, 
  • not using multi-factor authentication, 
  • the possibility of a brute-force attack on authentication data, 
  • a weak password policy, 
  • executables are not signed, 
  • session tokens are not generated with enough entropy, 
  • the user session has a long duration, 
  • no automatic logout during inactivity, 
  • sensitive information stored in the memory cache, 
  • sensitive information stored in log files, 
  • the cryptography used when storing data is not secure, 
  • the executable code contains sensitive data, 
  • the program contains sensitive business logic, 
  • developer comments in the program files, 
  • code obfuscators are not used, 
  • there is sensitive data in the memory, 
  • the application has business logic deficiencies.
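The privilege escalation described in "Our story" (a modified client reaching super-user functions because the server did not check) and the list items on server-side input control and session token entropy share one root cause: the server trusting what the client tells it about itself. The following is an added example, not AEC's code and not taken from the tested application; the user records, role names, operations and permission table are constructed for illustration. It places the vulnerable handler, which believes a role field sent by the client, beside the hardened handler, which derives the role only from a server-side session created at login with a high-entropy token.

```python
"""Server-side authorization for a desktop client's requests (added example).

All names and data below are constructed assumptions for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed user directory: username -> (password, role).
# A real system stores a password hash; plain values keep the example short.
USERS = {
    "alice": ("alice-pw", "employee"),
    "admin": ("admin-pw", "superuser"),
}

# Server-side session store: token -> role fixed at login time.
# The client never gets to change this mapping.
SESSIONS: Dict[str, str] = {}

# Which roles may invoke which server operations.
PERMISSIONS = {
    "view_own_payslip": {"employee", "superuser"},
    "view_all_wages": {"superuser"},
}


def login(username: str, password: str) -> Optional[str]:
    """Authenticate and return a session token, or None on bad credentials."""
    record = USERS.get(username)
    if record is None or not secrets.compare_digest(record[0], password):
        return None
    # 32 random bytes from the OS CSPRNG (256 bits of entropy), URL-safe encoded.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = record[1]
    return token


@dataclass
class Request:
    token: str
    operation: str
    claimed_role: str  # whatever the (possibly modified) client chooses to send


def handle_trusting_client(req: Request) -> str:
    """Vulnerable pattern: the server believes the role the client sends."""
    if req.claimed_role in PERMISSIONS.get(req.operation, set()):
        return "allowed"
    return "denied"


def handle_server_checked(req: Request) -> str:
    """Hardened pattern: the role comes only from the server-side session."""
    role = SESSIONS.get(req.token)
    if role is None:
        return "denied: no session"
    if role not in PERMISSIONS.get(req.operation, set()):
        return "denied"
    return "allowed"


def demo() -> Dict[str, str]:
    """Show how the two handlers treat a client that misreports its role."""
    token = login("alice", "alice-pw")
    assert token is not None
    # An employee session whose client claims to be a super user.
    misreported = Request(token=token, operation="view_all_wages",
                          claimed_role="superuser")
    legitimate = Request(token=token, operation="view_own_payslip",
                         claimed_role="employee")
    return {
        "trusting": handle_trusting_client(misreported),   # "allowed"
        "checked": handle_server_checked(misreported),     # "denied"
        "own_payslip": handle_server_checked(legitimate),  # "allowed"
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that `handle_server_checked` never reads `claimed_role` at all: every authorization decision is made from state the server created, so decompiling and patching the client changes nothing the server relies on. The same principle applies to any other client-supplied attribute (user id, price, discount, feature flag) that drives a security decision.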

Source code analysis

  • A combination of static analysis using automated tools and a manual code review,
  • Java, C#, or other languages upon request.

Why AEC?

  • We are an established Czech security company that has been successfully operating on the market for over 30 years.
  • We have more than 15 years of experience in the field of desktop application security.
  • Our team is composed of specialists with experience from hundreds of sub-projects.
  • We hold eMAPT, CISSP, OSCP, OSCE, CEH and many other certifications.
  • We run our own hacking lab for research in a number of areas dealing with the security of various solutions.
  • We listen to our clients and adapt our tests to their needs and the time they have available.
  • We follow modern trends in desktop application security.
  • We emphasize a manual approach to testing which, compared to automated tools, leads to more errors being detected, especially in applications with complex business logic.

References

  • ČMSS, a.s. 
  • Komerční banka a.s. 
  • Eurowag s.r.o. 
  • Konica Minolta Business Solutions Czech, spol. s r.o. 
  • Quadient Technologies Czech s.r.o.
