Author: Ng Wee Kai
What is a Rich Client?
A web application is an application that is accessed via a web browser over a network. A rich client application is an application in a client-server architecture that typically provides rich functionality independent of the central server. A rich client needs a network connection to the central server for some operations, but it is typically able to perform many of its functions without one. This is the most obvious difference between a web application and a rich client application.
Many organizations today have deployed rich client applications for ERP, finance, human resource and payroll. These back-room applications are usually neglected in security design considerations. This article offers a security perspective, recommending corrections to some of the oversights and misconceptions in rich client design.
Rich Clients Share the Same Class of Vulnerabilities as Web Clients
There are several misconceptions, some of them contradictory, about rich client applications:
- Client-side attacks cannot be prevented if a rich client is used, because a malicious user can simply modify the rich client itself. Preventing such attacks would require making the rich client application un-hackable, which usually demands a great deal of effort or is beyond justification.
- Attacks on rich client applications always require higher skill, more knowledge, or access to technical details of the implementation.
There is a distinct difference between protecting the application and protecting the assets that the server manages. It may be neither easy nor necessary to protect the rich client application. It is, on the other hand, essential to protect the assets and information that the server manages. Malicious modification or reverse engineering of the rich client application can happen; however, as long as the server-side assets are not affected by these attempts, the attacks are in vain.
In this context, the vulnerabilities a rich client application faces are the same as those of a web application: the security design must never trust the client.
Common Security Oversight in Client-Server Design
Designers of rich client applications often make trade-offs in their implementations because of time constraints and the limited technical competency of the developers. These trade-offs often introduce security risks. The usual defects in the design of rich client applications are the lack of protection of the communication channel, the lack of protection of request data integrity, and the lack of authorization verification.
Communications between Client and Server are Insecure
Many rich clients use a socket library directly for network communication between client and server. They usually do little to protect this layer: they use their own data structure and feel safe because nobody else knows their data format, which is security through obscurity. Even when encryption is employed, it is usually a simple home-grown scheme, and the encryption key is unlikely to change during the lifetime of the connection. Compared to a well-known protocol such as SSL/TLS, such communication encryption is far less robust. Insecure communication between server and client is therefore a common vulnerability of rich client applications. For applications that do not encrypt the communication channel at all, the server is open to attack by anyone who learns the data format well enough to formulate a request, and every request, including any credential or session identifier it carries, can be read off the wire.
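The following is an added example, not code from the original article. It models a hypothetical home-grown scheme of the kind described above (a fixed XOR key that never changes for the life of the connection) and shows why it fails: because the request format is fixed, an attacker who captures one request already knows part of its plaintext, recovers the key from it, and can then forge any request the server will happily decrypt. The second part builds a TLS client context with Python's standard ssl module as the replacement. The key, request format and function names are all constructed for this example.

```python
"""Added example: a static-key XOR "cipher" versus a TLS client context.

Everything here (STATIC_KEY, the GETSAL request format, function names) is
constructed for illustration and is not from the original article.
"""
import ssl
from itertools import cycle

# --- Part 1: the weak scheme and why it fails -------------------------------

STATIC_KEY = b"s3cr3tk!"  # constructed: fixed 8-byte key, never rotated


def xor_transform(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack. XOR'ing captured ciphertext with plaintext the
    attacker already knows (the fixed request header) yields the key bytes at
    those positions; with a repeating key, key_len known bytes give the whole key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def forge_request(captured: bytes, known_prefix: bytes, key_len: int,
                  new_plaintext: bytes) -> bytes:
    """Recover the key from one sniffed request, then encrypt a request of the
    attacker's choosing under it. No secret of the legitimate client is needed."""
    key = recover_key(captured, known_prefix, key_len)
    return xor_transform(new_plaintext, key)


def server_decrypt(ciphertext: bytes) -> bytes:
    """What the server does with whatever arrives on the socket."""
    return xor_transform(ciphertext, STATIC_KEY)


# --- Part 2: the replacement ------------------------------------------------

def make_tls_client_context(cafile=None) -> ssl.SSLContext:
    """Client-side TLS context: certificate verification and hostname checking
    on, nothing older than TLS 1.2. cafile=None uses the platform trust store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context verifies the peer, checks the hostname and refuses
    TLS versions below 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    legit = b"GETSAL|EMPLOYEE_ID=123"            # constructed request format
    sniffed = xor_transform(legit, STATIC_KEY)   # what a passive attacker sees
    forged = forge_request(sniffed, b"GETSAL|EMPLOYEE_ID=", len(STATIC_KEY),
                           b"GETSAL|EMPLOYEE_ID!=123")
    print(server_decrypt(forged))                # the server accepts the forgery
    print(tls_context_is_strict(make_tls_client_context()))
```

The point of the first part is not the XOR cipher itself but the property the article names: a key that is fixed for the connection, combined with a predictable message format, gives an attacker everything needed from a single captured packet. Wrapping the socket in a context from make_tls_client_context() (ssl.SSLContext.wrap_socket with server_hostname set) replaces the home-grown layer with per-session keys, server authentication and integrity protection.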
Client Requests to the Server are Easily Tampered With
In the design of rich client applications, the client is normally responsible for formulating requests to the server. These requests often contain the actions the server needs to perform; it may even be a complete SQL statement that the server executes after parsing the request. In this kind of design the server does not determine whether the action requested by the client is a valid one, since all the logic is performed by the client. Because the server performs no verification of requests, server security is totally compromised.
[Example: A rich client application formulates a request to the server by passing the request “SELECT SALARY of EMPLOYEE_ID=123”. A malicious modification of the request to “SELECT SALARY of EMPLOYEE_ID!=123” will return everyone’s salary except that of the originally intended employee with ID 123!]
Authorization Bypass
Designers of rich client applications often process requests from clients according to the client's claimed administrative privileges, and rich client applications are seldom designed for role-based access. It is therefore often possible for attackers to send administrative requests to the server in search of an oversight in the authorization checks. Many client-server designs do not maintain the network connection between client and server in the gaps between data exchanges: to reduce the cost of holding concurrent connections open, the client disconnects after each request. The server may then use an ID to recognise an authenticated client across requests. If this ID is not well protected, it can be sniffed from the network and used by an attacker to formulate illegitimate requests to the server. This, coupled with the server's inability to verify the authenticity of a request, means the server cannot stop anyone from spoofing an identity.
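The following is an added example, not code from the original article; it serves both the tampered-request example above (the SELECT SALARY request) and this section on authorization bypass. It is a miniature server-side handler over an in-memory SQLite table. handle_insecure() mirrors the design the article criticises: the client ships the SQL and the server runs it, so changing = to != returns everyone else's salary. handle_secure() accepts only a structured request, identifies the caller from a server-issued random session token rather than a client-supplied user ID, applies the authorization rule on the server, and binds the parameter instead of pasting it into the query. The table, users, roles, token scheme and wire format are all constructed for the example; the token still has to travel over a protected channel, which is the previous section's concern.

```python
"""Added example: client-supplied SQL versus a structured, authorized request.

The employee table, the ROLES map, the JSON wire format and all names are
constructed for illustration and are not from the original article.
"""
import json
import secrets
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three employees with salaries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(123, "alice", 5000), (124, "bob", 6200), (125, "carol", 9100)])
    conn.commit()
    return conn


# --- Insecure design: the server executes whatever SQL the client sends ------

def handle_insecure(conn: sqlite3.Connection, raw_sql: str) -> list:
    """No validation, no authorization: the client decides what runs."""
    return conn.execute(raw_sql).fetchall()


# --- Secure design: structured request, server-side identity and authz ------

# Constructed role table: username -> (role, own employee id or None).
ROLES = {"alice": ("employee", 123), "bob": ("employee", 124), "hr_admin": ("hr", None)}
ALLOWED_ACTIONS = {"get_salary"}


class AuthzError(Exception):
    """Raised when the caller is unknown or not permitted to perform the action."""


class SessionStore:
    """Server-side map from an unguessable token to the authenticated user.
    The client never tells the server who it is; it only presents the token."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def login(self, username: str) -> str:
        # Authentication itself is out of scope; assume the caller proved identity.
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._tokens[token] = username
        return token

    def user_for(self, token: str):
        return self._tokens.get(token)


def encode_request(token: str, action: str, employee_id) -> bytes:
    """Client side: the request names an action and a target, never SQL."""
    return json.dumps({"token": token, "action": action, "employee_id": employee_id}).encode()


def handle_secure(conn: sqlite3.Connection, sessions: SessionStore, wire: bytes) -> list:
    """Parse the structured request, resolve the caller from the token, apply
    the authorization rule on the server, then run a parameterized query."""
    try:
        req = json.loads(wire)
        token, action = str(req["token"]), str(req["action"])
        target = int(req["employee_id"])  # rejects "123 OR 1=1" and friends
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed request") from exc
    caller = sessions.user_for(token)
    if caller is None:
        raise AuthzError("invalid or expired session")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    role, own_id = ROLES[caller]
    # The rule lives here, not in the client: HR may read any row, an ordinary
    # employee only their own. A modified client cannot change this.
    if role != "hr" and target != own_id:
        raise AuthzError(f"{caller} may not read employee {target}")
    return conn.execute("SELECT salary FROM employee WHERE id = ?", (target,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(handle_insecure(db, "SELECT salary FROM employee WHERE id = 123"))   # [(5000,)]
    print(handle_insecure(db, "SELECT salary FROM employee WHERE id != 123"))  # everyone else
    sessions = SessionStore()
    alice = sessions.login("alice")
    print(handle_secure(db, sessions, encode_request(alice, "get_salary", 123)))
    try:
        handle_secure(db, sessions, encode_request(alice, "get_salary", 124))
    except AuthzError as exc:
        print("refused:", exc)
```

Two things make the secure variant hold up against a modified client. First, the client cannot express "everyone except 123" at all: the only degree of freedom it has is an integer employee_id, and the server compares that integer with what it knows about the caller. Second, identity comes from the server's own session store, so a request carrying someone else's user ID in its body is meaningless; an attacker would need the token itself, which is why the channel carrying it must be encrypted.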
Conclusion
Without proper design consideration, a rich client is vulnerable to the same kinds of attacks and threats that are possible against web applications. Security audits and assessments should be applied consistently to this class of applications.
In several of our security assessments of such rich client applications, such as back-room HR and finance systems, astonishing findings unveiling critical security flaws were common. Some findings were as serious as the integrity of the system and its data being fully compromised. Organizations may at times be left with no alternative, as fixing or replacing the system is not possible in the near or mid term; migration or acceptance of the risk may be the only remaining viable options. Essentially, it is always important for an organization to weigh security risks and considerations before investing good money in the implementation of any application system, whether rich clients are involved or not. Advice and assessment from security-domain experts are critical components of any evaluation of a sound and robust application system.