Thick and Thin Client Application Security

What is Thin Client application?

A thin client is designed to be especially small so that the bulk of the data processing occurs on the server. Although the term thin client often refers to software, it is increasingly used for the computers, such as network computers and Net PCs, that are designed to serve as the clients for client/server architectures. A thin client is a network computer without a hard disk drive. They act as a simple terminal to the server and require constant communication with the server as well.

Thin clients provide a desktop experience in environments where the end user has a well-defined and regular number of tasks for which the system is used. Thin clients can be found in medical offices, airline ticketing, schools, governments, manufacturing plants and even call centres. Along with being easy to install, thin clients also offer a lower total cost of ownership over thick clients.

In contrast to a thin client, a fat or rich client is a computer with many locally stored programs and resources and little dependence on network resources. Put another way, a fat client relies on its own local hard drive and device resources to run its programs, while a thin client relies on the network server's hard drive and device resources.

A system designer determines this balance, depending on whether lengthy computations must be performed by the client or by the server. For example, a computer that handles most of a simple drawing's editing with sophisticated software stored on a network server may be considered a thin client. A computer that handles most of a complex drawing's editing with locally stored sophisticated software may be a fat client. Whether a given computer can edit or only view the drawing, and where the editing software resides, is decided by the system designer.

Thin client pros and cons:
  • Easy to deploy, as they require no extra or specialized software installation.
  • Need to validate with the server after data capture.
  • If the server goes down, data collection is halted, as the client needs constant communication with the server.
  • Cannot be interfaced with other equipment (in plants or factory settings, for example).
  • Clients run only and exactly as specified by the server.
  • More downtime.
  • Portability: all applications are on the server, so any workstation can access them.
  • Opportunity to use older, outdated PCs as clients.
  • Reduced security threat.

What is thick client application?

A thick client, also known as a fat client, is a client in a client–server architecture or network that typically provides rich functionality independent of the server. In these types of applications, the major processing is done on the client side and the client connects to the server only occasionally.

Thick clients are heavy applications which normally require installing the application on the client side (the user's computer). These applications take up memory and run completely on the computer's resources. This means that the security of the application depends on the local computer.

Thick clients are often not well-suited for public environments. To maintain a thick client, IT needs to maintain all systems for software deployment and upgrades, rather than just maintaining the applications on the server. Additionally, thick clients often require specific applications, again posing more work and limitations for deployment.

Typical examples of thick clients are G-Talk, Yahoo Messenger, Microsoft Outlook, online trading portals, etc…

The thick client applications are made of two types:

Two tier thick client application:

The two-tier thick client application consists of the user's computer and the server. In this type, the application is installed on the client side and communicates directly with the database on the server. These are usually legacy applications (e.g. a VB.NET application communicating directly with the database using Open Database Connectivity, ODBC).


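The two-tier model above puts the database conversation inside the client, so the SQL text is assembled on the user's machine. The following Python is an added example written for this page (not code from any application it names): an in-memory sqlite3 database stands in for the ODBC-connected server database, the users table and its single row are constructed for the demonstration, and the login query is shown in the string-concatenation form typical of legacy two-tier clients beside the parameterised form that removes the injection surface.

```python
"""Two-tier thick client talking straight to the database.

sqlite3 stands in for the ODBC connection; the table, row and inputs are
constructed for this example. login_concat builds SQL from user input (the
defect to look for during assessment); login_param passes the values to the
driver separately from the query text."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account (the password is a placeholder;
    # a real application would store a salted hash, never plaintext).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'user')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable pattern: the input becomes part of the SQL text, so any
    # quote character in it changes the structure of the statement.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened pattern: placeholders keep the statement fixed; the driver
    # binds the values, so quotes in the input are just data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Run both versions on the same input and record what each one does.

    A database error from the concatenated version is returned as a string
    instead of raised, so the two behaviours can be compared side by side."""
    result = {"param": login_param(conn, username, password)}
    try:
        result["concat"] = login_concat(conn, username, password)
    except sqlite3.Error as exc:
        result["concat"] = f"error: {exc}"
    return result


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"), ("o'brien", "x")]:
        print(user, pw, compare(db, user, pw))
```

The third input, a username containing an apostrophe, is enough to show the defect during an assessment: the concatenated query fails with a syntax error because the input has altered the statement, while the parameterised query simply returns "no such user". In a two-tier deployment the client also holds the database credentials, so the account it uses should be restricted to the tables and operations the application needs; the parameterised query limits what a query can do, the restricted account limits what a compromised client can reach.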
Three tier thick client application:

These thick client applications involve three tiers: the client talks to the application server, which in turn talks to the database. Communication in these applications is carried out over HTTP/HTTPS. Examples of such applications include G-Talk and Yahoo Messenger.


Security Assessment of Thick client applications:

Security assessments of thin client applications are comparatively easier than those of thick client applications, as thin clients are web-based applications whose traffic can be intercepted easily and whose major processing takes place on the server side. Since thick client applications involve both local and server-side processing, they require a different approach to security assessment.

The table below distinguishes the vulnerabilities faced by web-based and thick client applications:

| #  | Vulnerability            | Web based      | Thick client based                          |
|----|--------------------------|----------------|---------------------------------------------|
| 1  | Improper error handling  | Applicable     | Applicable                                  |
| 2  | SQL Injection            | Applicable     | Applicable                                  |
| 3  | Cross Site Scripting     | Applicable     | Not applicable – browser-based vulnerability |
| 4  | Clickjacking attacks     | Applicable     | Not applicable – browser-based vulnerability |
| 5  | Parameter Tampering      | Applicable     | Applicable                                  |
| 6  | Insecure Storage         | Applicable     | Applicable                                  |
| 7  | Denial of Service        | Applicable     | Applicable                                  |
| 8  | Reverse engineering      | Not applicable | Applicable                                  |
| 9  | Broken access control    | Applicable     | Applicable                                  |
| 10 | Session management       | Applicable     | Applicable                                  |
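Parameter tampering (row 5) applies to thick clients because the client assembles the request itself: in the three-tier model above, anything the client sends over HTTP/HTTPS, including values it computed locally, can be altered before the application server sees it. The following Python is an added example written for this page (not code from any application it names); the catalogue and the request bodies are constructed stand-ins for the database tier and for the messages a client would send. It shows a server-side order handler that trusts the client-supplied price beside one that re-derives the price and validates the quantity on the server.

```python
"""Three-tier thick client: the application server must not trust values the
client computed. CATALOGUE is a constructed stand-in for the database tier;
the request dicts stand in for the HTTP/HTTPS message bodies."""
from decimal import Decimal

# Constructed server-side price list (would be read from the database tier).
CATALOGUE = {"widget": Decimal("19.99"), "gadget": Decimal("49.00")}
MAX_QTY = 100  # assumed business limit for a single order line


def total_trusting(request: dict) -> Decimal:
    # Vulnerable pattern: the server multiplies whatever unit price the
    # client put in the message, so a modified "price" field changes the bill.
    return Decimal(str(request["price"])) * request["qty"]


def total_authoritative(request: dict) -> Decimal:
    # Hardened pattern: the price comes from the server's own catalogue and
    # the quantity is validated; a "price" field in the request is ignored.
    item = request.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = request.get("qty")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValueError("invalid quantity")
    return CATALOGUE[item] * qty


def handle_order(request: dict) -> dict:
    """Server-side handler: returns the response body the client would get.

    Rejections carry a short reason only; the server does not echo the
    request back, which also covers the 'improper error handling' row."""
    try:
        total = total_authoritative(request)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "total": str(total)}


if __name__ == "__main__":
    # Constructed messages: one as the client sends it, one altered in transit
    # (the kind of change an interception proxy makes visible during testing).
    legit = {"item": "widget", "qty": 2, "price": "19.99"}
    altered = {"item": "widget", "qty": 2, "price": "0.01"}
    print("trusting   :", total_trusting(legit), total_trusting(altered))
    print("server-side:", handle_order(legit), handle_order(altered))
    print("bad qty    :", handle_order({"item": "gadget", "qty": -3}))
```

The same rule covers the other rows that stay "Applicable" for thick clients: access control decisions and session state belong on the application server, because the client binary and everything it sends can be inspected and altered (row 8, reverse engineering, is why client-side checks alone do not hold).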

List of tools that can be used to intercept thick client application traffic:

  1. Echo Mirage
  2. Ethereal/Wireshark
  3. Interactive TCP Relay
  4. JavaSnoop
  5. Memory analysis using the WinHex tool

Conclusion: We have looked at thick and thin client applications, how they are built and what features they offer. Companies choose thick or thin clients based on their needs and requirements, but nowadays most companies are moving towards thin clients because of the reduced security threat.