THICK CLIENT · DESKTOP APP PEN TESTING

CREST-Certified Thick Client and Desktop Application Penetration Testing for UK Businesses

Thick client penetration testing (also called desktop application or fat client testing) covers Windows, macOS, and Linux desktop apps. We test .NET, Electron, JavaFX, Qt, native C++, and modern frameworks. Testing includes reverse engineering, IPC abuse, local privilege escalation, registry / file system tampering, and binary protection assessment.

Thick Client & Desktop App Testing

  • Windows · macOS · Linux: .NET · Electron · Qt · JavaFX
  • Reverse engineering: IDA · Ghidra · dnSpy · Frida
  • CREST Approved Provider
  • Thick client coverage
  • Free retest included
  • 24h scope to active test
  • 85% of thick clients ship without code obfuscation. Decompilation reveals hardcoded API credentials, custom auth, embedded business logic.

Web app pen testing covers the browser. Mobile covers the device. Thick client covers the desktop.

Many regulated UK businesses still rely on thick-client desktop applications: banking back-office tools, claims-processing software, legal practice management, healthcare clinical systems, manufacturing operations consoles. These applications face attack surfaces unfamiliar to web/mobile testing — local privilege escalation, IPC abuse, registry tampering, DLL hijacking, embedded credentials, and custom binary protocol attacks.

Our thick client penetration testing covers Windows (.NET, Electron, native C++, Qt), macOS (Swift, AppKit, Electron), and Linux (Qt, Electron, GTK) desktop applications. Reverse engineering with IDA Pro, Ghidra, dnSpy. Runtime instrumentation with Frida. Network protocol analysis for custom binary protocols. Local privilege escalation testing. Reports satisfy ISO 27001 A.14.2, PCI DSS Req 6.5, and FCA SYSC requirements for desktop-deployed applications.

THICK CLIENT TEST CATEGORIES

What We Test in Thick Client Penetration Testing

Twelve categories spanning binary, runtime, IPC, network, and operating-system layer attacks.

TC-1

Reverse Engineering

IDA Pro / Ghidra / dnSpy decompilation. Binary structure analysis. Hardcoded credentials extraction. Custom obfuscation defeat.

TC-2

Runtime Instrumentation

Frida runtime hooking. Method tracing. Memory analysis. Live modification of executable state. Protection bypass validation.

TC-3

IPC & Named Pipes

Inter-Process Communication abuse. Named pipe authentication, Unix socket permissions, COM/DCOM access, D-Bus security.

TC-4

Local Privilege Escalation

Service account exploitation, DLL hijacking, registry / file permission abuse, scheduled task injection, privileged service vulnerability.

TC-5

Network Protocol

Custom binary protocol analysis (Wireshark dissectors), MITM, protocol fuzzing, certificate validation, mutual TLS bypass.

TC-6

Local Storage

Encrypted local database review (SQLite, LevelDB, IndexedDB), encryption-key extraction, sensitive data residue.

TC-7

Auto-Update Mechanism

Update channel security, signed-binary validation, update server impersonation, downgrade attacks, auto-update RCE chains.

TC-8

Authentication

Local authentication bypass, credential storage review (Credential Manager, Keychain), single sign-on integration, MFA enforcement.

TC-9

Configuration Storage

Registry / plist / config file security, encrypted configuration validation, configuration tampering detection.

TC-10

Dependency Audit

DLL / Frameworks / .NET assembly dependency review, supply chain risk, outdated component CVEs, vulnerable runtime versions.

TC-11

Anti-Tampering

Code signing validation, anti-debug measures, runtime integrity checks, anti-RE protection effectiveness, custom packer defeat.

TC-12

Side-Channel

Memory dumping, swap-file residue, process-memory inspection, Windows ETW / macOS unified logging exposure.

FOUR-PHASE METHODOLOGY

Thick Client Pen Testing — From Binary to Backend

Multi-layer thick-client testing requires reverse engineering, runtime analysis, IPC review, and backend integration assessment.

1. Recon & Static Analysis

Binary inventory, dependency audit, file/registry installation footprint, signing certificate review, automated AV detection.

2. Reverse Engineering

IDA Pro / Ghidra / dnSpy decompilation. Hardcoded credential extraction. Custom protocol analysis. Anti-debug measure assessment.

3. Runtime & IPC

Frida instrumentation, IPC enumeration, local privilege escalation testing, network protocol fuzzing, MITM where TLS is used.

4. Backend & Report

Server-side validation testing, custom-protocol replay, CVSS-scored findings, executive + technical reports, free retest within 30 days.

Verified Accreditations Auditors Accept

Every accreditation is independently issued by a recognised UK certification body.

COMPLIANCE READY

Thick Client Reports Mapped to Every Framework

Findings tagged to OWASP ASVS verification IDs (where applicable) and your specific compliance framework controls.

OWASP ASVS V14

Configuration architecture and dependency requirements particularly relevant for desktop applications.

ISO 27001

Annex A.12.6.1 vulnerability management and A.14.2 secure development for desktop-deployed apps.

PCI DSS

Req 6.5 secure development including thick-client payment applications. Req 11.3 testing scope.

FCA SYSC

Operational Resilience evidence for desktop-deployed financial applications, particularly relevant for treasury / trading systems.

NHS DSPT

Clinical desktop systems, EHR thick clients, NHS-supplier desktop applications.

SOC 2 Type II

CC7.1 vulnerability identification and CC8.1 change management for desktop-deployed software.

TRANSPARENT PRICING

Transparent Thick Client Penetration Testing Pricing

All tiers include reverse engineering and runtime instrumentation. Price varies by application complexity and platform breadth.

SMALL
£5,000 – £9,000
Depends on app complexity

Single platform (Windows OR macOS), basic application, ≤5 IPC interfaces, single backend integration. Typically 5-7 day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

GROWTH (MOST COMMISSIONED)
£9,000 – £18,000
Depends on app complexity

Multi-platform (Windows + macOS), complex application with custom protocols, multiple IPC, auto-update mechanism. Typically 8-12 day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

ENTERPRISE
£18,000+
Depends on app complexity

Enterprise desktop (Windows + macOS + Linux), complex business logic, custom binary protocols, hardware integration. Typically 12-15+ day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

What You Actually Get

Five things that distinguish our service from automated scans and box-tick competitors.

🎯 What You Get From Thick Client Testing

Reverse engineering, runtime instrumentation, IPC abuse testing, local privilege escalation, custom protocol analysis, free retest within 30 days.

🔬 Reverse Engineering Specialism

IDA Pro, Ghidra, dnSpy, Frida. Custom obfuscation defeat. Anti-tamper bypass. Hardcoded credential extraction across .NET, C++, Java, Electron stacks.

🛡 Multi-Platform Coverage

Windows (.NET, native, Electron), macOS (Swift, AppKit, Electron), Linux (Qt, GTK, Electron). Where applicable, all three platforms in one engagement.

📋 OWASP ASVS V14 Aligned

Findings pre-mapped to ASVS verification IDs. Audit-grade evidence for ISO 27001 A.14.2 and PCI DSS Req 6.5.

🇬🇧 UK CREST + IASME + ISO 27001 + ISO 9001

Independently accredited. UK-based reverse-engineering specialists. Reports accepted by FCA, NHS, and regulated-financial auditors.

Frequently Asked

What is thick client penetration testing?

Thick client penetration testing (also called desktop application or fat client testing) is the security assessment of desktop-installed applications — Windows, macOS, Linux. It covers attack surfaces unique to desktop apps: local privilege escalation, IPC abuse, reverse engineering, custom binary protocols, registry / file system tampering, and binary protection.

How is thick client testing different from web/mobile?

Web testing covers the browser; mobile covers the smartphone; thick client covers the desktop. Different attack surface (local privilege escalation, IPC, custom protocols), different tooling (IDA Pro, Ghidra, Frida, Wireshark dissectors), different threat model (local attacker has more capabilities than remote web attacker).

What platforms do you test?

Windows (Win32, .NET / C# / VB.NET, native C++, Electron, Qt, JavaFX), macOS (Swift / Objective-C / AppKit, Electron, Qt), Linux (Qt, GTK, Electron). Multi-platform applications can be tested on all platforms in one engagement.

What frameworks do you cover?

.NET / C# / VB.NET, Electron (Node.js + Chromium), JavaFX, Qt (cross-platform), Win32, native C++, native macOS Swift / Objective-C, Linux GTK. Less common frameworks (Tcl/Tk, wxWidgets, Avalonia) on request.

How long does thick client testing take?

Small (single platform, basic app): 5-7 working days. Mid-market (multi-platform, custom protocols): 8-12 days. Enterprise (complex business logic, hardware integration, multi-platform): 12-15+ days. Test duration is determined during scoping based on application complexity.

How much does thick client penetration testing cost in the UK?

Small £5,000-£9,000. Mid-market (most commonly commissioned) £9,000-£18,000. Enterprise £18,000+. UK day rates for CREST + reverse-engineering specialists are £1,200-£1,800 per day.

Do you test custom binary protocols?

Yes. Custom binary protocol analysis is a core thick-client capability. We use Wireshark with custom dissectors, Frida for runtime hooking, and protocol fuzzing tools (boofuzz, custom fuzzers) to analyse and exploit proprietary protocols common in financial trading, industrial control, and legacy enterprise systems.

Do you do reverse engineering?

Yes. Reverse engineering is core to thick-client testing. IDA Pro, Ghidra, Binary Ninja for native code. dnSpy / dotPeek / ILSpy for .NET. JD-GUI / CFR for Java. Custom obfuscation defeat. Anti-debug bypass. Hardcoded credential extraction. We retain reverse-engineering specialists with practical experience.

Can you test against custom obfuscation / packers?

Yes. Custom obfuscation and packer defeat is part of advanced thick-client engagements. VMProtect, Themida, ConfuserEx, Eazfuscator, Dotfuscator, ProGuard, and custom packers have all been encountered in past engagements. Time investment varies and is quoted during scoping.

Do you test the backend/server side?

Yes. Where the thick client communicates with backend services (commonly via REST APIs, SOAP, or custom binary protocols), we test the server side as part of the engagement — this is necessary because thick clients often trust the server implicitly, and server-side validation flaws are a common finding.

Are your testers UK-based?

Yes. UK-based reverse-engineering specialists. SC-cleared testers available for public-sector and regulated-financial engagements. Reverse engineering is a specialist skillset; we maintain a small dedicated team rather than rotating generalists.

Do you sign NDAs?

Yes. Standard NDA before any binary access. We operate under a project-specific master agreement that includes binary IP protection, post-engagement binary destruction, and embargo periods for findings — particularly important for proprietary thick-client applications.

READY TO SCOPE

Book a Thick Client Pen Test Scoping Call

30 minutes with a CREST + reverse-engineering specialist. Fixed-price quote within 24 hours. No sales pipeline.