Securing your Web Applications

Client- side attacks leave your web applications vulnerable, allowing attackers to steal data. Obfuscators protect your apps from reverse engineering and malware attacks. Using Quantum Visualizer V8 SP4, you can create a post-build hook for your Desktop Web applications.

NOTE:
  • Quantum Visualizer supports the obfuscation of files only through post build hooks. Temenos does not provide the obfuscation tool or the required licenses. Ensure that you purchase, manage, and maintain the license of the obfuscation tool that you want to use.
  • Ensure that the Quantum Visualizer Application is working before you implement obfuscation.
  • Ensure that the obfuscation of the web artifact works before importing it into Quantum Visualizer.

To implement obfuscation in your web apps, do the following:

  1. Navigate to the location of your project. For example, <your workspace folder>/<appid>/.
  2. Create a New Folder with the name custombuild.
  3. In the custombuild folder, create a new file, build.xml.
  4. In the build.xml file, create an ANT task, postbuild.
    1. In the postbuild task, write a code that implements an obfuscation of your choice.
    2. After you implement an obfuscation, write a code to replace the existing artifact in the web artifact folder with the protected artifact.
      The protected artifact is generated as the output from the obfuscator tool.

    Here is an example of the contents of the build.xml file with the postbuild task:

    <?xml version="1.0" encoding="UTF-8"?>
<project name="CustomBuildTask" basedir=".">
    <target name="postbuild"  description="post build for desktopweb">
        <echo message="Post Build Started for Project :: ${projname}" />
        <!-- Code to generate protected artifact from chosen obfucator and replacing the existing webartifact -->
        <!-- App Developer Code start -->
        <exec executable="cmd" failonerror="true">
            <arg line="${project.loc}\custombuild\somebatch.bat --app ${webartifactpath} -- ANY OTHER INPUTS FOR YOUR OBFUSCATOR" />
            <redirector output="${basedir}\protected_ob.log" alwayslog="true"></redirector>
        </exec>
        <!-- start error message code - to halt the system when any error occurs -->
        <loadfile srcfile="${basedir}\protected_ob.log" property="errorline">
            <filterchain>
                <linecontains>
                    <contains value="ERROR, UNEXPECTED EXCEPTION"></contains>
                </linecontains>
            </filterchain>
        </loadfile>
        <fail message="Unable to obfuscate - ${errorline}">
            <condition>
                <contains string="${errorline}" substring="ERROR, UNEXPECTED EXCEPTION"/>
            </condition>
        </fail>
        <!-- error message Code end -->
        <!-- replacing old artifact with protected artifact start-->
        <move  file="${webartifactfolder}/${projname}.${webartifacttype}" tofile="${webartifactfolder}/${projname}-old.${webartifacttype}"/>
        <move  file="${basedir}/protected_${projname}.${webartifacttype}" tofile="${webartifactfolder}/${projname}.${webartifacttype}"/>
        <!-- replacing old artifact with protected artifact end-->
        <!-- App Developer Code end -->
    </target>
</project>
  5. Once you create the ANT task, save and close the file.

    6. NOTE: Ensure that you exclude any variables with global scope from obfuscation.

  6. Build the project. After the project is built, the protected binary is uploaded to Quantum Fabric.
    Once the build is completed, you must publish the app to your Fabric environment. Once you publish the app, you will get the Web Application URL.

Secure Web Applications by using Arxan Web Protection

NOTE: Temenos does not provide the license for the Arxan obfuscation tool. Ensure that you purchase, manage, and maintain the license of the Arxan obfuscation tool.

You can implement obfuscation mechanisms from the Arxan Obfuscation Tool in your Web Apps during the build process. After you obtain your Arxan License, you can use any of the following methods to secure a Web app by using Arxan Web Protection in Quantum Visualizer:

IMPORTANT: Before you get started, you must raise a ticket with the Temenos support team to get a securejs.properties file.
Ensure that you provide the App ID, Client ID, and Client Secret from your Arxan License in the support ticket.
For information on generating the encryption keys, click here.

Web App Obfuscation using CI Build

From Quantum Visualizer V9 SP2 GA, developers can build protected mode web applications by using the Visualizer CI build feature and the Arxan Obfuscation Tool. The Visualizer CI build feature is implemented only through the command prompt.

NOTE: You can also secure your web apps by using the CI/CD builds in Temenos App Factory. For more information, refer to Building a Visualizer app in App Factory .

During the implementation, you can view protection presets in the CI build.

There are three different Protection build presets. Based on your requirements, you can choose one of the following presets.

  • Basic: Provides the basic level protection.
  • Moderate: Provides moderate level protection. CI build for this preset takes some time to process and the produced output is big in size.
  • Custom: This preset is used to customize the protection level. This option is recommended only when the application doesn’t meet the Basic or Moderate protection requirements.

To implement the Secure Web applications using CI build, do the following:

Before you get started, raise a ticket with the support team to get a securejs.properties file.
Ensure that you provide the App ID, Client ID, and Client Secret from your Arxan License in the support ticket.
To know how to generate the encryption keys, click here.

  1. On your computer where Quantum Visualizer is installed, navigate to Visualizer workspace.
  2. Open HeadlessBuild.properties in a source code editor.
  3. For the following properties, enter their corresponding values or paths.
    • Modify the protectedmodeenabled.web property value to true.
    • web.protection.properties= <path_to_securejs_properties_file>
    • web.encryption.dirs= <path_to_ encryption_keys_directory>
    • web.protection.preset=BASIC/MODERATE/CUSTOM
    • web.protection.custom.blueprint= <path_to_custom_blueprint_file>(optional)

    NOTE: When preset and blueprint paths are provided, the blueprint file takes the priority. The blueprint file will overwrite any existing preset files.
    When you choose CUSTOM as the preset, ensure that you provide the path to the blueprint file.

    NOTE: A custom blueprint file is a JSON file that is used to increase the protection level of the application. This file is provided by the Quantum support team on a need basis.

  4. By default, Visualizer includes all the files in the directory for protection. To exempt certain files from protection, follow these steps.
    1. Navigate to the custombuild folder.
    2. Create a new text file in it and rename the file excludefileslist.txt.
    3. In the text file, add names of files and folders in you want to exempt from protection. For example,

      @cacheid@/desktopweb/jslib/tparty

      @cacheid@/desktopweb/resources/strings

    4. Open the Headlessbuild.properties file in the edit mode.
    5. Provide the path for web protection exclude list in the following format.
      web.protection.excludelist=<path_to_exclude_list_file>

    Here is how a sample Headlessbuild.properties file looks.

    5. #properties for doing Web Protected build.
    #This feature only supports web platforms
    #Set the value to true to enable Web obfuscation
    protectedmodeenabled.web=true
    #Provide full path of securejs properties file
    web.protection.properties=<path_to_securejs_properties>
    #Provide full path of web encryption keys directory
    web.encryption.dirs= <path_to_encryption_keys>
    #Provide Web Protection Configuration Options: BASIC,MODERATE,CUSTOM
    web.protection.preset =BASIC
    #Provide Absolute path of custom protection blueprint json file web.protection.custom.blueprint=<path_to_custom_blueprint_file>
    #Provide Absolute path of excludelist.txt file
    web.protection.excludelist=<path_to_excludelist_text_file>
  5. Build the application.
    Visualizer takes some time to build the project.
    After the build completes, Visualizer displays a success message.

Web App Obfuscation using Quantum Visualizer

If you want to implement obfuscation for your web apps by using the Arxan Obfuscation Tool in Quantum Visualizer, follow these steps:

Before you get started, raise a ticket with the support team to get a securejs.properties file.
Ensure that you provide the App ID, Client ID, and Client Secret from your Arxan License in the support ticket.

  1. Navigate to the location of your project.
    For example, <your workspace folder>/<appid>/
  2. Download the custombuild.zip file.
  3. Copy the securejs.properties file received over the customer service ticket into the <your workspace folder>/<appid>/custombuild folder.
  4. To exempt certain files from protection do the following, in the custombuild folder, create a text file excludefilelist.txt. In the text file, add sections of the application(you can add both files and/or directors) to exclude.
    • Ensure that each path is defined in a new line. For example,
      @cacheid@/desktopweb/jslib/tparty
      @cacheid@/desktopweb/resources/strings

      NOTE: @cacheid@ is the placeholder to be replaced within the build.xml in the custombuild folder.

  5. Build the project.
    After the project is built, the protected binary uploads to the Fabric environment.
  6. Once the build is completed, publish the app to your Fabric environment.
    Once the app is published, you will receive the Web Application URL.