Background

Traditionally, web apps run inside a browser that does not allow native device API invocation. With hybrid apps built with frameworks such as Cordova, native APIs are exposed in the JavaScript namespace and can be invoked by the hybrid web application as seamlessly as the ones exposed by the browser. It is also easy to swap the JavaScript code running in the hybrid app with the new version.

While this allows you to control and update the application logic from the server side, the risk of letting SAP Fiori apps call native APIs is a point of concern for IT administrators and security experts. Feature restriction and its related policy address this problem by allowing you to define all features an SAP Fiori application is given access to.

Prerequisites

• SAP Fiori Client for iOS or Android, version 1.5 or later, or a custom SAP Fiori client built with SAP Mobile Platform SDK 3.0 SP10 or later

• SAP Mobile Platform Server 3.0 SP05 or later, or SAP HCP, mobile service for development and operations

Feature Restriction Policy Definition

When the SAP Mobile Platform administrator defines a hybrid application, he or she may choose to apply feature restrictions for the application. The policy explicitly defines features that are not allowed to be used within the application. Typically these features are JavaScript APIs that provide access to the native APIs of the mobile device (implemented as Apache Cordova plugins). The policy is applied for all SAP Fiori launchpad applications running inside SAP Fiori Client. Application users will not have access to any restricted feature.

To restrict certain features, the administrator should know the Cordova metadata for those features. A Cordova plugin’s metadata lives in the plugin.xml file, which lives in the plugin’s folder.

The feature restriction policy is sent to the device through the Settings Plugin REST API, which is invoked by SAP Fiori Client after user registration and every time the application starts or resumes. Changes to the feature restriction policy are communicated to the application by using the REST API commands GET, PUT, and DELETE.

Feature Restriction Policy Enforcement

The feature restriction policy is enforced by un-defining--that is, making the plugin name space in javascript null. Access to the plugin to the native layer is blocked by the enforcement. For example, if the BarcodeScanner is disabled, the name space cordova.plugins.barcodeScanner will become null. Any attempt to use the barcode scanner by forcefully loading barcode scanner using cordova.require("com.sap.mp.cordova.plugins.barcodescanner.BarcodeScanner").scan() will fail to run the native code by blocking access to it. Any attempt to call the barcode scanner by an executable also will fail.

if ([g_disabledPluginsMap objectForKey:pluginName] != nil)
{
        return nil;
} else { 
        return [self performSelector:@selector(NEW_getCommandInstance:) withObject:pluginName]; 
} 

public CordovaPlugin getPlugin(String service)
 {
 if (SettingsExchange.isFeatureEnabled(service))
 {
      return super.getPlugin(service);
 } else {
 SettingsExchange.clientLogger.logError("Plugin "+service+" is disabled by feature vector"); 
return null;
 }
 }