Fraud Detection: Integrate Device Risk Detection SDK for Android

Last Updated: Mar 25, 2024

This topic describes how to integrate Device Risk Detection SDK for Android.

Prerequisites

  • Android 4.0.3 or later and minSdkVersion 15 or later are used.

Compliance guide

1. The first time a user starts an app, make sure that the privacy policy is displayed. The user must agree to the terms and conditions of the privacy policy by selecting the required option.

2. The following terms and conditions must be stated in the privacy policy of the Device Risk Detection SDK:

  • SDK name: Device Risk Detection SDK

  • Service scope: Check for malicious scripts and abnormal devices whose data or simulators are tampered with.

  • Device information to be collected:

    • Basic information: the manufacturer, brand, model, name, operating system, configuration, and environment.

    • Identity information: the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), MAC address, Integrated Circuit Card Identifier (ICCID), Android device ID, hardware SN, open advertising identifier (OAID), Google AID, Bluetooth MAC, identifier for advertisers (IDFA), and identifier for vendors (IDFV).

    • Network information: the IP address, Wi-Fi information, Basic Service Set Identifiers (BSSID), Service Set Identifier (SSID), carrier information, network type, and network status.

    • Other information: the information about the app that uses the SDK, such as the app name, app version, and installation time.

3. Before you initialize the Device Risk Detection SDK, make sure that the user has agreed to the terms and conditions of the privacy policy.

Permission

To improve the efficiency of fraud detection, we recommend that you grant specific permissions to Device Risk Detection SDK for Android. The following table describes the permissions.

| Permission | Required | Remarks |
|---|---|---|
| android.permission.INTERNET | Yes | The permissions to access networks. If Device Risk Detection SDK for Android does not have the permissions, specific features are unavailable. |
| android.permission.ACCESS_NETWORK_STATE | No but recommended | The permissions to obtain the network status of a device. |
| android.permission.READ_PHONE_STATE | No but recommended | The permissions are dynamically granted in Android 6.0 or later. If you want to enable relevant permissions, make sure that your app has been granted the relevant permissions before you use and initialize Device Risk Detection SDK for Android. |
| android.permission.WRITE_EXTERNAL_STORAGE | No but recommended | |
| android.permission.READ_EXTERNAL_STORAGE | No but recommended | |

Download and configure Device Risk Detection SDK for Android

  1. Download Device Risk Detection SDK for Android and decompress the SDK package. The SDK package is a standard .aar package for Android.

  2. Copy the .aar SDK package to the libs directory of your project. Add the following dependencies to the build.gradle file of the app module:

// Copy the SDK package.
implementation files('libs/Android-AliyunDevice-Version number.aar')

// Add the third-party network libraries as dependencies.
implementation 'com.squareup.okhttp3:okhttp:3.11.0'
implementation 'com.squareup.okio:okio:1.14.0'

You must add the third-party network libraries. Otherwise, Device Risk Detection SDK for Android cannot connect to networks.

Initialize the SDK

When the app starts, you must call the init operation to initialize the SDK at the earliest opportunity.

  • Function

public interface SecurityInitListener {
    // The code parameter specifies the call status code of the operation.
    void onInitFinish(int code);
}

public void init(Context ctx, 
                 String appKey, 
                 SecurityInitListener securityInitListener);

  • Parameter

ctx: the context of an application or an activity.

appKey: the identity of a user. You can obtain the identity on the Device APP management tab in the Fraud Detection console.

securityInitListener: the listener for the initialization result of Device Risk Detection SDK for Android. You can check whether the initialization is successful based on the callback notification. For more information about the value range of the code parameter, see the "Status codes" section of this topic.

  • Return value

None.

Obtain the token of the client

Obtain the client token and send it to the application server. On the application server, you can then use the token to query the device fingerprint information, as described in the topic "Service event parameters and response parameters for Device Risk Detection".

  • Function

public class SecurityToken {
    // The call status code.
    public int code;
    
    // The token that is used to query the result on the application server. 
    public String token;
}

public SecurityToken getDeviceToken();

  • Return value

A SecurityToken object.

code: the call status code of the operation. You can check whether the call is successful based on the status code. For more information about the value range of the code parameter, see the "Status codes" section of this topic.

token: the token that is returned to the client. The token can be used to call the Device Risk Detection Fraud Detection API.

Usage notes:

1. The getDeviceToken operation requires a long period of time to complete. Make sure that the call runs in a child thread. Otherwise, the app may fail due to an Application Not Responding (ANR) error.

2. Make sure that an interval of at least 2 seconds is specified between a call for the init operation and a call for the getDeviceToken operation.

3. In normal network environments, the length of a token is approximately 600 bytes. In abnormal network environments, tokens whose lengths are greater than or equal to 2.5 KB may be returned.

Status codes

| SecurityCode | Code | Remarks |
|---|---|---|
| SC_SUCCESS | 10000 | The SDK is initialized. |
| SC_NOT_INIT | 10001 | The SDK is not initialized. |
| SC_NOT_PERMISSION | 10002 | One or more basic Android permissions are not granted to the SDK. |
| SC_UNKNOWN_ERROR | 10003 | An unknown system error occurred. |
| SC_NETWORK_ERROR | 10004 | A network error occurred. |
| SC_NETWORK_ERROR_EMPTY | 10005 | A network error occurred and the return value is an empty string. |
| SC_NETWORK_ERROR_INVALID | 10006 | The format of the response returned over the network is invalid. |
| SC_PARSE_SRV_CFG_ERROR | 10007 | The system failed to parse the server settings. |
| SC_NETWORK_RET_CODE_ERROR | 10008 | The gateway failed to return a response. |
| SC_APPKEY_EMPTY | 10009 | The value of the appkey parameter is empty. |
| SC_PARAMS_ERROR | 10010 | Other parameters are invalid. |
| SC_FGKEY_ERROR | 10011 | The system failed to calculate the key. |
| SC_APPKEY_ERROR | 10012 | The version of the SDK does not match the version of the appkey. |

Sample code

Initialize Device Risk Detection SDK for Android. When the app starts, you must call the init operation at the earliest opportunity.

The value of the ALIYUN_APPKEY parameter is used to identify a user. You can obtain the identity on the Device APP management tab in the Fraud Detection console.

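import android.app.Application;
// Package taken from the keep rule in the "Obfuscate code" section.
import net.security.device.api.SecurityDevice;

public class CustomApplication extends Application {
    // Replace with the appKey from the Fraud Detection console.
    private static final String ALIYUN_APPKEY = "xxxx";

    @Override
    public void onCreate() {
        super.onCreate();

        // Initialize the SDK as early as possible. Passing null means the
        // initialization result code is not reported to the app.
        SecurityDevice.getInstance().init(this, ALIYUN_APPKEY, null);
    }
}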

In business scenarios that require fraud detection, such as account registrations and promotional activities, you must obtain the token of the client and submit the token to the application server. Make sure that an interval of at least 2 seconds is specified between a call for the init operation and a call for the getDeviceToken operation.

The getDeviceToken operation requires a long period of time to complete. Do not call the operation in a UI thread.

new Thread() {
    @Override
    public void run() {
        SecurityToken st = SecurityDevice.getInstance().getDeviceToken();
        if(null != st){
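            if(SecurityCode.SC_SUCCESS == st.code){
                // Debug aid only: remove this line in release builds so that
                // the token is not written to logcat.
                Log.d("AliyunDevice", "token: " + st.token);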

                // Send the token to the self-managed application server and call the Device Risk Detection Fraud Detection API. 
                // sendToAPPServer(st.token);
            } else {
                Log.e("AliyunDevice", "getDeviceToken error, code: " + st.code);
            }
        } else {
            Log.e("AliyunDevice", "getDeviceToken is null.");
        }
    }
}.start();
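
The two snippets above combined into one flow, as an added example that is not part of the vendor's sample code: init is deferred until the privacy policy is accepted, the init result is captured through SecurityInitListener, and getDeviceToken runs on a worker thread at least 2 seconds after init. Assumptions: the SDK classes are in the net.security.device.api package (the one named in the keep rule below), the SecurityCode values are int constants as the comparison in the sample implies, and onPrivacyPolicyAccepted and TokenCallback are hypothetical names.

```java
// Added example, not vendor code. Assumption: the SDK classes are in
// net.security.device.api, the package named in the page's keep rule.
import android.app.Application;
import android.os.SystemClock;
import android.util.Log;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import net.security.device.api.*;

public class CustomApplication extends Application {
    /** Hypothetical callback; it is invoked on the worker thread. */
    public interface TokenCallback { void onToken(String token); void onError(int code); }

    private static final String TAG = "AliyunDevice";
    private static final String ALIYUN_APPKEY = "xxxx";      // placeholder from the console
    private static final long MIN_INIT_TO_TOKEN_MS = 2000;   // usage note 2
    private static final int LONG_TOKEN_LENGTH = 2560;       // 2.5 KB, usage note 3

    private final ExecutorService worker = Executors.newSingleThreadExecutor();
    private volatile long initStartedAt;
    private volatile int initCode = SecurityCode.SC_NOT_INIT;

    /** Hypothetical hook: call once the user has accepted the privacy policy. */
    public void onPrivacyPolicyAccepted() {
        initStartedAt = SystemClock.elapsedRealtime();
        SecurityDevice.getInstance().init(this, ALIYUN_APPKEY, new SecurityInitListener() {
            @Override public void onInitFinish(int code) {
                initCode = code;
                if (code != SecurityCode.SC_SUCCESS) Log.e(TAG, "init failed, code: " + code);
            }
        });
    }

    /** Fetches the token off the UI thread and enforces the 2-second gap after init. */
    public void requestDeviceToken(final TokenCallback cb) {
        worker.execute(new Runnable() {
            @Override public void run() {
                long wait = MIN_INIT_TO_TOKEN_MS - (SystemClock.elapsedRealtime() - initStartedAt);
                if (wait > 0) SystemClock.sleep(wait);
                if (initCode != SecurityCode.SC_SUCCESS) { cb.onError(initCode); return; }
                SecurityToken st = SecurityDevice.getInstance().getDeviceToken();
                if (st == null) { cb.onError(SecurityCode.SC_UNKNOWN_ERROR); return; }
                if (st.code != SecurityCode.SC_SUCCESS) { cb.onError(st.code); return; }
                if (st.token == null) { cb.onError(SecurityCode.SC_UNKNOWN_ERROR); return; }
                // Log only the length; keep the token value out of logcat.
                if (st.token.length() >= LONG_TOKEN_LENGTH)
                    Log.w(TAG, "long token (" + st.token.length() + " chars), check network");
                cb.onToken(st.token);   // caller forwards it to the application server
            }
        });
    }
}
```

For users who accepted the privacy policy in an earlier session, call onPrivacyPolicyAccepted from onCreate so that init still runs at the earliest opportunity.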

Obfuscate code

-keep class net.security.device.api.** {*;}
-dontwarn net.security.device.api.**

Call the Fraud Detection API

Use the deviceToken parameter and other related parameters to call the Fraud Detection API. For more information, see the following topic:

Service event parameters and response parameters for Device Risk Detection Fraud Detection

The following figure shows how to integrate and use the SDK. Steps 1 and 2 are required only the first time you load the SDK. You can perform Steps 3 to 9 in a loop based on your business requirements.

[Figure: Flow Chart of SDK]

FAQ

1. Which architectures are supported by the Device Risk Detection SDK?

The Device Risk Detection SDK supports the ARM, ARMv7, and ARM64 architectures.

2. What is the size of the Device Risk Detection SDK?

The size of a mono-architecture SO file is approximately 1.8 MB.

To prevent reverse engineering and ensure the security of data in transit, the Device Risk Detection SDK contains a large number of obfuscation, dilation, and decryption operations. Therefore, the SDK is relatively large.

3. Why is the token that I obtained longer than expected?

In most cases, a token is approximately 600 bytes in length. If the network condition is poor, tokens whose lengths are greater than or equal to 2.5 KB may be returned.

If a large number of long tokens exist in daily operations, perform the following steps: Make sure that all connections between clients and the application server are normal. Then, make sure that an interval of at least 2 seconds is specified between a call for the init operation and a call for the getDeviceToken operation.