This topic describes how to integrate Device Fraud Detection SDK for Android.
Prerequisites
Android 4.0.3 (API level 15) or later is required, and minSdkVersion must be 15 or later.
To ensure that integration of SDKs meets privacy rules, you must use the latest versions of SDKs that are released on the official website of Alibaba Cloud. This prevents privacy leaks and ensures that your business meets compliance regulations. Before you use Device Fraud Detection, make sure that you understand the relevant rules of personal information processing and Fraud Detection SDK Privacy Policy. Make sure that you integrate the SDK based on the descriptions provided in Compliant use of Device Fraud Detection SDK.
Permission description
To improve the efficiency of device fraud detection, we recommend that you grant specific permissions. The following table describes the permissions.
Permission | Required | Description |
android.permission.INTERNET | Yes | The permissions to access networks. If the SDK does not have the permissions, specific features are unavailable. |
android.permission.ACCESS_NETWORK_STATE | No but recommended | The permissions to obtain the network status of a device. |
android.permission.READ_PHONE_STATE | No but recommended | The permissions are dynamically granted in Android 6.0 or later. If the SDK requires related permissions, make sure that your app has been granted the permissions before the SDK is integrated and the data collection operation is called. |
android.permission.WRITE_EXTERNAL_STORAGE | No but recommended | |
android.permission.READ_EXTERNAL_STORAGE | No but recommended | |
Download and configure the SDK
Download the Android SDK package and decompress it. The SDK package is a standard .aar package for Android.
Copy and paste the .aar SDK package to the libs directory of your project. Add the following dependencies to the build.gradle file of the app:
// The SDK package. Replace "Version number" with the version of the package you downloaded.
implementation files('libs/Android-AliyunDevice-Version number.aar')
// Third-party network library dependencies.
implementation 'com.squareup.okhttp3:okhttp:3.11.0'
implementation 'com.squareup.okio:okio:1.14.0'
Important: You must add the third-party network library dependencies. Otherwise, the SDK is unable to connect to the Internet.
Collect information
When you use Device Fraud Detection, you must call the following function to collect the required data. We recommend that the function be called at the earliest opportunity when compliance requirements are met.
Function syntax
public interface SecurityInitListener {
// The code parameter specifies the status code of the operation.
void onInitFinish(int code);
}
public void initWithOptions(Context ctx,
String appKey,
Map<String, String> options,
SecurityInitListener securityInitListener);
Parameters
ctx: Valid values are Application Context and Activity Context.
appKey: the identity of a user. You can obtain the identity on the Device APP management tab in the Fraud Detection console.
options: the optional parameters for data collection. The value can be null. The following table describes the optional parameters.
Parameter | Description | Example |
IPv6 | Specifies whether to use IPv6 domain names to report device information. Valid values: 0 (default): IPv4 domain names are used. 1: IPv6 domain names are used. | "1" |
CustomUrl | The domain name of the self-managed server to which you want to send data. | "https://cloudauth-device.aliyuncs.com" |
CustomHost | The host of the self-managed server to which you want to send data. | "cloudauth-device.aliyuncs.com" |
DataType | The type of sensitive data that is excluded. This parameter is empty by default, which specifies that all data is collected. The following table describes the types of data that can be excluded. | One data type: "NO_UNIQUE_DEVICE_DATA" Multiple data types, separated with vertical bars: "NO_UNIQUE_DEVICE_DATA|NO_IDENTIFY_DEVICE_DATA" |
Type of sensitive data | Description | Device information field |
NO_UNIQUE_DEVICE_DATA | The resettable device identifier. | The following fields can be excluded: Open Anonymous Device Identifier (OAID), Google advertising ID, and Android ID. |
NO_IDENTIFY_DEVICE_DATA | The non-resettable device identifier. | The following fields can be excluded: International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), SimSerial, BuildSerial (SN), and Media Access Control (MAC) address. |
NO_BASIC_DEVICE_DATA | The basic device information. | The following fields can be excluded: device name (Build.DEVICE), Android version (Build.VERSION#RELEASE), and screen resolution. |
NO_EXTRA_DEVICE_DATA | The extended sensitive information. | The following information can be excluded: the list of apps that are used for illicit trading, IP addresses of local area networks (LANs), IP addresses of Domain Name System (DNS) servers, information about connected Wi-Fi networks, including the corresponding service set identifiers (SSIDs) and basic SSIDs (BSSIDs), the list of nearby Wi-Fi networks, and location information. |
securityInitListener: the callback operation for data collection by using the Device Fraud Detection SDK, which can be used to determine whether data is collected. For more information about the value range of the code parameter, see the "Status codes" section of this topic.
Return value
None.
Obtain the client token
Obtain a client token, send the token to the server, and then obtain the device risk information based on the event parameters and response parameters. For more information, see Service event parameters and response parameters for Device Fraud Detection.
Function syntax
public class Securitytoken {
// The status code of the operation.
public int code;
// The token that is used to query the result on the server side.
public String token;
}
public Securitytoken getDevicetoken();
Return values
The return value is a Securitytoken object.
code: the status code of the operation. The parameter indicates whether the operation is successful. For more information about the value range of the code parameter, see the "Status codes" section of this topic.
token: the token that is returned to the client. The data type of the token is string. The token can be used to call the Device Fraud Detection API.
The getDeviceToken operation is relatively time-consuming. Make sure that the client calls the operation by using a non-main thread. Otherwise, application not responding (ANR) errors may occur, and the app may stop responding.
Make sure that the interval between the call for data collection and the call to getDevicetoken is at least 2 seconds.
If the network quality is good, the length of a token is approximately 600 bytes. If the network quality is poor, the length of a token is approximately 2.5 KB.
Status codes
SecurityCode | Code | Description |
SC_SUCCESS | 10000 | The data collection is successful. |
SC_NOT_INIT | 10001 | The data collection fails. |
SC_NOT_PERMISSION | 10002 | One or more basic Android permissions are not granted to the SDK. |
SC_UNKNOWN_ERROR | 10003 | An unknown system error occurred. |
SC_NETWORK_ERROR | 10004 | A network error occurred. |
SC_NETWORK_ERROR_EMPTY | 10005 | A network error occurred, and the return value is an empty string. |
SC_NETWORK_ERROR_INVALID | 10006 | The format of the response is invalid. |
SC_PARSE_SRV_CFG_ERROR | 10007 | The system failed to parse the server-side settings. |
SC_NETWORK_RET_CODE_ERROR | 10008 | The gateway returns an error. |
SC_APPKEY_EMPTY | 10009 | The appKey parameter is left empty. |
SC_PARAMS_ERROR | 10010 | Other parameter errors occurred. |
SC_FGKEY_ERROR | 10011 | The system failed to calculate the key. |
SC_APPKEY_ERROR | 10012 | The version of the SDK does not match the version of the appkey. |
Sample code
When you use Device Fraud Detection, you must call the data collection operation. We recommend that the operation be called at the earliest opportunity when compliance requirements are met.
The value of the ALIYUN_APPKEY parameter is used to identify a user. You can obtain the identity on the Device APP management tab in the Fraud Detection console.
You can use the DataType field of the options parameter to configure the specific type for data collection. This helps meet the privacy protection requirements in specific business scenarios.
import android.app.Application;
import java.util.HashMap;
import java.util.Map;
import net.security.device.api.SecurityDevice; // SDK package as listed in the obfuscation rules of this topic

public class CustomApplication extends Application {
    // Replace with the appKey from the Device APP management tab in the Fraud Detection console.
    private static final String ALIYUN_APPKEY = "xxxx";

    @Override
    public void onCreate() {
        super.onCreate();
        // Manage privacy data collection by excluding specific types of data. NO_IDENTIFY_DEVICE_DATA
        // excludes the non-resettable device identifiers. To exclude several types, separate them
        // with vertical bars (|), for example "NO_IDENTIFY_DEVICE_DATA|NO_UNIQUE_DEVICE_DATA".
        Map<String, String> options = new HashMap<>();
        options.put("DataType", "NO_IDENTIFY_DEVICE_DATA");
        // Call the data collection operation at the earliest opportunity in risk scenarios.
        SecurityDevice.getInstance().initWithOptions(this, ALIYUN_APPKEY, options, null);
    }
}
In scenarios that require fraud detection, such as account registration and promotional events, the client token must be obtained and sent to the application server. Make sure that the interval between the call for data collection and the call to getDevicetoken is at least 2 seconds.
The getDeviceToken operation is relatively time-consuming. Make sure that the client calls the operation by using a non-main thread.
new Thread() {
    @Override
    public void run() {
        Securitytoken st = SecurityDevice.getInstance().getDevicetoken();
        if (null != st) {
            if (SecurityCode.SC_SUCCESS == st.code) {
                Log.d("AliyunDevice", "token: " + st.token);
                // Send the token to the self-managed application server and call the Device Fraud Detection API.
                // sendToAPPServer(st.token);
            } else {
                Log.e("AliyunDevice", "getDevicetoken error, code: " + st.code);
            }
        } else {
            Log.e("AliyunDevice", "getDevicetoken is null.");
        }
    }
}.start();
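The following helper ties the three steps above together; it is an added example and is not part of this topic's own sample code. It implements SecurityInitListener so that getDevicetoken is attempted only after data collection has reported SC_SUCCESS, enforces both the 2-second interval and the non-main-thread requirement with a single scheduled executor, and leaves the token hand-off to the application server as a placeholder. The class name TokenFlow, the executor, and sendToAppServer are assumptions; the package net.security.device.api is taken from the obfuscation rules in this topic.

```java
import android.content.Context;
import android.os.SystemClock;
import android.util.Log;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import net.security.device.api.SecurityCode;
import net.security.device.api.SecurityDevice;
import net.security.device.api.SecurityInitListener;
import net.security.device.api.Securitytoken;

// Hypothetical helper class, not part of the SDK: gates getDevicetoken on the init result.
public class TokenFlow implements SecurityInitListener {
    private static final String TAG = "AliyunDevice";
    private static final long MIN_GAP_MS = 2000; // required interval between collection and getDevicetoken
    private final ScheduledExecutorService worker = Executors.newSingleThreadScheduledExecutor();
    private volatile long collectStartedAt;
    private volatile int initCode = -1; // -1: onInitFinish has not been called yet
    // Step 1: start data collection as early as compliance allows (e.g. in Application.onCreate).
    public void collect(Context ctx, String appKey, Map<String, String> options) {
        collectStartedAt = SystemClock.elapsedRealtime();
        SecurityDevice.getInstance().initWithOptions(ctx.getApplicationContext(), appKey, options, this);
    }

    @Override
    public void onInitFinish(int code) {
        initCode = code; // see the "Status codes" table: 10000 is SC_SUCCESS, 10002 a missing permission
    }
    // Step 2: call from a risk scenario (registration, promotion). Never blocks the main thread.
    public void requestToken() {
        long elapsed = SystemClock.elapsedRealtime() - collectStartedAt;
        long delay = Math.max(0L, MIN_GAP_MS - elapsed); // honour the 2-second minimum interval
        worker.schedule(() -> {
            if (initCode != SecurityCode.SC_SUCCESS) {
                Log.e(TAG, "skip getDevicetoken, data collection code: " + initCode);
                return;
            }
            Securitytoken st = SecurityDevice.getInstance().getDevicetoken();
            if (st == null || st.code != SecurityCode.SC_SUCCESS) {
                Log.e(TAG, "getDevicetoken error: " + (st == null ? "null result" : "code " + st.code));
                return;
            }
            sendToAppServer(st.token); // Step 3: the app server calls the Device Fraud Detection API
        }, delay, TimeUnit.MILLISECONDS);
    }
    // Placeholder: post the token to your own application server over HTTPS.
    private void sendToAppServer(String token) { Log.d(TAG, "token length: " + token.length()); }
}
```

Because a token stays valid for seven days, the server side can reuse one token for several API calls rather than the client fetching a new one per check.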
Obfuscation configuration
If you obfuscate your app, add the following rules to your ProGuard configuration so that the SDK classes are kept:
-keep class net.security.device.api.** {*;}
-dontwarn net.security.device.api.**
Call the Device Fraud Detection API
Use the deviceToken parameter and other related parameters to call the Device Fraud Detection API. For more information, see the following topic:
Service event parameters and response parameters for Device Fraud Detection
FAQ
1. Which architectures are supported by the Device Fraud Detection SDK?
The Device Fraud Detection SDK supports the ARM, ARMv7, and ARM64 architectures.
2. What is the size of the SDK package?
The size of a mono-architecture Shared Object (SO) file is approximately 1.8 MB.
To prevent reverse engineering and ensure the security of data in transit, the SDK contains a large number of obfuscation, code expansion, and cryptographic operations. Therefore, the SDK package is also large.
3. What is the validity period of a device token? Can I use a device token to call the server-side API multiple times?
A device token is valid for seven days. You can use the same device token to call the server-side API multiple times.