Risk SDK for Android

OSL Pay Risk SDK Overview

The OSL Pay Risk SDK collects device and risk-related parameters and submits them to the server, which returns a clientInfoToken. The integrating app presents this token as risk proof in scenarios where risk intervention is required.

Internal dependencies

The OSL Pay Risk SDK integrates three risk management SDKs internally, which serve as the data sources for risk parameters. These include:


Collected parameters

| Parameter | Type | Description | Source |
|---|---|---|---|
| deviceId | Risk Parameter | Unique device ID | Fingerprint |
| userAgent | Device Parameter | Browser UA information | Device |
| forterMobileUid | Risk Parameter | Device fingerprint | Forter SDK |
| agentOS | Device Parameter | Operating system | Device |
| browserWidth | Device Parameter | Screen width | Device |
| browserHeight | Device Parameter | Screen height | Device |
| appVersion | Device Parameter | App version | Device |
| appname | Device Parameter | App name | Device |
| osVersion | Device Parameter | Operating system version | Device |
| brand | Device Parameter | Device brand | Device |
| model | Device Parameter | Device model | Device |
| browserTimezone | Device Parameter | Timezone | Device |
| lan | Device Parameter | Language | Device |
| deviceSessionId | Risk Parameter | Unique device identifier | Checkout |
| terminaltype | Device Parameter | Fixed to 2, indicating an Android device | Device |

Integrating OSL Pay Risk SDK

1. SDK compilation environment

The OSL Pay Risk SDK is compiled in the following environment:

  • id = "com.android.library", version.ref = "8.3.2"
  • id = "org.jetbrains.kotlin.android", version.ref = "2.0.21"
  • minSdk 24
  • targetSdk 36
  • compileSdk 36

2. Add OSL Pay Risk SDK dependency

Add the SDK's .aar file to the libs folder:

  • OslPayRiskSdk-release.aar, the OSL Pay Risk SDK compiled artifact

Then, configure it in the build.gradle file:

implementation fileTree(dir: 'libs', include: ['*.jar', '*.aar'])

3. Add dependencies required by OSL Pay Risk SDK

Dependencies on third-party libraries:

    // Add dependencies
    // Official libraries
    implementation "androidx.core:core-ktx:1.13.1"
    implementation "androidx.appcompat:appcompat:1.7.0"

    //Third-party libraries
    implementation("com.squareup.okhttp3:okhttp:4.12.0")
    implementation("com.squareup.okhttp3:logging-interceptor:4.12.0")
    implementation("com.squareup.retrofit2:retrofit:2.9.0")
    implementation("com.squareup.retrofit2:converter-gson:2.9.0")
    implementation 'com.google.code.gson:gson:2.13.2'
    implementation "com.github.fingerprintjs:fingerprint-android:2.2.0"
    implementation 'com.forter.mobile:fortersdk:3.0.10'
    implementation 'com.github.checkout:checkout-risk-sdk-android:2.1.0'

Configure repository addresses:

dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()
        // OSL Pay Risk SDK integration
        maven { url 'https://jitpack.io' }
        maven {
            url "https://mobile-sdks.forter.com/android"
            credentials {
                username "forter-android-sdk"
                password "HvYumAfjVQYQFyoGsmNAefGdR84Esqig"
            }
        }
        maven { url = uri("https://maven.fpregistry.io/releases") }
    }
}
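
A more tightly scoped variant of the repository block above, as an added example rather than OSL Pay's own configuration: each extra repository is limited to the dependency groups listed in step 3, and the Forter credentials are read from Gradle properties instead of being committed in settings.gradle. The property names forterRepoUser and forterRepoPassword are hypothetical.

```groovy
// settings.gradle (added example; property names below are assumptions)
dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()

        maven {
            url 'https://jitpack.io'
            content {
                // Only the two JitPack-hosted groups from step 3:
                // fingerprint-android and checkout-risk-sdk-android.
                includeGroup 'com.github.fingerprintjs'
                includeGroup 'com.github.checkout'
            }
        }

        maven {
            url 'https://mobile-sdks.forter.com/android'
            credentials {
                // Defined in ~/.gradle/gradle.properties or passed with -P,
                // so the values stay out of version control.
                username = providers.gradleProperty('forterRepoUser').get()
                password = providers.gradleProperty('forterRepoPassword').get()
            }
            content {
                // Group of com.forter.mobile:fortersdk from step 3.
                includeGroup 'com.forter.mobile'
            }
        }

        // The page does not state which group this registry serves,
        // so no content filter is applied here.
        maven { url = uri('https://maven.fpregistry.io/releases') }
    }
}
```

Without the content filters, Gradle queries repositories in declaration order, so jitpack.io is asked for com.forter.mobile artifacts before the Forter repository is. If a transitive dependency fails to resolve, extend the relevant includeGroup list rather than removing the filter.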

4. Required permissions for the SDK

The OSL Pay Risk SDK declares the following permissions:

    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />

5. Proguard configuration

OSL Pay Risk SDK depends on Retrofit and OkHttp. Add the following Proguard configuration:

# for OkHttp
# JSR 305 annotations are for embedding nullability information.
-dontwarn javax.annotation.**

# Animal Sniffer compileOnly dependency to ensure APIs are compatible with older versions of Java.
-dontwarn org.codehaus.mojo.animal_sniffer.*

# OkHttp platform used only on JVM and when Conscrypt and other security providers are available.
# May be used with robolectric or deliberate use of Bouncy Castle on Android
-dontwarn okhttp3.internal.platform.**
-dontwarn org.conscrypt.**
-dontwarn org.bouncycastle.**

# for Retrofit
# Retrofit does reflection on generic parameters. InnerClasses is required to use Signature and
# EnclosingMethod is required to use InnerClasses.
-keepattributes Signature, InnerClasses, EnclosingMethod

# Retrofit does reflection on method and parameter annotations.
-keepattributes RuntimeVisibleAnnotations, RuntimeVisibleParameterAnnotations

# Keep annotation default values (e.g., retrofit2.http.Field.encoded).
-keepattributes AnnotationDefault

# Retain service method parameters when optimizing.
-keepclassmembers,allowshrinking,allowobfuscation interface * {
    @retrofit2.http.* <methods>;
}

# Ignore annotation used for build tooling.
-dontwarn org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement

# Ignore JSR 305 annotations for embedding nullability information.
-dontwarn javax.annotation.**

# Guarded by a NoClassDefFoundError try/catch and only used when on the classpath.
-dontwarn kotlin.Unit

# Top-level functions that can only be used by Kotlin.
-dontwarn retrofit2.KotlinExtensions
-dontwarn retrofit2.KotlinExtensions$*

# With R8 full mode, it sees no subtypes of Retrofit interfaces since they are created with a Proxy
# and replaces all potential values with null. Explicitly keeping the interfaces prevents this.
-if interface * { @retrofit2.http.* <methods>; }
-keep,allowobfuscation interface <1>

# Keep inherited services.
-if interface * { @retrofit2.http.* <methods>; }
-keep,allowobfuscation interface * extends <1>

# With R8 full mode generic signatures are stripped for classes that are not
# kept. Suspend functions are wrapped in continuations where the type argument
# is used.
-keep,allowoptimization,allowshrinking,allowobfuscation class kotlin.coroutines.Continuation

# R8 full mode strips generic signatures from return types if not kept.
-if interface * { @retrofit2.http.* public *** *(...); }
-keep,allowoptimization,allowshrinking,allowobfuscation class <3>

# With R8 full mode generic signatures are stripped for classes that are not kept.
-keep,allowoptimization,allowshrinking,allowobfuscation class retrofit2.Response

Usage instructions

1. SDK usage overview

The SDK’s logic is straightforward—it collects parameters and returns a risk control token. It exposes only two methods:

  • com.osl.pay.risk.sdk.OslPayRiskSDK#init: initializes the SDK
  • com.osl.pay.risk.sdk.control.OSLPayRiskControl#getClientInfoToken: returns the risk control token

2. SDK initialization

Example code:

    fun initOslPaySdk(context: Application) {
        // During the development and debugging phase, use OslPayRiskSDK.ENVIRONMENT_SANDBOX. After going live, switch to OslPayRiskSDK.ENVIRONMENT_PROD.
        val envConfig = OslPayRiskSDK.ENVIRONMENT_SANDBOX
        OslPayRiskSDK.init(context, environment = envConfig)
    }

3. Get the Risk Control token

Example code:

    fun getClientInfoToken() {
        viewModelScope.launch(Dispatchers.IO) {
            val result = OSLPayRiskControl.getClientInfoToken()
            if (result is ResultData.Success) {
                // If obtaining the risk control token is successful, result.data.clientInfoToken will provide the token
            } else {
                // If obtaining the risk control token fails
            }
        }
    }

The returned data is in JSON format.

 {
   "clientInfoToken": "c71889e7ca060e806772c118cf967d4f"
 }

Reference files

  1. Risk SDK for Web
  2. Checkout Android SDK
  3. Fingerprint Android SDK
  4. Forter's Android SDK
  5. OSL Pay Risk SDK Demo - Android Github