Android SDK quick start with Identity Orchestration-powered backend

This guide describes how to quickly integrate Detection and Response services into your Android application and obtain real-time risk recommendations using Identity Orchestration journeys. This guide covers the client-side integration (using the Detection and Response SDK and the Identity Orchestration SDK) and the journey configuration needed to complete the flow.

How it works

The flow starts with the user navigating to your Android app (1). The Detection and Response (DRS) SDK and the Identity Orchestration (IDO) SDKs get initialized (2 & 3). The DRS SDK starts streaming telemetry data to Mosaic (4). The application requests a session token (5), the DRS sends a request to the Mosaic server (6) and receives a session token (7), which is then returned to the application (8).

When a user performs a high risk action (9), the application notifies the IDO SDK to start a journey (10). The IDO SDK invokes a journey (11). Mosaic reaches the risk recommendation step (12) and sends a request to the DRS engine (13). As soon as a recommendation is returned (14), IDO processes the risk (15) and passes this data to the IDO SDK (16), which then forwards it to the application (17). The application proceeds depending on results (18).

UserApplicationDRS SDKIDO SDKMosaic DRS serivceMosaic IDO servicealt[Do Once]1. open app2. Initialize3. Initialize4. Streaming telemetry5. getSessionToken6. Start session7. session_token8. session_token9. High risk action10. Start journey(session_token)11. Start journey(session_token)12. Reach new riskrecommendation step13. New trigger-actionAPI (session_token)14. Risk recommendation15. Process risk16. Complete (recommendation json)17. Recommendation json18. Allow/Challenge/DenyUserApplicationDRS SDKIDO SDKMosaic DRS serivceMosaic IDO service

Requirements

  • Android 5+ (API level 21+)

Before you start

  • Allow Mosaic IPs and domains on your network
  • Extend the Content-Security-Policy header, if CSP is enabled on your web server

Step 1: Get client credentials

Admin portal

Client credentials are used to identify your app and generate access tokens for authorizing Mosaic requests. To obtain them, you'll need to create an application in the Admin Portal (if you don’t have one yet).

  1. From Applications , click Add application .
  2. Add the friendly application name to display in the Admin Portal.
  3. Configure a client: its display name, and your website URL as a redirect URI (e.g., https://your-domain.com ).
    Note

    These fields are required for all Mosaic apps, but won’t be used for Detection and Response or Identity Orchestration journeys.

  4. Click Add to create your client. This will automatically generate your client credentials.

Step 2: Orchestrate the backend logic

Admin portal

Identity Orchestration can handle the business logic responsible for obtaining risk recommendations for sensitive events. This includes the following configuration steps:

  1. Store client credentials
  2. Create a web function
  3. Configure journey steps

1. Store client credentials

Start by saving the client credentials you've acquired in Step 1 with Identity Orchestration. This step is required in order to authorize journey calls.

  1. Navigate to Admin Portal > Orchestration > Keys and Credentials > Credentials and select +Add credentials .
  2. Provide an alias and input client ID and secret.

See Key and credentials for more details.

2. Create a web function

Create a new web function that calls the Trigger action endpoint. See Web service function for more details.

  1. Navigate to Admin Portal > Orchestration > External Connections and select +Add > API > Web service function .
  2. Provide a function name, e.g., trigger_action_for_user
  3. Add function argument # 1:
    • Argument name: session_token
    • Argument description: DRS SDK session token
    • Type description: string
  4. Add function argument # 2:
    • Argument name: action_type
    • Argument description: Client provided action type
    • Type description: string
  5. Add function argument # 3:
    • Argument name: user_id
    • Argument description: Identifier of an authenticated user
    • Type description: string
  6. Add function argument # 4:
    • Argument name: correlation_id
    • Argument description: Interaction ID in your app
    • Type description: string
  7. Configure the format:
    • Request URI: https://api.transmitsecurity.io/risk/v1/action/trigger-action?get_recommendation=true
    • HTTP request method: POST
    • Request body:
      Copy
      Copied
      {
    "session_token": "${session_token}",
    "action_type": "${action_type}",
    "correlation_id": "${correlation_id}",
    "user_id": "${user_id}"
}
    • Request header:
      • Name: Content-Type
      • Value: application/json
  8. Configure authentication:
    • Authentication Type: OAuth 2 Client Credentials Grant
    • URL: https://api.transmitsecurity.com/oidc/token
    • Credentials alias: select the alias created in Step 2.1
    • Scope: offline_access
    • Resource: https://risk.identity.security
  9. Set the response format to JSON object .
  10. Save a function.

3. Configure journey steps

Configure an identity journey for obtaining risk recommendations and exporting a result.

  1. In the Admin Portal, go to the Orchestration > Identity journeys and create a new Client SDK journey. Provide a name, e.g., risk-recommendation .
  2. Add the Invoke a Web Service step and configure it to use the web function defined in Step 3.2 .
    • Configure the step to set its result into the output variable (e.g., risk_recommendation ).
    • Configure the step to retrieve the input parameters provided by the client in the journey (see Step 6 ) as follows:
      • session_token : @policy.request().params["session_token"]
      • action_type : @policy.request().params["action_type"]
      • user_id : @policy.request().params["user_id"]
      • correlation_id : @policy.request().params["correlation_id"]
  3. Add the Provide JSON Data step and set the Data to Send to:
    Copy
    Copied
     {
    "risk_recommendation": risk_recommendation
 }
  4. Add the Complete Journey step.

Your journey will look as follows:

Step 3: Add SDKs to project

client

Add the following lines in the shared build.gradle file ("allprojects" scope):

Copy
Copied
dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {

        maven {
            url('https://transmit.jfrog.io/artifactory/transmit-security-gradle-release-local/')
        }
        mavenCentral()
        google()
    }
}

Add the following in the module build.gradle file (project scope):

Copy
Copied
dependencies {
    implementation("com.ts.sdk:accountprotection:2.1.+")
    implementation("com.ts.sdk:identityorchestration:1.0.+")
}

Step 4: Initialize SDKs

client
DRS SDK
IDO SDK

Initializing the SDKs configures them to work with your client ID. It also allows setting the base URL for the SDK to use, whether a Mosaic-provided path or your own proxy. In case of Detection and Response, it starts streaming telemetry data upon SDK initialization.

Initialize using strings.xml configuration (recommended)

To do this, update the strings.xml file in your Application with the following content. The [CLIENT_ID] should be replaced with your client ID from Step 1.

Copy
Copied
<resources>
    <!-- Mosaic Credentials -->
    <string name="transmit_security_client_id">"YOUR_CLIENT_ID"</string>
    <string name="transmit_security_base_url">https://api.transmitsecurity.io/</string> <!-- Default -->
</resources>
Note

The SDK can be configured to work with a different cluster or a proxy by setting transmit_security_base_url to a different URI.

Add the code below to your Application class.

Copy
Copied
class Application : Application() {
    override fun onCreate() {
        super.onCreate()
        TSAccountProtection.initializeSDK(this)
        TSIdo.initializeSDK(this)
    }
}
Initialize using SDK parameters

Add the code below to your Application Class. The [CLIENT_ID] should be replaced with your client ID from Step 1.

Copy
Copied
class Application : Application() {
    override fun onCreate() {
        super.onCreate()
        TSAccountProtection.initialize(this, "CLIENT_ID")
        TSIdo.initializeSDK(context,
            clientId,
            TSIdoInitOptions(baseUrl))  // Default is https://api.transmitsecurity.io
    }
}
Note

The SDK can be configured to work a different cluster or a proxy by setting baseUrl to a different URI.

Step 5: Create session token

client
DRS SDK

Obtain a DRS session token by executing the code below. This step occurs once per application lifecycle. Save the received session token in order to obtain risk recommendations in the next step (Step 6).

Copy
Copied
TSAccountProtection.getSessionToken(object : ISessionTokenCallback {
    override fun onSessionToken(sessionToken: String) {

    }

})

Step 6: Invoke journey

client
IDO SDK

To obtain risk recommendations, the journey (created in Step 2) should start in response to sensitive user interactions, such as payments. Your application should present a button and call the below on user click. Along with the journey invocation, pass:

  • session_token received in Step 5
  • action_type from our list of actions that represents a high risk action the user attempts to perform
  • user_id that represents a hash of the user logged into the app. The actual user ID should not be sent (this journey assumes the user has already authenticated in your app)
  • correlation_id of the interaction
Copy
Copied
@Keep
data class Params(val user_id: String, val action_type: String, val session_token: String, val correlation_id: String)
....
// Starts a journey
// JOURNEY_ID: journey name

TSIdo.startJourney([JOURNEY_ID],
    TSIdoStartJourneyOptions(Params([USER_ID], [ACTION_TYPE], [SESSION_TOKEN], [CORRELATION_ID]),
        [FLOW_ID]), callback)
Note

The callback object should implement the TSIdoCallback interface.

Step 7: Handle recommendation

client
IDO SDK

Mosaic signals journey completion by setting the journeyStepId property to Rejection.type or Success.type. The IDO SDK returns recommendation data (idoServiceResponse.data.json_data) to the application to proceed accordingly.

Note

In your application, add code that performs the appropriate identity protection steps based on the Mosaic risk recommendation. For example, proceed normally if Mosaic returns 'allow', terminate and inform the user of the issue if 'deny', or trigger a step-up authentication process if 'challenge'.