Powered by Soft Space Sdn. Bhd.
201201002345 (975870-D)
www.softspace.com.my

SDK Integration

SDK Integration

The Fasstap™ SDK has to be integrated with third party application in order to initiate a transaction and this section describes the flow details in each step.

Setup Flow

There are some preliminary setup steps must be carried out before utilizing Fasstap™ SDK. Please perform the following steps in sequence:

  1. Client has to exchange the public PGP key with Soft Space.

  2. Client has to provide Soft Space the application's application ID by protecting it with PGP. We will be registering the application into the attestation service to make the application recognizable when the application performs attestation. Please note that altering the application ID upon registration will result in attestation failure, or SDK crashing.

  3. Client has to provide Soft Space the Fasstap™ app's signing keystore's public key. This key must be the same key that will be used to sign the application before uploading to the Google Play Store. The following command can be used to extract the public key:

    keytool -export -keystore path/to/keystore.keystore -alias yourAlias -rfc -file path/to/export.cert

    And upon extraction, the key shall be protected by PGP and send to Soft Space.

  4. Soft Space will be providing the access key, secret key, Attestation Service's CA cert, and the SDK's library files, which they will be protected by using the PGP key that we have shared.

  5. Place the listed given files into /your/project/libs

    • ssmobile-pog-engine-1.0.0.aar
    • ssmobile-tee-reader-engine-1.0.0.aar
    • VisaSensoryBranding.aar
    • ssmobile-fasstap-sdk-3.0.0.aar
    • ssmobile-androidutil-engine-3.0.0.aar
    • ssmobile-fasstapsdk-wrapper-1.0.0.aar
    • ssmobile-mpos-core-release.aar
    • ssmobile-mpos-sdk-release.aar
    • ssmobile-reader-engine-1.0.0.aar
    • ssmobile-uicomponent-engine-3.0.0.aar
    • ssmobile-thirdparty-engine-1.0.0.aar

  6. Make sure the minSdkVersion in your project's Gradle is 26 to 32.

  7. Make sure the sourceCompatibility and targetCompatibility under compileOptions are both targetting JavaVersion.VERSION_1_8

  8. Include the dependencies from the aar files listen in step 1, by using code

    implementation fileTree(dir: 'libs', include: ['*.aar'])

  9. Include Fasstap™ SDK's dependencies by using code

    implementation 'com.google.android.gms.play:integrity:1.0.2'
implementation 'com.google.android.gms:play-services-location:21.0.1'
implementation 'com.google.code.gson:gson:2.8.5'
implementation 'com.squareup.okhttp3:okhttp:3.14.7'
implementation 'androidx.room:room-runtime:2.2.5'
implementation 'androidx.localbroadcastmanager:localbroadcastmanager:1.0.0'
implementation 'com.jakewharton.timber:timber:4.7.0'
implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.70'
implementation 'com.google.code.gson:gson:2.8.5'
implementation 'androidx.lifecycle:lifecycle-process:2.2.0'

// Discover
implementation 'androidx.preference:preference-ktx:1.1.1'
implementation 'androidx.core:core-ktx:1.2.0'
implementation 'androidx.security:security-crypto:1.0.0'

// QR 
implementation 'com.google.zxing:core:3.4.0'

  10. Add the following json files into /your/project/src/main/res/raw directory:

    • config_uat.env
    • mc_sensory_transaction.mp4

Init Flow

Upon completing Setup Flow, application project is now able to import and make use of Fasstap™ SDK API successfully. Figure below depicts the Fasstap™ SDK Initialization flow.

Application should start by setting up configuration object. Below is a sample snippet of codes that perform the configuration.

Tips

For more information about each configuration field, please take a look at SSMPOSSDKConfiguration

SSMPOSSDKConfiguration config = SSMPOSSDKConfiguration.Builder.create() 
    .setAttestationHost("https://mpos-uat.fasspay.com:9001") 
    .setAttestationHostCertPinning("sha256/BjlJjxY7OhxhAz6yqy2gm58+qlP0AGwnBHDIG6zkhfU=")
    .setAttestationHostReadTimeout(10000L) 
    .setAttestationRefreshInterval(300000L) 
    .setAttestationStrictHttp(true) 
    .setAttestationConnectionTimeout(30000L) 
    .setLibGooglePlayProjNum("1234567890") // using own google play project number
    .setLibAccessKey("KxNXmOxZmjoP3BHqp+XdQEp6BrRDOKZMCdJL85H9fsEGAg==") 
    .setLibSecretKey("1vkai6Jq1zXVXytlt+bagA9VFgEcXYQjfbLWmczc7mM=") 
    .setUniqueID("xxxxx")
    .setDeveloperID("xxxxxxxxx")
    .setEnvironment(Environment.UAT)
    .build();

SSMPOSSDK.init(context, config);
SSMPOSSDK.getInstance().startTransaction(context, trxParams, callback);

Once the setup mentioned above are completed, application can then make call to init the Fasstap™ SDK, as below code.

SSMPOSSDK.init(context, config);

After the initialization has carried out successfully, the application could then use

SSMPOSSDK.getInstance();

to obtain the SDK’s singleton representation to carry out any SDK’s action like attestation and transaction.

The SDK has handled most of the attestation properly, but there are some security measurements that needed to be implemented by the project instead. And below are the required handlings that needed to be added.

Making sure application is not multi-window supported. This can be done by adding code snippet below in your Android.manifest file.

<application android:resizeableActivity="false">
    . . .
</application>

Making sure the application is not running on a separate display (projection mode, for example). This can be done by adding the following code snippet as checking when transaction starts.

DisplayManager dm = (DisplayManager) context.getSystemService(Context.DISPLAY_SERVICE);
Display[] allDisplays = dm.getDisplays();
for(Display display : allDisplays) {
    if ((display.getFlags() & Display.FLAG_PRESENTATION) == Display.FLAG_PRESENTATION) {
        return false;
    }    
}
return true;

Codes above basically checking all the displays available in the system, aren’t running in presentation mode.

Application should also ensure that screen capturing function is disabled. This can be done by adding the following code in your Activities’ onCreate method.

getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);

Payment Flow

Upon initialization and attestation been carried out successfully, App may then request for payment action with Fasstap™ SDK. Figure below shows the payment flow using Fasstap™ SDK. The SDK will handle the NFC and card APDU challenging part, and the online request message shall be constructed by the SDK as well.

When the kernel has done processing the payment, it shall then require online authorization request (MPOS is currently supporting only Online Capability). The SDK will forward the request for Host Authorization. And the request message includes plenty of request tags and values. Data will be encrypted before forwarding to the Fasstap™ Server.

After capturing host response, SDK could verify the transaction status from host and then proceed with Fasstap™’s business logic.