In critical business scenarios such as user registration, logon, and coupon collection, you must detect device risks such as emulators, root access, and multi-instance environments. This topic describes how to call the device risk identification service (Basic Edition and Enhanced Edition) to obtain device risk detection results, including event parameters, response parameters, error codes, and SDK integration methods. This applies to scenarios such as campaign anti-fraud and account security protection.
Editions
To meet the risk control requirements of different industries and enterprises at different stages of development, device risk identification is available in two editions: Basic Edition and Enhanced Edition. The following table compares the differences between the two editions.
Feature | Basic Edition | Enhanced Edition |
Real-time computing | Supported | Supported |
Service response | Risk tag | Risk tag and unique device ID |
Log Service (SLS) delivery | Not supported | Supported. You can authorize log delivery and store logs free of charge for one year. |
Select an edition
Basic Edition: Suitable for scenarios that require only risk tag determination, such as basic risk control requirements like identifying whether a device is an emulator, rooted, or running in a multi-instance environment.
Enhanced Edition: Suitable for scenarios that require a unique device ID for cross-session tracking, or require log delivery to Log Service (SLS) for in-depth analysis.
Prerequisites
Before using the device risk identification service, make sure that the following prerequisites are met:
The device risk identification service is activated.
An AccessKey ID and an AccessKey Secret are obtained. We recommend that you use a RAM user to access the API instead of using the AccessKey pair of your Alibaba Cloud account.
The client SDK is integrated. For more information, see SDK Integration Guide.
Input parameters
Service Parameter
The Service parameter specifies the service edition to call. The following table lists the Service parameter values for different editions.
Edition | Service Parameter Value |
Basic Edition |
|
Enhanced Edition |
|
ServiceParameters
ServiceParameters contains the specific business request parameters in JSON format, corresponding to the ServiceParameters field in Common Parameters. The following table describes the request parameters for the device risk identification service (including Basic Edition and Enhanced Edition).
Field Name | Description | Data Type | Example | Required | Remarks |
deviceToken | Obtain the deviceToken from the Device Risk SDK. | String | Tk9SSUQuMS***************************ZDNmNWY5NzQxOW1oLTE2MjI2NDIyNjc4MzAtZmIwODAwOGE2NGZWFhdDgzMTBLUlVSU0VoWWVNcW82ZkZlZWJBY0s0QmFGOGNyT3poY2txZXVqRjMyc1lCaDdBL2pzRTRPdXhmZjU5NEgxcGlQMGFEU1AwajZpa1ZTQ1FlbE5IQmZkTklZVzVkV2VDM1hHNUMreVRtMXFFemp3PT0= | Yes | Under normal conditions, the token length is around 600 bytes. In scenarios with poor network connectivity, the token length may exceed 2.5 KB. If a large number of long tokens are generated, first check whether the client network is stable, and then ensure that the interval between calling the SDK init and getSession methods is greater than 2 seconds. |
deviceTokenBizId | Business-specific unique ID | String | aes9ad0356da4df8c1f18bc349296d60 | No | We recommend that you pass this bizId when obtaining the deviceToken from the client SDK. This binds the current deviceToken to the current business-specific unique ID. When querying the results on the server side, pass them together, and ensure that the bizId passed from the client is consistent with the ID passed from the server to prevent the deviceToken from being replaced. |
Response parameters
The response parameters of the device risk identification service include the device ID and device risk tags.
Device ID
See the extend field in the response parameter Data. The unique device ID is returned only in the Enhanced Edition.
Device risk tags
See the tags field in the response parameter Data. If multiple tags are returned, they are separated by commas. Some tag meanings are as follows:
Value | Description |
is_emulator | The device is suspected of being an emulator. |
is_rooted | The device is suspected of being rooted. |
is_virtual | The device is suspected of running in a multi-instance environment. |
... | Log on to the Fraud Detection console to view more device tag descriptions. |
For more information, see Common Parameters.
Error codes
Code | Description |
200 | The request is successful. |
400 | The ServiceParameters (event parameter) is invalid. |
402 | The QPS exceeds the purchased quota. The request is throttled. |
403 | Insufficient permissions. The service is not activated or has expired. |
404 | The Service (service parameter) is invalid. |
500 | An internal server error occurred. |
SDK integration
For the complete integration demo, see SDK Integration Guide. The following example uses the Java SDK.
Maven dependencies
Java Maven dependency:
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-saf</artifactId>
<version>3.0.1</version>
</dependency>
Recommended Java Maven dependency versions:
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-core</artifactId>
<optional>true</optional>
<version>4.5.25</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.68.noneautotype</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.3</version>
</dependency>
<dependency>
<groupId>io.opentracing</groupId>
<artifactId>opentracing-util</artifactId>
<version>0.31.0</version>
</dependency>
Java SDK source code
// The AccessKey pair of an Alibaba Cloud account has permissions on all API operations.
// We recommend that you use a RAM user for API access and daily O&M.
// Do not save the AccessKey ID and AccessKey Secret in your project code to prevent AccessKey leakage,
// which may compromise the security of all resources under your account.
// This example uses environment variables to read the RAM user AccessKey for API authentication.
// Before running this code, make sure the following environment variables are configured:
// ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET.
// Create and initialize a DefaultAcsClient instance. Initialize only once.
DefaultProfile profile = DefaultProfile.getProfile(
"cn-shanghai", // Region ID. cn-shanghai is recommended for the China site. Must match the client SDK reporting domain.
System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), // RAM user AccessKey ID
System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET") // RAM user AccessKey Secret
);
// HTTP connection pool configuration
HttpClientConfig clientConfig = HttpClientConfig.getDefault();
clientConfig.setMaxRequestsPerHost(6);
clientConfig.setMaxIdleConnections(20);
// HTTP timeout configuration
clientConfig.setReadTimeoutMillis(10000);
clientConfig.setConnectionTimeoutMillis(3000);
profile.setHttpClientConfig(clientConfig);
IAcsClient client = new DefaultAcsClient(profile);
// Send the request
ExecuteRequestRequest executeRequestRequest = new ExecuteRequestRequest();
// To specify a custom version number, modify it here. Default: 2019-05-21
executeRequestRequest.setVersion("2019-05-21");
// Specify the request method
executeRequestRequest.setSysMethod(MethodType.POST);
// Specify the protocol. Currently, only HTTPS is supported.
executeRequestRequest.setSysProtocol(ProtocolType.HTTPS);
// Product code for the device risk identification service: device_risk or device_risk_pro.
// See the Service parameter row in the "Editions" table.
String service = "device_risk";
executeRequestRequest.setService(service);
// Business parameters. Set only the parameters you need.
Map<String, Object> serviceParams = new HashMap<String, Object>();
// deviceToken is required.
serviceParams.put("deviceToken", "TK******************");
executeRequestRequest.setServiceParameters(JSONObject.toJSONString(serviceParams));
executeRequestRequest.setAcceptFormat(FormatType.JSON);
try {
ExecuteRequestResponse httpResponse = client.getAcsResponse(executeRequestRequest);
System.out.println("httpResponse:" + JSONObject.toJSONString(httpResponse));
} catch (Exception e) {
e.printStackTrace();
}
Verify the call result
After calling the SDK to send a request, you can verify the integration by checking the following:
A return value of
Code=200indicates that the request is successful.
Supported regions
The REGION-ID parameter must match the device risk SDK reporting domain.
Region | Description |
cn-shanghai | China (Shanghai) (Default for China site) |
How it works
After integrating the device SDK, call the server-side API of the device risk identification service during critical business operations and pass the service field to obtain the risk detection result. A single risk detection workflow consists of the following steps:
Initialize the SDK: We recommend that you asynchronously initialize the SDK when the app starts to collect and report basic fields. Depending on the system and device model, this process typically takes 2 to 5 seconds.
Obtain the device token: Call the SDK's local method to obtain the deviceToken.
Call the server-side API: Pass the deviceToken and other business fields (refer to the specific event definition). After the cloud detection model calculates the result, it returns the detection result in real time.
