radarlabs · lmeier · Feb 11, 2026 · Nov 4, 2025 · Nov 19, 2025 · Jan 20, 2026
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "sdk-fraud"]
+	path = sdk-fraud
+	url = git@github.com:radarlabs/radar-lib-fraud-android.git
+	branch = initial-setup
-	branch = initial-setup
+	branch = main
-	branch = initial-setup
+	branch = main
diff --git a/example/src/main/res/xml/network_security_config.xml b/example/src/main/res/xml/network_security_config.xml
@@ -1,5 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <network-security-config>
+    <!-- For debugging local development server trackVerified -->
+    <!-- Allow connections to local development server without certificate validation -->
+    <!-- <domain-config cleartextTrafficPermitted="false">
+        <domain includeSubdomains="true">192.168.68.112</domain>
+        <trust-anchors>
+            <certificates src="system"/>
+            <certificates src="user"/>
+        </trust-anchors>
+    </domain-config> -->
-    <!-- For debugging local development server trackVerified -->
-    <!-- Allow connections to local development server without certificate validation -->
-    <!-- <domain-config cleartextTrafficPermitted="false">
-        <domain includeSubdomains="true">192.168.68.112</domain>
-        <trust-anchors>
-            <certificates src="system"/>
-            <certificates src="user"/>
-        </trust-anchors>
-    </domain-config> -->
-    <!-- For debugging local development server trackVerified -->
-    <!-- Allow connections to local development server without certificate validation -->
-    <!-- <domain-config cleartextTrafficPermitted="false">
-        <domain includeSubdomains="true">192.168.68.112</domain>
-        <trust-anchors>
-            <certificates src="system"/>
-            <certificates src="user"/>
-        </trust-anchors>
-    </domain-config> -->
     <domain-config cleartextTrafficPermitted="false">
         <domain includeSubdomains="true">api-verified.radar.io</domain>
         <pin-set>

diff --git a/sdk-fraud b/sdk-fraud
diff --git a/sdk/build.gradle b/sdk/build.gradle
@@ -75,6 +75,12 @@ dependencies {
     implementation "androidx.fragment:fragment:1.3.0"
     compileOnly "com.huawei.hms:location:6.16.0.302"
     compileOnly "com.google.android.play:integrity:1.2.0"
+
+    // Optional fraud detection module (Git submodule)
+    if (findProject(':sdk-fraud') != null) {
+        implementation project(':sdk-fraud')
+    }
+
     testImplementation "androidx.test.ext:junit:1.1.5"
     testImplementation "org.robolectric:robolectric:4.10"
     testImplementation 'org.json:json:20211205'

diff --git a/sdk/src/main/java/io/radar/sdk/RadarApiClient.kt b/sdk/src/main/java/io/radar/sdk/RadarApiClient.kt
@@ -276,6 +276,7 @@ internal class RadarApiClient(
         expectedStateCode: String? = null,
         reason: String? = null,
         transactionId: String? = null,
+        fraudPayload: String? = null,
         callback: RadarTrackApiCallback? = null
     ) {
         val publishableKey = RadarSettings.getPublishableKey(context)
@@ -401,6 +402,9 @@ internal class RadarApiClient(
                 params.putOpt("integrityToken", integrityToken)
                 params.putOpt("integrityException", integrityException)
                 params.putOpt("encrypted", encrypted)
+                if (fraudPayload != null) {
+                    params.putOpt("fraudPayload", fraudPayload)
+                }
                 if (expectedCountryCode != null) {
                     params.putOpt("expectedCountryCode", expectedCountryCode)
                 }

diff --git a/sdk/src/main/java/io/radar/sdk/RadarApiHelper.kt b/sdk/src/main/java/io/radar/sdk/RadarApiHelper.kt
@@ -18,12 +18,37 @@ import java.util.Scanner
 import java.util.concurrent.Executors
 import javax.net.ssl.HttpsURLConnection
 
+// // For debugging local development server trackVerified
+// import javax.net.ssl.SSLContext
+// import javax.net.ssl.TrustManager
+// import javax.net.ssl.X509TrustManager
+// import javax.net.ssl.HostnameVerifier
+// import java.security.cert.X509Certificate
+
 internal open class RadarApiHelper(
     private var logger: RadarLogger? = null
 ) {
 
     private val executor = Executors.newSingleThreadExecutor()
     private val handler = Handler(Looper.getMainLooper())
+
+    // // For debugging local development server trackVerified
+    // // Custom TrustManager that accepts all certificates
+    // private val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
+    //     override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
+    //     override fun checkClientTrusted(certs: Array<X509Certificate>, authType: String) {}
+    //     override fun checkServerTrusted(certs: Array<X509Certificate>, authType: String) {}
+    // })
+
+    // // SSLContext that uses the custom TrustManager
+    // private val sslContext: SSLContext by lazy {
+    //     val context = SSLContext.getInstance("TLS")
+    //     context.init(null, trustAllCerts, java.security.SecureRandom())
+    //     context
+    // }
+
+    // // Custom HostnameVerifier that accepts all hostnames
+    // private val hostnameVerifier = HostnameVerifier { _, _ -> true }
 
     interface RadarApiCallback {
         fun onComplete(status: Radar.RadarStatus, res: JSONObject? = null)
@@ -64,6 +89,10 @@ internal open class RadarApiHelper(
         executor.execute {
             try {
                 val urlConnection = url.openConnection() as HttpsURLConnection
+                // // For debugging local development server trackVerified
+                // // Configure SSL to accept any certificate and hostname
+                // urlConnection.sslSocketFactory = sslContext.socketFactory
+                // urlConnection.hostnameVerifier = hostnameVerifier
                 if (headers != null) {
                     for ((key, value) in headers) {
                         try {