
Integrate Prove Bot Detection SDK for SMS fraud prevention #56

Open
Copilot wants to merge 7 commits into main from copilot/integrate-prove-bot-detection


Copilot AI commented Feb 11, 2026

Adds Prove Bot Detection to prevent SMS fraud during sign-in, sign-up, and strong auth verification flows. Bot detection runs before OTP codes are sent, blocking suspicious requests.

Changes

Dependency & Configuration

  • Added Prove SDK dependency (com.prove.sdk:proveauth:+) and Maven repository
  • Added required Android permissions: INTERNET, ACCESS_NETWORK_STATE, CHANGE_NETWORK_STATE

Core Implementation

  • Created ProveBotDetectionHelper singleton for SDK lifecycle and bot detection API calls
  • Initialized Prove SDK in AuthClient.initialize() to obtain device-level Prove Key
  • Integrated bot detection gates in:
    • EmailSignInSignUpFragment (signIn/signUp)
    • EmailPasswordSignInSignUpFragment (signIn/signUp)
    • StrongAuthVerificationContactFragment (verifyContact for SMS channel)

Flow Example

// Bot detection gate before authentication
if (ProveBotDetectionHelper.hasProveKey()) {
    val botResult = ProveBotDetectionHelper.performBotDetection(phoneNumber)
    when (botResult) {
        is BotDetectionResult.Failed -> {
            displayDialog("Fraud Detection", "Sign-in blocked: ${botResult.reason}")
            return@launch
        }
        is BotDetectionResult.Error -> Log.w(TAG, "Bot detection error: ${botResult.message}")
        is BotDetectionResult.Passed -> Log.i(TAG, "Bot detection passed")
    }
}

Configuration Required

  • Replace BOT_DETECTION_BACKEND_URL with production backend endpoint
  • Replace placeholder Prove Key initialization with actual SDK calls
  • Update phone number extraction logic (currently uses email field as placeholder)

Warning: Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -Xmx1536m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /home/REDACTED/.gradle/wrapper/dists/gradle-8.13-bin/5xuhj0ry160q40clulazy9h7d/gradle-8.13/lib/gradle-daemon-main-8.13.jar (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Overview

Integrate Prove Bot Detection into this sample Android app to add SMS fraud detection before OTP codes are sent during sign-in, sign-up, and strong auth verification flows.

Changes Required

1. Add Prove SDK Repository & Dependency

settings.gradle — Add the Prove Maven repository:

include ':app'

dependencyResolutionManagement {
    repositories {
        maven {
            url = "https://prove.jfrog.io/artifactory/libs-public-maven/"
        }
    }
}

app/build.gradle — Add the Prove SDK dependency in the dependencies block (alongside existing dependencies like okhttp):

// Prove Bot Detection SDK
implementation 'com.prove.sdk:proveauth:+'

2. Add Required Permissions to AndroidManifest.xml

Ensure the following permissions are present in app/src/main/AndroidManifest.xml:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />

3. Create a new Prove Bot Detection Helper class

Create a new file at app/src/main/java/com/azuresamples/msalnativeauthandroidkotlinsampleapp/ProveBotDetectionHelper.kt with the following implementation:

package com.azuresamples.msalnativeauthandroidkotlinsampleapp

import android.content.Context
import android.util.Log
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.withContext
import okhttp3.MediaType.Companion.toMediaType
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.RequestBody.Companion.toRequestBody
import org.json.JSONObject

/**
 * Helper class for integrating Prove Bot Detection into the sign-in/sign-up flows.
 *
 * Flow overview (per https://developer.prove.com/docs/check-for-prove-key#prompt-for-phone-number-3):
 * 1. Initialize the Prove SDK on app start to obtain a device-level "Prove Key".
 * 2. Before sending an OTP / completing sign-in, call YOUR backend with the phone number + Prove Key.
 * 3. Your backend calls Prove's /v3/verify API with verificationType="bot".
 * 4. The backend returns the bot-detection result to the app.
 * 5. The app decides whether to proceed with authentication or block the attempt.
 */
object ProveBotDetectionHelper {

    private const val TAG = "ProveBotDetection"

    // IMPORTANT: Replace with your own backend endpoint that proxies to Prove's API.
    // NEVER call Prove's API directly from the client — your access token must stay server-side.
    private const val BOT_DETECTION_BACKEND_URL = "https://your-backend.example.com/api/prove/bot-detect"

    private val httpClient = OkHttpClient()
    private var proveKey: String? = null

    /**
     * Initialize the Prove SDK and retrieve the Prove Key (device fingerprint).
     * Call this once during app startup (e.g., in AuthClient.initialize).
     */
    fun initialize(context: Context) {
        try {
            // Initialize the Prove SDK — the exact API depends on the SDK version.
            // Refer to: https://developer.prove.com/reference/unify-android-sdk
            //
            // Example (pseudocode — adapt to actual SDK):
            // ProveAuth.initialize(context, "YOUR_PROVE_CLIENT_ID")
            // proveKey = ProveAuth.getDeviceId()

            Log.i(TAG, "Prove SDK initialized. Prove Key obtained.")

            // TODO: Replace the line below with real SDK call
            // proveKey = ProveAuth.getDeviceId()
            proveKey = "PLACEHOLDER_PROVE_KEY" // Remove this after real integration
        } catch (e: Exception) {
            Log.e(TAG, "Failed to initialize Prove SDK", e)
        }
    }

    /**
     * Check whether the Prove Key is available.
     */
    fun hasProveKey(): Boolean {
        return !proveKey.isNullOrBlank()
    }

    /**
     * Perform bot detection by calling YOUR backend with the phone number and Prove Key.
     *
     * Your backend should:
     *   1. Obtain a Prove access token (OAuth2 client_credentials grant).
     *   2. POST to https://platform.prove.com/v3/verify with:
     *      {
     *        "verificationType": "bot",
     *        "phoneNumber": "<phone>",
     *        "deviceId": "<proveKey>",
     *        "clientRequestId": "<unique-session-id>"
     *      }
     *   3. Return the result to the mobile app.
     *
     * @param phoneNumber The phone number entered by the user (E.164 format recommended)
     * @return BotDetectionResult indicating whether the user passed or failed bot detection
     */
    suspend fun performBotDetection(phoneNumber: String): BotDetectionResult {
        if (!hasProveKey()) {
            Log.w(TAG, "Prove Key not available. Cannot perform bot detection.")
            return BotDetectionResult.Error("Prove Key not available. Please restart the app.")
        }

        return withContext(Dispatchers.IO) {
    ...





*This pull request was created from Copilot chat.*
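The server-side proxy that the helper's doc comment asks for (steps 1-3 of the backend flow), written here as an added example in Python; it is not code from the PR, the sample app or Prove's SDK. The Prove client_id and client_secret are handled only on this backend, and only the verdict travels back to the app. The token endpoint URL, the token request body and the response field names `success`/`reason` are assumptions, since the page does not give them.

```python
# Added example, not part of the PR: the server-side half of the flow that the
# ProveBotDetectionHelper doc comment describes. The Prove client credentials
# live only on this backend; the Android app sends just {phoneNumber, proveKey}.
import uuid
from typing import Any, Callable, Dict, Optional, Tuple

PROVE_VERIFY_URL = "https://platform.prove.com/v3/verify"            # endpoint named in the PR
PROVE_TOKEN_URL = "https://PLACEHOLDER-prove-token-endpoint/token"  # placeholder: not on the page

# The HTTP transport is injected so the logic can run offline in tests:
# transport(method, url, headers, json_body) -> (status_code, json_response)
Transport = Callable[[str, str, Dict[str, str], Dict[str, Any]], Tuple[int, Dict[str, Any]]]


def get_access_token(transport: Transport, client_id: str, client_secret: str) -> str:
    """Step 1: OAuth2 client_credentials grant. The request body shape is an assumption."""
    status, body = transport("POST", PROVE_TOKEN_URL, {"Content-Type": "application/json"},
                             {"grant_type": "client_credentials",
                              "client_id": client_id, "client_secret": client_secret})
    if status != 200 or not body.get("access_token"):
        raise RuntimeError("Prove token request failed")
    return body["access_token"]


def bot_check(transport: Transport, token: str, phone_number: str, prove_key: str,
              client_request_id: Optional[str] = None) -> Dict[str, Any]:
    """Steps 2-3: POST /v3/verify with verificationType="bot" and reduce the answer
    to the three outcomes the app's BotDetectionResult models (passed/failed/error)."""
    # Reject malformed input before spending an upstream call (E.164: '+' and up to 15 digits).
    if not (phone_number.startswith("+") and phone_number[1:].isdigit()
            and len(phone_number) <= 16):
        return {"outcome": "error", "message": "phone number must be E.164"}
    if not prove_key:
        return {"outcome": "error", "message": "Prove Key missing"}
    payload = {                                  # fields exactly as listed in the PR comment
        "verificationType": "bot",
        "phoneNumber": phone_number,
        "deviceId": prove_key,
        "clientRequestId": client_request_id or str(uuid.uuid4()),
    }
    status, body = transport("POST", PROVE_VERIFY_URL,
                             {"Authorization": f"Bearer {token}",
                              "Content-Type": "application/json"}, payload)
    # Only the verdict goes back to the app; the bearer token never leaves the backend.
    if status != 200:
        return {"outcome": "error", "message": f"upstream status {status}"}
    # "success" / "reason" are assumed response field names, not Prove's documented schema.
    if body.get("success") is True:
        return {"outcome": "passed"}
    return {"outcome": "failed", "reason": body.get("reason", "bot detection failed")}
```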

Copilot AI and others added 2 commits February 11, 2026 17:57
Co-authored-by: mustafamizrak <2135310+mustafamizrak@users.noreply.github.com>
Co-authored-by: mustafamizrak <2135310+mustafamizrak@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Prove Bot Detection integration for SMS fraud detection Integrate Prove Bot Detection SDK for SMS fraud prevention Feb 11, 2026
Copilot AI requested a review from mustafamizrak February 11, 2026 18:01
# Conflicts:
#	app/src/main/assets/config.json
#	app/src/main/java/com/azuresamples/msalnativeauthandroidkotlinsampleapp/ProveManager.kt
{
"Prove": {
"clientId": "nativeauthfraudcheck-poc-e7971c6c-c35b-4e17-80f8-99aefdb611c0-1770372962304",
"clientSecret": "CgvbgUQpZ95TXZOkYgi3TgOs1MITJj6L"
should we remove clientSecret from public sample?
