General information

SDK/Library version: :3.3.0 Environment: SandBox Android 8

Issue description

As a developer I can test with a declined credit card, so that I should be notified my payment was not successful

General information

• SDK/Library version: 5.0.1
• Environment:Production
• Android Version and Device: Any device

Issue description

I tried to publish app in Google Play, but my app has been rejected due to unsafe implementation of the HostnameVerifier interface. I believe this is because Google Play changed policy and are not allowing anymore such a vulnerability.

I ran scanner to find potential sources in our app and report clearly say that Braintree SDK ( its dependencies) ignore SSL errors:

WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL errors, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.

Please fix your issue asap, since is blocking Google Play publishes.

General information

• SDK/Library version: 5.x version, 6.0.1
• Environment: both
• Android Version and Device: all devices

Issue description

Our application was found to store the credit or debit card number, expiry date and CVV in memory after the initial card registration for the entire period that the application was running thereafter. After exiting and re-starting the application, the data was no longer found in memory. I downloaded the demo project with the latest library (6.0.1), made a memory dump after registering the card and returning back to the main screen in the demo project, and the dump has all the data - the card number, cvv code, expiration date, and so on. The same situation with previous version too - with the latest 5.x version. In the memory dump, you can see that the credit card number is stored in several memory areas This still could present a risk where this was running on a rooted device, and a malicious application was monitoring memory for stored card data. Please see an example in the memory dump (test card): "operationName":"TokenizeCreditCard","variables":{"input":{"options":{"validate":true},"creditCard":{"number":"5105105105105100","expirationMonth":"08","expirationYear":"24","cvv":"200","billingAddress":{"postalCode":"347900"}}}}}

General information

• SDK/Library version: API 27 | Braintree Android 2.6.2/Drop-in 3.1/Card 5.1.1
• Gradle version: 4.4.1
• Environment: Sandbox
• Android Version and Device: Galaxy S7/7.0

Issue description

I'm working with this library in relation to the cordova-plugin-braintree library. Building the app works great, but when I tap on the drop-in UI, the app crashes and I see the following in the logs:

Class not found when unmarshalling: com.braintreepayments.api.dropin.DropInRequest
ClassNotFoundException: com.braintreepayments.api.dropin.DropInRequest

Here's the gradle file for the plugin:

def packageName = getPackageName()

android {
    defaultConfig {
        applicationId packageName
    }
}

dependencies {
    compile 'com.braintreepayments.api:braintree:2.3.12'
    compile 'com.braintreepayments.api:drop-in:3.0.1'
    compile 'io.card:android-sdk:5.4.1'
}

def getPackageName() {
    def config = file("res/xml/config.xml").getText()
    def xml = new XmlParser(false, false).parseText(config)
    return xml.attribute("id")
}

I realize that this may not be directly related to the SDK, so just hoping for some pointers on what I might look for. Appreciated!

From: @TatyanaRTB

General information

• SDK/Library version: Android SDK 4.0.1
• Environment: Development
• Android Version and Device: All Android versions with various devices
• Braintree dependencies:

• com.braintreepayments.api:braintree:3.14.0
• com.braintreepayments.api:drop-in:4.6.0
• com.braintreepayments.api:google-payment:3.3.1

Issue description

The issue is related to https://github.com/braintree/braintree_android/issues/308. Firstly we observed crash from the #308 and now after fixes crash happens in next step by code, when BrowserSwitchOptions.start is called:

ThreeDSecure:

public static void continuePerformVerification(BraintreeFragment fragment, ThreeDSecureRequest request, ThreeDSecureLookup threeDSecureLookup) {
    boolean showChallenge = threeDSecureLookup.getAcsUrl() != null;
    String threeDSecureVersion = threeDSecureLookup.getThreeDSecureVersion();
    fragment.sendAnalyticsEvent(String.format("three-d-secure.verification-flow.challenge-presented.%b", showChallenge));
    fragment.sendAnalyticsEvent(String.format("three-d-secure.verification-flow.3ds-version.%s", threeDSecureVersion));
    if (!showChallenge) {
        completeVerificationFlowWithNoncePayload(fragment, threeDSecureLookup.getCardNonce());
    } else if (!threeDSecureVersion.startsWith("2.")) {
        fragment.browserSwitch(13487, ThreeDSecureV1BrowserSwitchHelper.getUrl(fragment.getReturnUrlScheme(), fragment.getConfiguration().getAssetsUrl(), request, threeDSecureLookup));
    } else {
        performCardinalAuthentication(fragment, threeDSecureLookup);
    }
}

BrowserSwitchFragment:

public void browserSwitch(int requestCode, String url) {
    BrowserSwitchOptions browserSwitchOptions = (new BrowserSwitchOptions()).requestCode(requestCode).url(Uri.parse(url));
    this.browserSwitchClient.start(browserSwitchOptions, this);
}

BrowserSwitchClient:

public void start(BrowserSwitchOptions browserSwitchOptions, Fragment fragment) {
    if (fragment instanceof BrowserSwitchListener) {
        this.start(browserSwitchOptions, fragment, (BrowserSwitchListener)fragment);
    } else {
        throw new IllegalArgumentException("Fragment must implement BrowserSwitchListener.");
    }
}

The issue can be reproduced by the following steps:

1. Select credit card option in DropIn dialog
2. Enter card parameters
3. Press Go/Next button on the keyboard two-three times: https://monosnap.com/file/kcCFXR7wLZkKU7MtGu1bgvD6dHJaqF

Please block the button from several payment attempts if request to Braintree API is already in progress. Several payment flows are started in parallel and BraintreeFragment is detached from Activity when receive first successful payment result. Other payment results cause this crash.

java.lang.IllegalStateException: Fragment must be attached to an activity.
	at com.braintreepayments.browserswitch.BrowserSwitchClient.start(BrowserSwitchClient.java:206) ~[na:0.0]
	at com.braintreepayments.browserswitch.BrowserSwitchClient.start(BrowserSwitchClient.java:186) ~[na:0.0]
	at com.braintreepayments.browserswitch.BrowserSwitchFragment.browserSwitch(BrowserSwitchFragment.java:59) ~[na:0.0]
	at com.braintreepayments.api.ThreeDSecure.continuePerformVerification(ThreeDSecure.java:266) ~[na:0.0]
	at com.braintreepayments.api.ThreeDSecure$3.onLookupComplete(ThreeDSecure.java:155) ~[na:0.0]
	at com.braintreepayments.api.ThreeDSecure$7.success(ThreeDSecure.java:503) ~[na:0.0]
	at com.braintreepayments.api.internal.HttpClient$3.run(HttpClient.java:288) ~[na:0.0]
	at android.os.Handler.handleCallback(Handler.java:739) ~[na:0.0]
	at android.os.Handler.dispatchMessage(Handler.java:95) ~[na:0.0]
	at android.os.Looper.loop(Looper.java:157) ~[na:0.0]
	at android.app.ActivityThread.main(ActivityThread.java:5429) ~[na:0.0]
	at java.lang.reflect.Method.invoke(Native Method) ~[na:0.0]
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726) ~[na:0.0]
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616) ~[na:0.0]

The credentials for accessing the Cardinal Mobile SDK have changed, due to the sunset of Bintray.

Please update the credentials in your app-level build.gradle to the following:

repositories {
    maven {
        url "https://cardinalcommerceprod.jfrog.io/artifactory/android"
        credentials {
            username 'braintree_team_sdk'
            password 'AKCp8jQcoDy2hxSWhDAUQKXLDPDx6NYRkqrgFLRc3qDrayg6rrCbJpsKKyMwaykVL8FWusJpp'
        }
    }
}

If you continue to have problems accessing the Cardinal Mobile SDK, we recommend upgrading to Drop-in version 5.2.2 or later.

Hey,

I am using venmo payment in my android app. i got the HTTP 400 Bad Request when try to payment. can anyone tell me why i get this error.

Thanks,

I am getting this error when I add Braintree depedency.

Execution failed for task ':vtg:processDevDebugManifest'. Manifest merger failed with multiple errors, see logs

Braintree version:

// app gradle implementation 'com.braintreepayments.api:drop-in:5.3.0'

// project gradle

maven {
    url "https://cardinalcommerceprod.jfrog.io/artifactory/android"
    credentials {
        username 'braintree_team_sdk'
        password 'AKCp8jQcoDy2hxSWhDAUQKXLDPDx6NYRkqrgFLRc3qDrayg6rrCbJpsKKyMwaykVL8FWusJpp'
    }
}

I checked the Merged Manifest tab but I cannot see any error over there.

What could be the cause?

General information

• SDK/Library version: 4.3.0
• Environment: Sandbox
• Android Version and Device: API 23+

ERROR: Failed to resolve: org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.1.4-1

I am getting mentioned error for; implementation "com.braintreepayments.api:drop-in:4.3.0"

General information

• SDK/Library version: 6.0.0.
• Environment: sandbox
• Android Version and Device: any

Issue description

dropInClient.launchDropInForResult() requires Activity. But in this case startActivityForResult is called on activity, not in attached fragment. So result is returned to activity and not into active fragment.

Expected behavior

launchDropInForResult accept Fragments, so we can expect result in Fragment and not only in activity.

Or even better accept Activity Result APIs lambda function to handle result in callback through registerForActivityResult. More info about Activity Result APIs: https://developer.android.com/training/basics/intents/result https://medium.com/e-legion/the-right-way-to-get-a-result-part-i-activity-result-api-6efbcaa5600d

https://github.com/braintree/braintree-android-drop-in

I just download the project and run on my android setup same issue in the demo project too

Could not GET 'https://cardinalcommerce.bintray.com/android/org/jfrog/cardinalcommerce/gradle/cardinalmobilesdk/2.2.4-1/cardinalmobilesdk-2.2.4-1.pom'. Received status code 403 from server

Summary of changes

• Add DropInClient#getClientMetadataId() method

Checklist

• [x] Added a changelog entry

Authors

List GitHub usernames for everyone who contributed to this pull request.

• @sshropshire

General information

• SDK/Library version: 6.5.0, 6.5.1
• Environment: PayPal SandBox
• Android Version and Device: Samsung Galaxy Tab S6 with Android 12

Issue description

I'm using DropIn on Android platform to perform Payment by PayPal. Please find below the steps:

1. Start activity that shows DropIn
2. Select PayPal as Payment process from DropIn UI
3. as soon as the PayPal payment process is complete the PayPal screen is closed and my activity receives: User canceled DropIn (event is received as error: UserCanceledException)
4. Using standard Credit Card payment flow works fine

Thanks and regards.

Summary of changes

• Bump braintree_android module dependency versions to 4.21.1

Checklist

• [x] Added a changelog entry

Authors

List GitHub usernames for everyone who contributed to this pull request.

• @sshropshire

General information

• SDK/Library version: com.braintreepayments.api:drop-in:6.5.0, braintree: 4.20.0
• Environment: Production
• Android Version and Device: Not relevant, all

Response from your Support team:

Non-recurring merchant initiated transactions will be processed much the same way that recurring transactions would be. You should request a cardholder challenge to establish SCA when the card is first authorized, establishing a mandate between you and your customer. This can be with a verification, or the first transaction of a recurring billing event. By applying 3D Secure to the first transaction or verification, you signal to the card issuer that you have established a mandate between you and your customer to charge their payment method for subsequent recurring payments as detailed in your terms and conditions. Establishing SCA on verifications will be useful for scenarios where the cardholder will not be present when the charge is issued, and the amount isn’t known when the payment method is stored. For subsequent transactions from that payment method, which would be outside of the scope of PSD2 SCA, use the unscheduled value in the TransactionSource parameter of the Transaction.Sale() API call. Lastly, please note that gateway rejections are not the same as declines. Gateway rejections are blocked by your gateway settings, while declines are blocked by the customer's bank. I hope this helps answer your questions. If you have any additional questions, please let me know.

Issue description

Try to create a payment using a Credit card. We need to store card to Vault manager with 3D Secure validation due to Eurepean regulation and PSD2.

Create a request with 3D Secure for request a cardholder challenge using: isChallengeRequested / isCardAddChallengeRequested is not possible, we try it with:

val threeD = ThreeDSecureRequest().apply {
        paymentAmount.let { amount = String.format(Locale.ENGLISH, "%.2f", it) }      
        email = userInfo.email
        billingAddress = userInfo.toThreeDSecurePostalAddress()
        mobilePhoneNumber = userPhone
        versionRequested = ThreeDSecureRequest.VERSION_2
        /**
         * Request full 3DS flow to verify card.
         * Should be used for avoid [2099 errors](https://developer.paypal.com/braintree/docs/reference/general/processor-responses/authorization-responses#code-2099)
         */
        if (isOnlyCardAdd) {
            isCardAddChallengeRequested = true
        } else {
            isChallengeRequested = true
        }
        additionalInformation = userInfo.additionalInformation.toThreeDSecureAdditionalInfo()
}

val dropInRequest = DropInRequest().apply {
        isPayPalDisabled = true
        isVaultManagerEnabled = false
        isGooglePayDisabled = true
        threeDSecureRequest = threeD
        isVenmoDisabled = true
}

    private fun initDropInClient() {
        dropInClient = DropInClient(this) { clientToken ->
            viewState.braintreeToken.value?.token?.let { clientToken.onSuccess(it) }.ifNullThen {
                clientToken.onFailure(Exception("Braintree token is null"))
            }
        }
    }
    
    private fun startDropIn() {
        dropInClient
            .apply { setListener(dropInListener) }
            .run { launchDropIn(dropInRequest) }
    }

The issue is, that while adding card in DropIn UI threeDSecureRequest from dropInRequest is ignored and user address/additional info are not sent with card to card issuer / bank. So the card is not possible to verify in that case.

Request which is send from DropIn UI SDK to Braintree API:

{
  "clientSdkMetadata": {
    "platform": "android",
    "sessionId": "****",
    "source": "form",
    "integration": "custom"
  },
  "query": "mutation TokenizeCreditCard($input: TokenizeCreditCardInput!) {  tokenizeCreditCard(input: $input) {    token    creditCard {      bin      brand      expirationMonth      expirationYear      cardholderName      last4      binData {        prepaid        healthcare        debit        durbinRegulated        commercial        payroll        issuingBank        countryOfIssuance        productId      }    }  }}",
  "operationName": "TokenizeCreditCard",
  "variables": {
    "input": {
      "options": {
        "validate": true
      },
      "creditCard": {
        "number": "*****",
        "expirationMonth": "**",
        "expirationYear": "**",
        "cvv": "***"
      }
    }
  }
}

Missing validation info from threeDSecureRequest, in that case is not applied isChallengeRequested / isCardAddChallengeRequested to request as you can see from request, only card info is sent.

Response to this request is:

{
  "errors": [
    {
      "message": "CVV verification failed",
      "locations": [
        {
          "line": 1,
          "column": 66
        }
      ],
      "path": [
        "tokenizeCreditCard"
      ],
      "extensions": {
        "errorClass": "VALIDATION",
        "errorType": "user_error",
        "inputPath": [
          "input",
          "creditCard",
          "cvv"
        ],
        "legacyCode": "81736"
      }
    }
  ],
  "data": {
    "tokenizeCreditCard": null
  },
  "extensions": {
    "requestId": "***"
  }
}

Because Bank Issuer can't validate Credit card without address, etc it return 2099 error. Your API return misunderstood error about wrong CVC. But CVC is correct, same as card number and expiration date.

Current state:

• user click on Pay (or Add card, depends on screen)
• app open DropIn UI with selection of payment method (only Credit or Debit Card is available, that's ok)
• user click on Credit or Debit Card
• DropIn UI client open screen with Card details
• user fill Card Number and click on Next button
• user fill Expiration date and CVC/CVV and click on ADD CARD button
• DropIn UI show error: CVC is invalid.That's not correct, because card info is ok, but error 2099

Expected state

• user click on Pay (od Add card, depends on screen)
• app open DropIn UI with selection of payment method (only Credit or Debit Card is available, that's ok)
• user click on Credit or Debit Card
• DropIn UI client open screen with Card details
• user fill Card Number and click on Next button
• user fill Expiration date and CVC/CVV and click on ADD CARD button
• DropIn Client send all info (addtition, address, phone, etc) with card number
• DropIn UI client show 3D Secure screen for add card to Vault manager

I am working on react native module for DropIn and getting this error on initialization of DropInClient

implementation "com.braintreepayments.api:drop-in:6.5.0

         val dropInClient = DropInClient(currentActivity as AppCompatActivity?,clientToken)
         

Method addObserver must be called on the main thread

Why this error can appear?

General information

• SDK/Library version: 5.+
• Environment: Production
• Android Version and Device: -

Issue description

We received email from Google Play Store title: CardinalComm SDK 60 Warning Template - Id Bridging

Please help to assist