lankapay_justpay_flutter 0.2.20

Flutter plugin bridging LankaPay LPTrusted (JustPay): getDeviceId and createIdentityAndSign over MethodChannel justpay_sdk/methods. Host apps must supply bank JSON and SDK binaries per README.

Complete setup guide: lankapay_justpay_flutter

This document is the full, ordered checklist for integrating the plugin. Follow it top to bottom the first time you integrate. Example XML in the Android and iOS sections matches common MID patterns for MNV cleartext hosts; always confirm values against your official MID.

Related files in this repo

Item	Location
Short overview	README.md
Example app	example/
Method channel name	justpay_sdk/methods

---

Table of contents

1. Before you write any code
2. Update your Flutter project
3. Add the Dart dependency
4. Android — LPTrusted AAR
5. Android — Gradle (app module)
6. Android — Config JSON in res/raw
7. Android — Permissions (AndroidManifest.xml)
8. Android — Network security (cleartext / MNV)
9. Android — ProGuard / R8 (release)
10. iOS — LPTrusted xcframework layout
11. iOS — CocoaPods
12. iOS — Bundle JSON
13. iOS — App Transport Security (ATS)
14. iOS — Xcode build settings
15. iOS — Embed & Sign the framework
16. Dart — Usage in your app
17. Config JSON — Required keys (reference)
18. Verify the integration
19. Migrating from embedded native JustPay code
20. Troubleshooting

---

1. Before you write any code

Obtain from your bank / LankaPay onboarding (not from this open-source repo):

Asset	Android	iOS
justpay.json	Place in res/raw	Add to Runner bundle
mnv.json	Place in res/raw	Required on iOS (add to Runner bundle)
Native SDK	LPTrustedSDK.aar	LPTrustedSDK.xcframework

---

2. Update your Flutter project

1. Use a stable Flutter channel and a Dart SDK compatible with the plugin’s pubspec.yaml (environment.sdk).

2. From your app root:

   flutter upgrade
   flutter doctor -v
   

Fix any Android SDK / Xcode / CocoaPods issues flutter doctor reports before continuing.

---

3. Add the Dart dependency

In your app’s pubspec.yaml:

dependencies:
  flutter:
    sdk: flutter
  lankapay_justpay_flutter: ^0.2.14   # or path: / git: for your team

Then:

flutter pub get

Import:

import 'package:lankapay_justpay_flutter/lankapay_justpay_flutter.dart';

---

4. Android — LPTrusted AAR

1. Create the folder android/app/libs/ if it does not exist.

2. Copy the bank’s file LPTrustedSDK.aar into:

   android/app/libs/LPTrustedSDK.aar

   Use exactly this filename unless you change every Gradle reference yourself.

3. The plugin’s Android module uses compileOnly against:

   $rootProjectDir/app/libs/LPTrustedSDK.aar

   (same path relative to your Flutter app’s android/ folder). If this file is missing, Android Gradle fails with an explicit error from the plugin — that is expected until the AAR is present.

---

5. Android — Gradle (app module)

Edit android/app/build.gradle or android/app/build.gradle.kts.

Kotlin DSL (build.gradle.kts) — recommended pattern

Add a dependencies { } block (or merge into your existing one):

dependencies {
    // Required: packages LPTrusted into the APK. The plugin only compileOnly-compiles against it.
    implementation(files("libs/LPTrustedSDK.aar"))

    // MID-aligned versions (OkHttp 4.9.3, json-simple non-transitive).
    // The plugin also declares OkHttp + json-simple; duplicating here is optional but explicit.
    implementation("com.squareup.okhttp3:okhttp:4.9.3")
    implementation("com.googlecode.json-simple:json-simple:1.1.1") {
        isTransitive = false
    }
}

Groovy (build.gradle)

dependencies {
    implementation files('libs/LPTrustedSDK.aar')
    implementation 'com.squareup.okhttp3:okhttp:4.9.3'
    implementation('com.googlecode.json-simple:json-simple:1.1.1') {
        transitive = false
    }
}

If your build fails with duplicate classes from org.apache.commons.io.* or org.slf4j.*, add this in the app module:

configurations.configureEach {
    exclude(group = "commons-io", module = "commons-io")
    exclude(group = "org.slf4j", module = "slf4j-api")
}

configurations.all {
    exclude group: "commons-io", module: "commons-io"
    exclude group: "org.slf4j", module: "slf4j-api"
}

Trade-off (read this if you use file_picker 11+ or other Apache Tika stacks): Excluding external commons-io avoids duplicate class errors with a fat LPTrustedSDK.aar that already embeds org.apache.commons.io.*. Some dependencies (for example file_picker ≥ 11 on Android, which pulls tika-core) expect a **full Maven commons-io 2.x** on the classpath. With the exclude, **release R8** can fail with **missing** org.apache.commons.io.*classes. In that case you cannot satisfy both AAR and Tika from Gradle alone: **ask the bank / LankaPay for anLPTrustedSDKbuild that does not bundlecommons-io** (or uses a **relocated** / shaded package), **or** avoid the conflicting stack (for example pin **file_picker** to a version **without** tika-core`, if acceptable for your app). There is no Dart-only fix inside this plugin.

applicationId / flavors: The value of package inside justpay.json must match the built app’s applicationId (including flavor suffixes such as .dev). If they differ, identity and signing will fail.

---

6. Android — Config JSON in res/raw

1. Copy your bank’s files to:

   • android/app/src/main/res/raw/justpay.json
   • android/app/src/main/res/raw/mnv.json

2. Resource names are the filenames without extension: justpay and mnv. Do not rename to justpay_config.json unless you also change native loading logic (this plugin expects those two names).

3. The plugin validates required keys before calling the SDK (see section 17).

---

7. Android — Permissions (AndroidManifest.xml)

JustPay / LPTrusted needs network access. Declaring network state is optional but useful for connectivity-aware behavior.

Minimum recommended for JustPay networking

Inside <manifest> (not inside <application>):

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

Other permissions

Typical banking apps also declare permissions for notifications, camera, biometric, and so on. Those are not required by this plugin unless your app uses those features. For JustPay-only networking, INTERNET (+ optionally ACCESS_NETWORK_STATE) is the core set.

Optional (only if your MID or bank doc says so): Some integrations mention telephony. Follow your MID if it requires READ_PHONE_STATE or similar.

Application attribute for network security

On <application>, point to your XML config (see next section). Example:

<application
    android:name="${applicationName}"
    android:label="your_app_name"
    android:icon="@mipmap/ic_launcher"
    android:networkSecurityConfig="@xml/network_security_config">
    <!-- activities, meta-data, etc. -->
</application>

---

8. Android — Network security (cleartext / MNV)

Mobile network validation (MNV) often uses HTTP to specific operator endpoints. Android 9+ blocks cleartext unless you allow it per domain. Without the right hosts, you may see UnknownServiceException: CLEARTEXT communication … not permitted.

UAT/sandbox MNV configs often hit 3lauth.ideabiz.lk and gsmacnvep.mobitel.lk in addition to production-style mobileauth.ideabiz.lk and gsmacnv.mobitel.lk. Include every host your mnv.json / MID uses.

1. Create android/app/src/main/res/xml/network_security_config.xml.

2. Example content (merge with your MID; add or remove domains per environment):

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">3lauth.ideabiz.lk</domain>
        <domain includeSubdomains="true">mobileauth.ideabiz.lk</domain>
        <domain includeSubdomains="true">gsmacnvep.mobitel.lk</domain>
        <domain includeSubdomains="true">gsmacnv.mobitel.lk</domain>
        <domain includeSubdomains="true">apihub.hutch.lk</domain>
        <domain includeSubdomains="true">heapihub.hutch.lk</domain>
    </domain-config>
</network-security-config>

3. Ensure AndroidManifest.xml references it (see section 7).

Important: If your bank’s MID lists different hosts for sandbox/production, adjust this list. The block above is a working reference for common LankaPay MNV hosts, not a substitute for verifying your MID.

---

9. Android — ProGuard / R8 (release)

1. This plugin publishes android/consumer-rules.pro, which Gradle merges into your app when minifyEnabled is true. It keeps:

   • com.lankapay.justpay.** (LPTrusted),
   • org.spongycastle.** (SpongyCastle jars inside the AAR — not the same as BouncyCastle org.bouncycastle),
   • org.apache.commons.* / org.json.simple.** as used by the stack,
   • lk.lankapay.justpay_flutter.** (MethodChannel bridge),
   • minimal OkHttp rules.

2. Resource shrinking (shrinkResources) — not fixed by ProGuard:

   If your app sets isShrinkResources = true (common with release minify), the build may remove res/raw/justpay.json and res/raw/mnv.json because they are opened via Context#getIdentifier("justpay", "raw", …) — the shrinker often does not treat that as a reference. LPTrusted then cannot read config → getDeviceId() returns "" in release only (debug does not shrink). iOS is unaffected.

   Add app/src/main/res/xml/keep_justpay_raw_resources.xml (name optional):

   <?xml version="1.0" encoding="utf-8"?>
   <resources xmlns:tools="http://schemas.android.com/tools"
       tools:keep="@raw/justpay,@raw/mnv" />
   

   Or temporarily set isShrinkResources = false to confirm.

3. If getDeviceId is non-empty in debug but empty in Android release while iOS release is fine, check (2) first, then consumer rules / SpongyCastle.

4. If LankaPay or your bank supplies additional ProGuard rules, merge them into your app’s proguard-rules.pro (or the rules file your release build uses).

5. Always run a release build on a real device and exercise JustPay onboarding before store submission.

---

10. iOS — LPTrustedSDK and JSON (MID manual Xcode; Flutter disk path)

Follow your MID Section 7 (LankaPay): copy LPTrustedSDK.xcframework into the project folder, in Xcode use Add Files to “…” on the project, select the xcframework, Create groups, enable the Runner target, then Runner → General → Frameworks, Libraries, and Embedded Content and set LPTrustedSDK.xcframework to Embed & Sign. Add justpay.json the same way (Add Files…), with Runner target membership. mnv.json is required on iOS; add it to Runner as well so the plugin can validate dialog / hutch / mobitel before calling the SDK.

Flutter caveat: lankapay_justpay_flutter is a separate CocoaPods target. The plugin pod links LPTrustedSDK with FRAMEWORK_SEARCH_PATHS that include ios/, ios/Runner/, and common xcframework slice folders (ios-arm64, ios-arm64_x86_64-simulator, ios-arm64-simulator) under both LPTrustedSDK.xcframework locations — the linker needs -F on the slice that contains LPTrustedSDK.framework, not only the .xcframework root. From 0.2.14 this is built into the podspec; upgrade before adding a custom Podfile post_install. After you wire the framework in Xcode, keep the on-disk xcframework at ios/LPTrustedSDK.xcframework or ios/Runner/LPTrustedSDK.xcframework, then cd ios && pod install. If your bank’s xcframework uses other slice directory names, you can still append those paths in post_install for the lankapay_justpay_flutter target (same pattern as slice-specific FRAMEWORK_SEARCH_PATHS).

---

11. iOS — CocoaPods

1. Open a terminal at your_app/ios/.

2. Run:

   pod install
   

3. If you change the plugin version or iOS native deps, run again:

   pod install --repo-update
   

4. Open Runner.xcworkspace in Xcode (not Runner.xcodeproj alone).

Podfile platform: Use at least iOS 13.0 (MID). Your team may standardize on a higher minimum; that is fine as long as it meets MID requirements.

---

12. iOS — Bundle JSON

1. In Xcode, add justpay.json (Add Files…), enable Runner target membership, and confirm it under Build Phases → Copy Bundle Resources.
2. mnv.json is required on iOS. Add it using the same steps and confirm it is in Copy Bundle Resources; the plugin validates dialog, hutch, and mobitel.

Use the literal filenames justpay.json and mnv.json so Bundle.main.url(forResource:withExtension:) finds them.

---

13. iOS — App Transport Security (ATS)

iOS blocks insecure HTTP unless you declare exceptions. Add NSAppTransportSecurity for the same operator hosts you allow in Android cleartext (section 8). Use the same domain set as your network_security_config.xml (UAT often needs 3lauth.ideabiz.lk and gsmacnvep.mobitel.lk).

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>3lauth.ideabiz.lk</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>mobileauth.ideabiz.lk</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>gsmacnvep.mobitel.lk</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>gsmacnv.mobitel.lk</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>apihub.hutch.lk</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>heapihub.hutch.lk</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

How to add in Xcode: Open Runner → Info.plist as source code, or use Information Property List editor: add App Transport Security Settings → Exception Domains and mirror the keys above.

Again: confirm hosts with your MID for non-production environments.

---

14. iOS — Xcode build settings

Per MID:

Setting	Value
iOS Deployment Target	≥ 13.0 (MID minimum; your app may use a higher floor)
Enable Bitcode	No (MID)

In Xcode: Runner target → Build Settings → search “Bitcode” → Enable Bitcode → No.

---

15. iOS — Verify framework, JSON, and Pods

1. Run pod install --repo-update and open Runner.xcworkspace.
2. On disk: ios/LPTrustedSDK.xcframework or ios/Runner/LPTrustedSDK.xcframework exists.
3. In Xcode (Runner): General → Frameworks, Libraries, and Embedded Content shows LPTrustedSDK.xcframework with Embed & Sign; both justpay.json and mnv.json have Runner target membership and are in Copy Bundle Resources.

If Framework 'LPTrustedSDK' not found remains, reconfirm the xcframework on-disk path and rerun pod install --repo-update.

---

16. Dart — Usage in your app

final justPay = LankapayJustpayFlutter();

// 1) Optional: device id for your backend
final deviceId = await justPay.getDeviceId();

// 2) challenge from your bank API; contentToSign = e.g. terms text user agreed to
final result = await justPay.createIdentityAndSign(
  challenge: challengeFromApi,
  contentToSign: termsPlainText,
);

if (result.success) {
  final signature = result.signature;
  final mobileReference = result.mobileReference;
  // Send signature + mobileReference to your bank API per integration guide.
} else {
  // Show result.message to the user or log for support.
}

If your flow needs signature only (without MNV/mobile validation), use:

final signOnly = await justPay.createIdentityAndSignOnly(
  challenge: challengeFromApi,
  contentToSign: termsPlainText,
);

if (signOnly.success) {
  final signature = signOnly.signature;
  // mobileReference is empty in sign-only mode.
}

Threading: Native callbacks complete on the platform main thread; the plugin returns a Future to Dart as usual.

---

17. Config JSON — Required keys (reference)

These are validated before the SDK runs (mirroring typical native LPTrusted integration checks).

justpay.json (string values, non-empty after trim)

Key
url
package
justpay_code
key_encipher
key_signer
justpay_cert
issuer

mnv.json

Android: required in res/raw; keys below must be present and non-empty.

iOS: required in the app bundle; keys below must be present and non-empty.

Key
dialog
hutch
mobitel

If required keys are missing (or mnv.json is missing on Android/iOS), you get a structured error message in the Dart result.

---

18. Verify the integration

Use this checklist on a physical device when possible (MNV often depends on real carrier data).

• ❌ flutter pub get succeeds.
• ❌ cd ios && pod install succeeds.
• ❌ Android: LPTrustedSDK.aar exists at android/app/libs/LPTrustedSDK.aar.
• ❌ Android: justpay.json / mnv.json exist under res/raw/ with correct names.
• ❌ Android: network_security_config.xml present and referenced in the manifest.
• ❌ iOS: LPTrustedSDK.xcframework on disk under ios/ or ios/Runner/; Runner → Embed & Sign; both justpay.json and mnv.json in bundle; pod install succeeds.
• ❌ iOS: justpay.json and mnv.json are in Copy Bundle Resources.
• ❌ iOS: ATS NSExceptionDomains for every MNV HTTP host you use (mirror Android §8; confirm with MID).
• ❌ justpay.json package matches Android applicationId.
• ❌ getDeviceId returns a non-empty string when the SDK is correctly linked (empty often means iOS framework not linked or stub path).
• ❌ createIdentityAndSign completes with success: true in a full test onboarding (uses bank sandbox as directed).

---

19. Migrating from embedded native JustPay code

If you previously registered a custom MethodChannel in MainActivity / FlutterActivity or AppDelegate that called LPTrusted directly:

1. Add lankapay_justpay_flutter to pubspec.yaml.
2. Remove your custom JustPay MethodChannel setup and any duplicate LPTrusted handler classes from the host app (the plugin registers justpay_sdk/methods on its own).
3. Replace your Dart bridge class with LankapayJustpayFlutter from this package.
4. Keep Firebase, notifications, other channels, and unrelated manifest keys as they are.
5. Run full JustPay regression on Android and iOS.

---

20. Troubleshooting

Symptom	What to check
Gradle: AAR not found	Path android/app/libs/LPTrustedSDK.aar and spelling of filename.
Gradle: duplicate classes (org.apache.commons.io.* / org.slf4j.*)	LPTrustedSDK AAR may already include commons-io and slf4j-api. Exclude external duplicates in app Gradle using configurations.configureEach { exclude(...) } (Kotlin DSL) or configurations.all { exclude ... } (Groovy), then run flutter clean.
Release R8: missing org.apache.commons.io.* after excluding commons-io	Same trade-off as above: Tika / full commons-io vs fat AAR. Prefer an updated LPTrustedSDK from the vendor, or remove/downgrade the dependency that pulls Tika (often file_picker ≥ 11).
Gradle: duplicate classes return when you remove the commons-io exclude	Expected: Maven commons-io and the AAR’s embedded copy both define org.apache.commons.io.*. You need a non-fat AAR or avoid pulling a second commons-io.
Android: “Missing res/raw/…”	Files named justpay.json / mnv.json under app/src/main/res/raw/.
Android: cleartext / SSL errors	network_security_config.xml domains vs MID; manifest networkSecurityConfig.
Android: package mismatch	justpay.json package vs applicationId (flavors).
Android: getDeviceId empty only in release	R8 / SpongyCastle — plugin ≥ 0.2.19 (consumer-rules.pro). Also shrinkResources: add tools:keep="@raw/justpay,@raw/mnv" (see §9) or test with isShrinkResources = false.
iOS: Framework 'LPTrustedSDK' not found	ios/LPTrustedSDK.xcframework or ios/Runner/ on disk; pod install --repo-update; open Runner.xcworkspace. Use plugin ≥ 0.2.14 (slice FRAMEWORK_SEARCH_PATHS).
iOS: import LPTrustedSDK / link errors	Same + pod install --repo-update; Runner.xcworkspace. If your xcframework uses unusual slice folder names, append them in post_install for lankapay_justpay_flutter. Optional vendored pod.
iOS: HTTP load fails	ATS entries in Info.plist for operator hosts.
iOS: empty getDeviceId	Often stub (framework not linked: #if canImport(LPTrustedSDK) false) — fix xcframework disk path + pod install. On a linked device build, empty can mean SDK not initialized per MID.
Dart: success: false with config message	JSON keys missing/wrong; read message string.
Debug logs (recommended)	Android: view logcat and filter by tag LankapayJustpay. iOS: view the Xcode console for lines starting with [LankapayJustpay]. Dart: debug console output (only in debug mode).
Debug mocks (optional)	In debug builds you can enable failure simulation as success. This can help you continue UI/backend registration flow without native success. Enable with LankapayJustpayFlutter(enableDebugMocks: true). Backend may still reject dummy signature or mobileReference if it validates strictly.
Release-only crashes	R8/ProGuard rules; test release on device.

---

Quick command recap

# From app root
flutter pub get
cd ios && pod install && cd ..

# Android
cd android && ./gradlew :app:assembleDebug && cd ..

# iOS (from app root)
flutter build ios --no-codesign

If anything in this guide conflicts with your bank’s MID, the MID wins.