split ios fraud into submodule

[cameron-radar]

server pr: https://github.com/radarlabs/server/pull/7066

run local server using branch cameronmorrow1/fra-1378-ios-fraud-lib-split, point host and verified host to it and call track verified (my staging branch doesn't seem to be a "verified host")

try running master ios branch too to ensure backwards compatibility on server

[Copilot]

Pull Request Overview

This PR splits iOS fraud detection functionality into a separate submodule (RadarSDKFraud), making it an optional dependency rather than part of the core SDK. The fraud detection code (jailbreak checks, attestation, IP monitoring) is moved to the new submodule and accessed via a protocol interface.

Key Changes:

• Fraud detection logic extracted to RadarSDKFraud submodule
• New RadarSDKFraudProtocol defines the interface between core SDK and fraud module
• Core SDK checks for fraud module availability at runtime using NSClassFromString

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
.gitmodules	Adds RadarSDKFraud as a git submodule dependency
RadarSDK/Include/RadarSDKFraudProtocol.h	Defines protocol interface for fraud detection functionality
RadarSDK/RadarVerificationManager.m	Removes fraud implementation, adds runtime checks for fraud module availability
RadarSDK/RadarVerificationManager.h	Removes exposed fraud-related method signatures
RadarSDK/RadarAPIClient.m	Replaces inline fraud checks with calls to fraud module
RadarSDK/RadarUtils.m	Removes isSimulator utility (moved to fraud module)
RadarSDK/RadarUtils.h	Removes isSimulator method declaration
RadarSDKTests/RadarTestUtils.h	Removes import of RadarVerificationManager
RadarSDKTests/RadarTestutils.m	Removes jailbreak detection from test utilities
RadarSDKTests/RadarSDKTests.m	Removes fraud-related test assertions
RadarSDK.xcodeproj/project.pbxproj	Adds RadarSDKFraudProtocol.h to build configuration

Comments suppressed due to low confidence (1)

RadarSDK/RadarVerificationManager.m:1

• Missing closing brace for the if (RadarSDKFraud) block that starts at line 367. This will cause a compilation error.

//

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The TODO comment should be converted to a FIXME or TODO with a ticket reference, or resolved before merging. Using RadarStatusErrorUnknown for missing module dependencies is unclear to API consumers.

Suggested change

	// todo: add a new error type for missing modules?
	completionHandler(RadarStatusErrorUnknown, nil);
	// FIXME(RADAR-1234): Use a specific error type for missing RadarSDKFraud module
	completionHandler(RadarStatusErrorMissingDependency, nil);

[Copilot]

Submodules should typically reference a stable branch (e.g., main or a release tag) rather than a development branch like initial-setup. This could cause instability for other developers or CI/CD systems.

Suggested change

	branch = initial-setup
	branch = main

[lmeier]

+1 to fixing this before shipping

[Copilot]

Missing nil check for fraudResults before assignment. If detectFraudWithLocation: returns nil, this will add a null value to the params dictionary, which could cause serialization issues.

Suggested change

	params[@"fraudPayload"] = fraudResults;
	if (fraudResults) {
	params[@"fraudPayload"] = fraudResults;
	}

[ShiCheng-Lu]

I think maybe the fraud lib can handle the getConfig call (currently in here before the getLocation call), we should probably also just skip that call for projects that don't have the app attest setup, since it's a waste of api call.

so main SDK: getLocation -> RadarSDKFraud.getFraudPayload

within RadarSDKFraud:

• if RadarSettings.useAttest (or something), then call getConfig and attest with nonce, else I think we just encode the payload in a jwt (or encrypted string it looks like?).
• respond with the payload

then we continue to track call.

[cameron-radar]

I'd rather keep any dependencies from the core lib out of radarsdkfraud, such as those needed to make the getConfig call. is there a security reason to move it into radarsdkfraud?

[cameron-radar]

I agree about conditionally skipping the getconfig call, I added it as a linear task:
https://linear.app/radarlabs/issue/FRA-1449/skip-getconfig-call-in-trackverified-if-attest-isnt-enabled

[lmeier]

Hmmm, I think I lean towards keeping config here.

We can pass through (or store in nsuserdefaults) anything that's necessary from config.

[lmeier]

Instead of adding a new error type (I'd lean away from that to avoid error enum bloat), we can just add a logger line to make it clear what's happening.

[lmeier]

Hmmm, I think I lean towards keeping config here.

We can pass through (or store in nsuserdefaults) anything that's necessary from config.

[lmeier]

+1 to fixing this before shipping