SMS-Based Payment Confirmation: How It Works and Why It's Reliable
Automated payment verification is the backbone of modern e-commerce checkouts. While card networks rely on immediate authorization flows (VISA/Mastercard processing), mobile financial services (MFS) in Bangladesh often operate through physical SMS confirmation notifications. In this engineering deep-dive, we break down how BDGate's SMS-Based Payment Confirmation operates and why it offers a robust alternative to manual checks.
The Architectural Setup
The system relies on three distinct layers cooperating asynchronously:
- MFS Provider System: Initiates and processes user wallets. When a payment completes, it generates a physical SMS alert and broadcasts it to the merchant's target SIM card phone number.
- Android Relay Client: A lightweight background Android app running on the merchant's smartphone. It utilizes Android's native NotificationListenerService to safely monitor notifications sent from specific sender headers (like bKash, NAGAD, or Rocket).
- BDGate REST Server: Receives the parsed SMS components, verifies security signature hashes, checks pending database invoices, and completes orders.
Safeguarding Transaction Data
A common concern is security: can a bad actor inject fake SMS notifications into the API? We prevent this through multiple validation mechanisms:
- Secure Web Signatures: Every request sent from the Android Relay client is hashed using a shared security_secret and timestamp variables. The server rejects any payload that doesn't resolve to the correct hash.
- Sender Validation: The app only forwards alerts generated by official MFS sender IDs, ignoring standard 11-digit mobile phone numbers.
- Duplicate Checks: Each MFS SMS contains a unique transaction ID. The BDGate backend keeps a distinct cache of processed transaction keys and rejects any duplicate attempts instantly.
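The three checks above combined into one server-side verifier, as an added example that is not BDGate's own code. It assumes HMAC-SHA256 as the keyed hash, a five-minute freshness window, and hypothetical field names (sender, trx_id, amount); the secret and sample values are constructed.

```python
import hashlib
import hmac
import json
import time

# All names and values below are illustrative assumptions, not BDGate's API.
SECURITY_SECRET = b"constructed-demo-secret"    # placeholder shared secret
ALLOWED_SENDERS = {"bKash", "NAGAD", "Rocket"}  # sender headers named in the article
MAX_SKEW_SECONDS = 300                          # assumed freshness window
seen_trx_ids = set()                            # stand-in for the processed-transaction cache


def sign(payload, timestamp, secret=SECURITY_SECRET):
    """Relay side: HMAC-SHA256 over the timestamp and the canonical JSON body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, f"{timestamp}.{body}".encode(), hashlib.sha256).hexdigest()


def verify(payload, timestamp, signature, now=None):
    """Server side: return 'accepted' or the reason the request was rejected."""
    now = time.time() if now is None else now
    # 1. Check the MAC first, in constant time, before trusting any field.
    expected = sign(payload, timestamp)
    if not hmac.compare_digest(expected.encode(), str(signature).encode()):
        return "bad_signature"
    # 2. The timestamp is covered by the MAC, so a captured request cannot be re-dated.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return "stale_timestamp"
    # 3. Sender allow-list: a plain 11-digit phone number is never in the set.
    if payload.get("sender") not in ALLOWED_SENDERS:
        return "unknown_sender"
    # 4. Each transaction ID is accepted exactly once.
    trx_id = payload.get("trx_id")
    if not trx_id or trx_id in seen_trx_ids:
        return "duplicate_or_missing_trx_id"
    seen_trx_ids.add(trx_id)
    return "accepted"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    msg = {"sender": "bKash", "trx_id": "TRXDEMO001", "amount": "500.00"}  # constructed
    sig = sign(msg, now)
    print(verify(msg, now, sig, now=now))                        # first delivery
    print(verify(msg, now, sig, now=now))                        # replay of the same request
    print(verify({**msg, "amount": "5.00"}, now, sig, now=now))  # tampered amount
```

With a freshness window like this, a relay that queues messages while offline has to set the timestamp and compute the signature when the request is actually sent, not when the SMS arrived, or queued payments would be rejected as stale.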
Handling Lost Connections
If the Android device loses network access, it queues incoming parsed transaction data locally in an SQLite datastore. The moment mobile data or Wi-Fi is restored, the queue is pushed to the server sequentially, ensuring zero payments are lost or delayed.