From 153c98862e60a50268f6db2fe6a03ee9f8c2cef6 Mon Sep 17 00:00:00 2001 From: Shihaam Abdul Rahman Date: Sun, 17 May 2026 00:47:48 +0500 Subject: [PATCH] add readme --- README.md | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..f0b590a --- /dev/null +++ b/README.md 
@@ -0,0 +1,72 @@ +# BasedBank + +A unified Android banking app for Maldivians that combines MIB (Faisanet), BML (Bank of Maldives), and Fahipay into a single interface — with no analytics, no tracking, and no phone-home behaviour outside the banks themselves. + +[![AI Slop Inside](https://sladge.net/badge.svg)](https://sladge.net) +[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](LICENSE) +![Android 8.0+](https://img.shields.io/badge/Android-8.0+-3DDC84?logo=android&logoColor=white) +![Jetpack Compose](https://img.shields.io/badge/Jetpack%20Compose-4285F4?logo=jetpackcompose&logoColor=white) +![Maintained](https://img.shields.io/badge/Maintained-yes-green.svg) + +## What it does + +- **Multi-bank dashboard** — view balances across all your MIB, BML, and Fahipay accounts in one place, with a combined MVR and USD total +- **Transaction history** — paginated, searchable transaction history per account for MIB CASA, BML CASA, BML prepaid cards, and Fahipay wallet +- **Transfers** — send money between accounts and to saved contacts; supports MIB-to-MIB, BML-to-BML, and cross-bank (MIB↔BML via FAVARA) +- **Contacts** — manage saved beneficiaries across all banks; validates Dhiraagu and Ooredoo numbers and shows the account owner name before you add +- **Fahipay** — full wallet support including balance, history with merchant icons, and Fahipay favourites (Raastas, Reload, Ooredoo Bill, Dhiraagu Bill) +- **QR payments** — scan PayMV QR codes to pre-fill transfers +- **BML foreign limits** — view your foreign currency spending allowances and breakdowns by ATM / POS / ECOM +- **MIB financing** — view active financing deals + +## Authentication + +The app requires your existing credentials for each bank — the same username/password/OTP seed you use with the official apps. It stores them encrypted using AES-256-GCM backed by the Android Keystore (hardware secure enclave). 
+ +Each bank's 2FA uses TOTP, so you need to have your OTP seed (the same secret used by your authenticator app). + +## Security + +- All credentials encrypted at rest with **AES-256-GCM** (Android Keystore) +- Lock screen protected by **PBKDF2-HMAC-SHA256** (100,000 iterations) with optional biometric unlock +- **FLAG_SECURE** on by default — content hidden in app switcher and screenshots blocked +- All sensitive data excluded from Android cloud backup +- Zero analytics, crash reporters, or third-party SDKs — network traffic goes only to MIB, BML, Fahipay, and the Maldivian telecoms for number validation + +See [`docs/AI_SECURITY_CHECK.md`](docs/AI_SECURITY_CHECK.md) for the full security audit. + +## Supported banks + +| Bank | Login | Accounts | History | Transfers | Contacts | +|---|---|---|---|---|---| +| MIB (Faisanet) | username + password + TOTP | ✓ | ✓ | ✓ | ✓ | +| BML (Bank of Maldives) | username + password + TOTP | ✓ | ✓ | ✓ | ✓ | +| Fahipay | national ID + password + TOTP | ✓ | ✓ | — | ✓ (favourites) | + +## Requirements + +- Android 8.0+ (API 26) +- Existing accounts with MIB, BML, or Fahipay +- Your TOTP seed (base32 secret from your authenticator app setup) for each bank + +## Building + +Open in Android Studio and run. No API keys or secrets required — all protocol constants are derived from the official apps and are included in the source. + +The release signing config reads from environment variables (`KEYSTORE_PASSWORD`, `KEY_ALIAS`, `KEY_PASSWORD`). + +## How it works + +BasedBank talks directly to each bank's existing mobile API using the same protocol as their official apps, reverse-engineered from the APKs. It does not use any intermediary server — requests go straight from your device to the bank. 
+ +- **MIB**: Blowfish/ECB encrypted JSON over HTTPS with a Diffie-Hellman session key exchange +- **BML**: PKCE OAuth 2.0 flow via the BML web login, exchanged for a Bearer token used on the mobile API +- **Fahipay**: multipart form login with TOTP, session maintained via `__Secure-sess` cookie and `authid` header + +## Privacy + +No data ever leaves your device except the API calls to the banking services themselves. See the [security audit](docs/AI_SECURITY_CHECK.md) for a full list of every server the app connects to. + +## Disclaimer + +This is an unofficial third-party app. It is not affiliated with, endorsed by, or supported by MIB, BML, or Fahipay. Use at your own risk. Review the source code before entering your banking credentials.
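Review bot: The "Authentication" and "Security" sections of the new README should state the trade-off that the app asks for and stores the TOTP seed on the same device that holds the username and password: once both live in one app, the bank's second factor is reduced to a single factor protected only by the device and the app's lock screen, and a reader comparing this with the official apps' separate authenticator needs to be told that plainly. In the same passage, "backed by the Android Keystore (hardware secure enclave)" overstates what the stated minimum of Android 8.0 (API 26) guarantees; Keystore keys are hardware-backed only where the device provides a TEE or StrongBox, so the sentence should say "hardware-backed where the device supports it" rather than asserting an enclave. Finally, the README links to `docs/AI_SECURITY_CHECK.md` twice ("See [`docs/AI_SECURITY_CHECK.md`](docs/AI_SECURITY_CHECK.md) for the full security audit." and the "Privacy" section), but this patch adds only README.md, so either that file should be part of the same change or the links should be dropped until it exists.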