# BasedBank

A unified Android banking app for Maldivians that combines MIB (Faisanet), BML (Bank of Maldives), and Fahipay into a single interface — with no analytics, no tracking, and no phone-home behaviour outside the banks themselves.

[![AI Slop Inside](https://sladge.net/badge.svg)](https://sladge.net)
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](LICENSE)
![Android 8.0+](https://img.shields.io/badge/Android-8.0+-3DDC84?logo=android&logoColor=white)
![Jetpack Compose](https://img.shields.io/badge/Jetpack%20Compose-4285F4?logo=jetpackcompose&logoColor=white)
![Maintained](https://img.shields.io/badge/Maintained-yes-green.svg)

## What it does

- **Multi-bank dashboard** — view balances across all your MIB, BML, and Fahipay accounts in one place, with a combined MVR and USD total
- **Transaction history** — paginated, searchable transaction history per account for MIB CASA, BML CASA, BML prepaid cards, and Fahipay wallet
- **Transfers** — send money between accounts and to saved contacts; supports MIB-to-MIB, BML-to-BML, and cross-bank (MIB↔BML via FAVARA)
- **Contacts** — manage saved beneficiaries across all banks; validates Dhiraagu and Ooredoo numbers and shows the account owner name before you add
- **Fahipay** — full wallet support including balance, history with merchant icons, and Fahipay favourites (Raastas, Reload, Ooredoo Bill, Dhiraagu Bill)
- **QR payments** — scan PayMV QR codes to pre-fill transfers
- **BML foreign limits** — view your foreign currency spending allowances and breakdowns by ATM / POS / ECOM
- **MIB financing** — view active financing deals

## Authentication

The app requires your existing credentials for each bank — the same username/password/OTP seed you use with the official apps. It stores them encrypted using AES-256-GCM backed by the Android Keystore (hardware secure enclave).

Each bank's 2FA uses TOTP, so you need to have your OTP seed (the same secret used by your authenticator app).
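How a base32 OTP seed becomes a one-time code, as an added example that is not BasedBank's own code. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), which this page does not state for any of the banks; `decodeBase32Seed` and `totp` are hypothetical names.

```kotlin
import java.nio.ByteBuffer
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

private const val BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// Decodes an RFC 4648 base32 seed; tolerates spaces, dashes, lowercase and '=' padding.
fun decodeBase32Seed(seed: String): ByteArray {
    val cleaned = seed.uppercase().filterNot { it == ' ' || it == '-' }.trimEnd('=')
    require(cleaned.isNotEmpty()) { "empty TOTP seed" }
    val out = ArrayList<Byte>(cleaned.length * 5 / 8)
    var buffer = 0
    var bits = 0
    for (c in cleaned) {
        val v = BASE32_ALPHABET.indexOf(c)
        require(v >= 0) { "seed contains a non-base32 character" } // never echo the seed in errors
        buffer = (buffer shl 5) or v
        bits += 5
        if (bits >= 8) {
            bits -= 8
            out.add(((buffer shr bits) and 0xFF).toByte())
            buffer = buffer and ((1 shl bits) - 1) // keep only the leftover low bits
        }
    }
    return out.toByteArray()
}

// RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation (assumed parameters).
fun totp(key: ByteArray, unixSeconds: Long, digits: Int = 6, stepSeconds: Long = 30): String {
    val counter = ByteBuffer.allocate(8).putLong(unixSeconds / stepSeconds).array()
    val mac = Mac.getInstance("HmacSHA1").apply { init(SecretKeySpec(key, "HmacSHA1")) }
    val hash = mac.doFinal(counter)
    val offset = hash[hash.size - 1].toInt() and 0x0F
    val binary = ((hash[offset].toInt() and 0x7F) shl 24) or
        ((hash[offset + 1].toInt() and 0xFF) shl 16) or
        ((hash[offset + 2].toInt() and 0xFF) shl 8) or
        (hash[offset + 3].toInt() and 0xFF)
    var modulus = 1
    repeat(digits) { modulus *= 10 }
    return (binary % modulus).toString().padStart(digits, '0')
}

fun main() {
    // Constructed input: the RFC 6238 Appendix B test key, not a real seed.
    val key = decodeBase32Seed("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    check(key.contentEquals("12345678901234567890".toByteArray(Charsets.US_ASCII)))
    check(totp(key, unixSeconds = 59, digits = 8) == "94287082") // RFC 6238 vector, T = 59
    println(totp(key, System.currentTimeMillis() / 1000))
}
```

Anyone holding the seed can generate valid codes indefinitely, which is why the seed needs the same at-rest protection as the password.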
## Security

- All credentials encrypted at rest with **AES-256-GCM** (Android Keystore)
- Lock screen protected by **PBKDF2-HMAC-SHA256** (100,000 iterations) with optional biometric unlock
- **FLAG_SECURE** on by default — content hidden in app switcher and screenshots blocked
- All sensitive data excluded from Android cloud backup
- Zero analytics, crash reporters, or third-party SDKs — network traffic goes only to MIB, BML, Fahipay, and the Maldivian telecoms for number validation

See [`docs/AI_SECURITY_CHECK.md`](docs/AI_SECURITY_CHECK.md) for the full security audit.

## Supported banks

| Bank | Login | Accounts | History | Transfers | Contacts |
|---|---|---|---|---|---|
| MIB (Faisanet) | username + password + TOTP | ✓ | ✓ | ✓ | ✓ |
| BML (Bank of Maldives) | username + password + TOTP | ✓ | ✓ | ✓ | ✓ |
| Fahipay | national ID + password + TOTP | ✓ | ✓ | — | ✓ (favourites) |

## Requirements

- Android 8.0+ (API 26)
- Existing accounts with MIB, BML, or Fahipay
- Your TOTP seed (base32 secret from your authenticator app setup) for each bank

## Building

Open in Android Studio and run. No API keys or secrets required — all protocol constants are derived from the official apps and are included in the source.

The release signing config reads from environment variables (`KEYSTORE_PASSWORD`, `KEY_ALIAS`, `KEY_PASSWORD`).

## How it works

BasedBank talks directly to each bank's existing mobile API using the same protocol as their official apps, reverse-engineered from the APKs. It does not use any intermediary server — requests go straight from your device to the bank.

- **MIB**: Blowfish/ECB encrypted JSON over HTTPS with a Diffie-Hellman session key exchange
- **BML**: PKCE OAuth 2.0 flow via the BML web login, exchanged for a Bearer token used on the mobile API
- **Fahipay**: multipart form login with TOTP, session maintained via `__Secure-sess` cookie and `authid` header

## Privacy

No data ever leaves your device except the API calls to the banking services themselves. See the [security audit](docs/AI_SECURITY_CHECK.md) for a full list of every server the app connects to.

## Disclaimer

This is an unofficial third-party app. It is not affiliated with, endorsed by, or supported by MIB, BML, or Fahipay. Use at your own risk. Review the source code before entering your banking credentials.