From 5d8ab76477471ef0aad136ed356c57160466a8e8 Mon Sep 17 00:00:00 2001 From: Shihaam Abdul Rahman Date: Wed, 27 May 2026 18:35:42 +0500 Subject: [PATCH] update docs --- README.md | 62 +++++++------------------------------------------------ 1 file changed, 8 insertions(+), 54 deletions(-) diff --git a/README.md b/README.md index a945381..0f4ae71 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Thijooree -A native Android client for Maldivian banking services — MIB (Faisanet), BML (Bank of Maldives), and Fahipay. It is a pure client: requests go directly from your device to the banks' own servers using the same protocols as their official apps. No proxy, no backend, no middleman. +A native Android client for Maldivian banking services. It is a pure client: requests go directly from your device to the banks' own servers using the same protocols as their official apps. No proxy, no backend, no middleman. [![AI Slop Inside](https://sladge.net/badge.svg)](https://sladge.net) [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](LICENSE) 
@@ -8,65 +8,14 @@ A native Android client for Maldivian banking services — MIB (Faisanet), BML ( ![Jetpack Compose](https://img.shields.io/badge/Jetpack%20Compose-4285F4?logo=jetpackcompose&logoColor=white) ![Maintained](https://img.shields.io/badge/Maintained-yes-green.svg) -## What it does - -- **Multi-bank dashboard** — view balances across all your MIB, BML, and Fahipay accounts in one place, with a combined MVR and USD total -- **Transaction history** — paginated, searchable transaction history per account for MIB CASA, BML CASA, BML prepaid cards, and Fahipay wallet -- **Transfers** — send money between accounts and to saved contacts; supports MIB-to-MIB, BML-to-BML, and cross-bank (MIB↔BML via FAVARA); transfer receipts saved locally -- **Contacts** — manage saved beneficiaries across all banks; validates Dhiraagu and Ooredoo numbers and shows the account owner name before you add -- **Fahipay** — full wallet support including balance, history with merchant icons, and Fahipay favourites (Raastas, Reload, Ooredoo Bill, Dhiraagu Bill) -- **QR payments** — scan PayMV QR codes to pre-fill transfers -- **BML foreign limits** — view your foreign currency spending allowances and breakdowns by ATM / POS / ECOM -- **MIB financing** — view active financing deals -- **Hide amounts** — one-tap toggle to hide all balances on screen (e.g. in public) -- **Multi-account support** — add multiple logins per bank (e.g. personal + business); BML supports multiple profiles per login with per-profile session tokens -- **Profile visibility** — individually hide/show MIB or BML profiles from the dashboard without removing them - -## Authentication - -The app requires your existing credentials for each bank — the same username/password/OTP seed you use with the official apps. It stores them encrypted using AES-256-GCM backed by the Android Keystore (hardware secure enclave). 
- -Each bank's 2FA uses TOTP, so you need to have your OTP seed (the same secret used by your authenticator app). - -MIB sessions persist their Blowfish DH key pair and app ID between launches (re-login only when the session expires). BML tokens are stored per-profile with refresh token support. Fahipay sessions persist the `authId` and `__Secure-sess` cookie. - -## Security - -- All credentials encrypted at rest with **AES-256-GCM** (Android Keystore) -- Lock screen protected by **PBKDF2-HMAC-SHA256** (100,000 iterations) with optional biometric unlock -- **FLAG_SECURE** on by default — content hidden in app switcher and screenshots blocked -- All sensitive data excluded from Android cloud backup -- Zero analytics, crash reporters, or third-party SDKs — network traffic goes only to MIB, BML, Fahipay, and the Maldivian telecoms for number validation - -See [`docs/AI_SECURITY_CHECK.md`](docs/AI_SECURITY_CHECK.md) for the full security audit. - -## Supported banks - -| Bank | Login | Accounts | History | Transfers | Contacts | -|---|---|---|---|---|---| -| MIB (Faisanet) | username + password + TOTP | ✓ | ✓ | ✓ | ✓ | -| BML (Bank of Maldives) | username + password + TOTP | ✓ | ✓ | ✓ | ✓ | -| Fahipay | national ID + password + TOTP | ✓ | ✓ | — | ✓ (favourites) | - ## Requirements - Android 8.0+ (API 26) - Existing accounts with MIB, BML, or Fahipay - Your TOTP seed (base32 secret from your authenticator app setup) for each bank -## Building - -Open in Android Studio and run. No API keys or secrets required — all protocol constants are derived from the official apps and are included in the source. - -The release signing config reads from environment variables (`KEYSTORE_PASSWORD`, `KEY_ALIAS`, `KEY_PASSWORD`). - -## How it works - -BasedBank talks directly to each bank's existing mobile API using the same protocol as their official apps, reverse-engineered from the APKs. It does not use any intermediary server — requests go straight from your device to the bank. 
- -- **MIB**: Blowfish/ECB encrypted JSON over HTTPS with a Diffie-Hellman session key exchange -- **BML**: PKCE OAuth 2.0 flow via the BML web login, exchanged for a Bearer token used on the mobile API -- **Fahipay**: multipart form login with TOTP, session maintained via `__Secure-sess` cookie and `authid` header +## Download +[Download latest APK](https://git.shihaam.dev/shihaam/ISODroid/releases/latest) ## Privacy @@ -75,3 +24,8 @@ No data ever leaves your device except the API calls to the banking services the ## Disclaimer This is an unofficial third-party app. It is not affiliated with, endorsed by, or supported by MIB, BML, or Fahipay. Use at your own risk. Review the source code before entering your banking credentials. + + +## License + +GNU General Public License v3.0 - See [LICENSE](LICENSE) file for details
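Review bot: In the `@@ -1,6 +1,6 @@` hunk, the rewritten opening paragraph drops the names of the supported services (MIB (Faisanet), BML (Bank of Maldives), Fahipay), yet the unchanged Requirements and Disclaimer sections still refer to MIB, BML and Fahipay by abbreviation only. With the Supported banks table also deleted in the following hunk, nothing left in the README expands those names or states up front which services the client talks to. Keep the bank names in the first sentence, or keep the table.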
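Review bot: In the `@@ -8,65 +8,14 @@` hunk, the added Download link targets `shihaam/ISODroid/releases/latest`, while the README is titled Thijooree (and the removed How it works text called the app BasedBank). For an app that takes banking passwords and TOTP seeds, confirm the link resolves to this project's releases, and consider listing a checksum or the signing-certificate fingerprint beside it so users can verify the APK they install. The same hunk deletes the Authentication, Security and How it works sections, including the pointer to `docs/AI_SECURITY_CHECK.md`, while Requirements still asks for the TOTP seed and the Disclaimer still tells users to review the source before entering credentials. If the removed statements still hold (AES-256-GCM via Android Keystore, PBKDF2 lock screen, FLAG_SECURE, backup exclusion), keep a short Security section or at least the link to the audit document; if they were removed because they no longer hold, say so in the commit message, which currently reads only "update docs" for a change of 8 insertions and 54 deletions.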
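Review bot: In the `@@ -75,3 +24,8 @@` hunk, the new `## License` heading is preceded by two added blank lines, where the other sections in this README are separated by one; drop the extra blank line. The section otherwise duplicates the GPL v3 badge at the top, which already links to `LICENSE`, so keeping one of the two is enough unless both are wanted.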