31 Commits

Author SHA1 Message Date
shihaam 173c02ab8f release version 1.0.13
Build and Release APK / build (push) Successful in 3m12s
Auto Tag on Version Change / check-version (push) Failing after 14m33s
2026-05-31 00:28:28 +05:00
shihaam b37b12996f Contacts after selecting account back button Behaviour Enchantment #30
Auto Tag on Version Change / check-version (push) Successful in 5s
2026-05-31 00:26:10 +05:00
shihaam 21203b39e7 rearrange buttons in contact page #28
Auto Tag on Version Change / check-version (push) Failing after 15m6s
2026-05-31 00:22:55 +05:00
shihaam 0be492ca18 remove custom logic for scan button in PayMV QR generate and just handoff to transfer page to handle auto select account
Auto Tag on Version Change / check-version (push) Failing after 15m1s
2026-05-31 00:18:01 +05:00
shihaam 973576cf6a save static BML QR scans to recents #31
Auto Tag on Version Change / check-version (push) Successful in 6s
2026-05-31 00:06:37 +05:00
shihaam 4523aed69e remove *** on customer amount set PayMV QRs, #29
Auto Tag on Version Change / check-version (push) Successful in 7s
2026-05-30 23:26:55 +05:00
shihaam f90d83b59e improve share to scan to pay flow: fetching merchant details
Auto Tag on Version Change / check-version (push) Failing after 10m51s
2026-05-30 23:22:10 +05:00
shihaam a03b1b1682 improve QR scan flow part:1 unified
Auto Tag on Version Change / check-version (push) Failing after 14m4s
2026-05-30 22:53:56 +05:00
shihaam bc958e2df6 fallback to use transfer if user scanned a paymv qr after selecting a card 2026-05-30 22:29:28 +05:00
shihaam ae8ad24d13 add support for default transfer accounts
Auto Tag on Version Change / check-version (push) Successful in 5s
2026-05-30 22:24:37 +05:00
shihaam a20f2a9ce7 made transfer flow more friendly and vivid UI
Auto Tag on Version Change / check-version (push) Failing after 13m27s
2026-05-30 21:24:35 +05:00
shihaam 0795df35a1 add share to scan to pay
Auto Tag on Version Change / check-version (push) Failing after 11m26s
2026-05-30 20:11:35 +05:00
shihaam 86e1e66a20 update docs
Auto Tag on Version Change / check-version (push) Failing after 14m45s
2026-05-30 19:33:15 +05:00
shihaam a5124096d7 update docs
Auto Tag on Version Change / check-version (push) Failing after 12m5s
2026-05-30 19:00:57 +05:00
shihaam 1d2cd40b3c fix nfc related crash bug
Auto Tag on Version Change / check-version (push) Failing after 11m8s
2026-05-30 18:50:15 +05:00
shihaam abc1a43ad6 address issue #12: add app icon and title
Auto Tag on Version Change / check-version (push) Successful in 5s
2026-05-30 01:12:44 +05:00
shihaam c7718f94b3 add api call indicator to nfc
Auto Tag on Version Change / check-version (push) Failing after 14m27s
2026-05-30 00:21:54 +05:00
shihaam 57bc488b98 new NFC tap to pay animation
Auto Tag on Version Change / check-version (push) Failing after 15m0s
2026-05-29 23:56:23 +05:00
shihaam 7f87c9e13f update docs
Auto Tag on Version Change / check-version (push) Failing after 12m39s
2026-05-29 18:58:43 +05:00
shihaam cc15ab1c6c potential nfc bug fix 2026-05-29 18:58:35 +05:00
shihaam 0efe833e40 release version 1.0.12
Auto Tag on Version Change / check-version (push) Successful in 6s
Build and Release APK / build (push) Failing after 14m56s
2026-05-29 17:35:27 +05:00
shihaam f5f52829c7 bug fix that took user to default card from dashboard instead of the card user selected
Auto Tag on Version Change / check-version (push) Has been cancelled
2026-05-29 16:45:19 +05:00
shihaam 3db077cf9a rename shortcut to scan to pay
Auto Tag on Version Change / check-version (push) Failing after 10m47s
2026-05-29 16:42:04 +05:00
shihaam ee5ecdaa18 new nfc icon, hide cards, removed offline nfc payments
Auto Tag on Version Change / check-version (push) Failing after 12m50s
2026-05-29 16:39:58 +05:00
shihaam 2df162c09e tap-to-pay part 3: default wallet and shortcut
Auto Tag on Version Change / check-version (push) Failing after 11m53s
2026-05-29 15:58:05 +05:00
shihaam 0f77216d2d tap-to-pay part 1
Auto Tag on Version Change / check-version (push) Failing after 14m38s
2026-05-29 15:43:13 +05:00
shihaam 71e893faf8 update download links: preview tg channel
Auto Tag on Version Change / check-version (push) Failing after 11m6s
2026-05-29 11:51:40 +05:00
shihaam 1cd254c134 update download links: preview tg channel
Auto Tag on Version Change / check-version (push) Failing after 12m3s
2026-05-29 11:50:47 +05:00
shihaam 87536a339b update download links
Auto Tag on Version Change / check-version (push) Failing after 14m42s
2026-05-29 11:48:10 +05:00
shihaam 32d23a43b3 lmao 2026-05-29 11:47:14 +05:00
shihaam 846ce22245 more astudio bs 2026-05-29 11:40:09 +05:00
62 changed files with 4147 additions and 215 deletions
+2 -2
@@ -4,10 +4,10 @@
<selectionStates>
<SelectionState runConfigName="app">
<option name="selectionMode" value="DROPDOWN" />
<DropdownSelection timestamp="2026-05-22T00:11:32.873305232Z">
<DropdownSelection timestamp="2026-05-28T18:41:19.777722821Z">
<Target type="DEFAULT_BOOT">
<handle>
<DeviceId pluginId="PhysicalDevice" identifier="serial=683a9830" />
<DeviceId pluginId="PhysicalDevice" identifier="serial=4254e2f" />
</handle>
</Target>
</DropdownSelection>
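Review bot: The `DeviceId pluginId="PhysicalDevice" identifier="serial=..."` line records a developer's physical device serial in per-machine IDE selection state, and the changed timestamp and serial show the file churns whenever a different phone is attached. Remove this file from version control and add it to `.gitignore` so device identifiers stop landing in history.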
+8 -3
@@ -14,12 +14,17 @@ A native Android client for Maldivian banking services. It is a pure client: req
- Existing accounts with MIB, BML, or Fahipay
- Your TOTP seed (base32 secret from your authenticator app setup) for each bank
## Download
[Download latest APK](https://git.shihaam.dev/shihaam/ISODroid/releases/latest)
## Download APK
[Gitea Releases](https://git.shihaam.dev/shihaam/thijooree/releases)
[Telegram Channel](https://t.me/s/thijooreeapks)
## Privacy
No data ever leaves your device except the API calls to the banking services themselves. See the [security audit](docs/AI_SECURITY_CHECK.md) for a full list of every server the app connects to.
No data ever leaves your device except the API calls to the banking services themselves. See the [security audit](docs/thijooree/AI_SECURITY_CHECK.md) for a full list of every server the app connects to.
## Documentation
API reverse-engineering notes and app internals are in [`docs/`](docs/README.md).
## Disclaimer
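Review bot: The Download APK section points users at a releases listing and a Telegram channel but gives no way to check that an APK obtained from either one was built from this repository. Since the README asks for the TOTP seed of each bank, publish the signing certificate fingerprint or per-release checksums next to these links.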
+5 -2
@@ -11,8 +11,8 @@ android {
applicationId = "sh.sar.basedbank"
minSdk = 26
targetSdk = 36
versionCode = 10
versionName = "1.0.11"
versionCode = 12
versionName = "1.0.13"
testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
}
@@ -91,6 +91,9 @@ dependencies {
// Biometric authentication
implementation("androidx.biometric:biometric:1.1.0")
// Encrypted SharedPreferences (HCE token store)
implementation("androidx.security:security-crypto:1.1.0-alpha06")
testImplementation(libs.junit)
androidTestImplementation(libs.androidx.junit)
androidTestImplementation(libs.androidx.espresso.core)
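Review bot: `androidx.security:security-crypto:1.1.0-alpha06` pins an alpha pre-release for the HCE token store, the component that keeps payment tokens at rest. Prefer a stable release of the library or direct Android Keystore use, and if the alpha has to stay, say why in the comment above the dependency.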
+43
@@ -0,0 +1,43 @@
<?xml version="1.0" encoding="utf-8"?>
<shortcuts xmlns:android="http://schemas.android.com/apk/res/android">
<shortcut
android:shortcutId="transfer"
android:enabled="true"
android:icon="@drawable/ic_shortcut_transfer"
android:shortcutShortLabel="@string/transfer"
android:shortcutLongLabel="@string/transfer">
<intent
android:action="sh.sar.basedbank.OPEN_TRANSFER"
android:targetPackage="sh.sar.basedbank.debug"
android:targetClass="sh.sar.basedbank.MainActivity" />
<categories android:name="android.shortcut.conversation" />
</shortcut>
<shortcut
android:shortcutId="scan_qr"
android:enabled="true"
android:icon="@drawable/ic_shortcut_scan_qr"
android:shortcutShortLabel="@string/transfer_scan_qr"
android:shortcutLongLabel="@string/transfer_scan_qr">
<intent
android:action="sh.sar.basedbank.OPEN_SCAN_QR"
android:targetPackage="sh.sar.basedbank.debug"
android:targetClass="sh.sar.basedbank.MainActivity" />
<categories android:name="android.shortcut.conversation" />
</shortcut>
<shortcut
android:shortcutId="tap_to_pay"
android:enabled="true"
android:icon="@drawable/ic_shortcut_pay_card"
android:shortcutShortLabel="@string/card_pay_nfc"
android:shortcutLongLabel="@string/card_pay_nfc">
<intent
android:action="sh.sar.basedbank.TAP_TO_PAY"
android:targetPackage="sh.sar.basedbank.debug"
android:targetClass="sh.sar.basedbank.MainActivity" />
<categories android:name="android.shortcut.conversation" />
</shortcut>
</shortcuts>
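Review bot: All three intents hard-code `android:targetPackage="sh.sar.basedbank.debug"`, while the Gradle hunk sets `applicationId = "sh.sar.basedbank"`. Unless this file lives only in the debug source set and has a release counterpart, the shortcuts will not resolve in release builds. `android.shortcut.conversation` is also an odd category for transfer, scan and tap-to-pay actions; drop the `categories` element if nothing depends on it.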
+36
@@ -7,6 +7,9 @@
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.USE_BIOMETRIC" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.NFC" />
<uses-feature android:name="android.hardware.nfc.hce" android:required="false" />
<application
android:name=".BasedBankApp"
@@ -59,6 +62,39 @@
android:exported="false"
android:screenOrientation="portrait" />
<activity
android:name=".nfc.BmlTapToPayActivity"
android:exported="false"
android:launchMode="singleTop"
android:theme="@style/Theme.BasedBank" />
<service
android:name=".nfc.BmlHostCardEmulatorService"
android:exported="true"
android:permission="android.permission.BIND_NFC_SERVICE">
<intent-filter>
<action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
<meta-data
android:name="android.nfc.cardemulation.host_apdu_service"
android:resource="@xml/bml_aid_list" />
</service>
<!-- Share-sheet alias: "Scan to Pay" receives shared images and decodes their QR code -->
<activity-alias
android:name=".ScanToPayActivity"
android:targetActivity=".MainActivity"
android:exported="true"
android:label="@string/transfer_scan_qr"
android:icon="@drawable/ic_qr_scan">
<intent-filter>
<action android:name="android.intent.action.SEND" />
<category android:name="android.intent.category.DEFAULT" />
<data android:mimeType="image/*" />
</intent-filter>
</activity-alias>
<provider
android:name="androidx.core.content.FileProvider"
android:authorities="${applicationId}.fileprovider"
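Review bot: `BmlHostCardEmulatorService` points at `@xml/bml_aid_list`, which is not among the visible hunks, so it cannot be checked here whether its `host-apdu-service` element sets `android:requireDeviceUnlock="true"`. Since this service answers readers with payment data, please confirm that attribute is set. The exported `ScanToPayActivity` alias accepts `image/*` from any app, so whatever is decoded from that image has to be treated as untrusted input downstream.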
@@ -278,9 +278,13 @@ class LockActivity : AppCompatActivity() {
}
val navDest = intent.getIntExtra("nav_destination", -1)
val autoScan = intent.getBooleanExtra("auto_scan", false)
val autoTapMode = intent.getBooleanExtra("auto_tap_mode", false)
val shareQrText = intent.getStringExtra("share_qr_text")
startActivity(Intent(this, HomeActivity::class.java).apply {
if (navDest != -1) putExtra("nav_destination", navDest)
if (autoScan) putExtra("auto_scan", true)
if (autoTapMode) putExtra("auto_tap_mode", true)
if (shareQrText != null) putExtra("share_qr_text", shareQrText)
})
finish()
}
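Review bot: `share_qr_text` and `auto_tap_mode` are read from the incoming intent and forwarded to `HomeActivity` as bare string literals that MainActivity repeats. Move the extra keys to shared constants, and have the receiver validate `share_qr_text` the same way a camera-scanned QR is validated, because it originates from an image another app supplied.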
@@ -12,6 +12,28 @@ import sh.sar.basedbank.R
class MainActivity : AppCompatActivity() {
private fun decodeQrFromSharedImage(uri: android.net.Uri): String? {
return try {
val bitmap = contentResolver.openInputStream(uri)?.use {
android.graphics.BitmapFactory.decodeStream(it)
} ?: return null
val opts = de.markusfisch.android.zxingcpp.ZxingCpp.ReaderOptions(
tryHarder = true, tryRotate = true, tryInvert = true,
tryDownscale = true, maxNumberOfSymbols = 1,
textMode = de.markusfisch.android.zxingcpp.ZxingCpp.TextMode.PLAIN
)
val result = (de.markusfisch.android.zxingcpp.ZxingCpp.readBitmap(
bitmap, 0, 0, bitmap.width, bitmap.height, 0,
opts.apply { binarizer = de.markusfisch.android.zxingcpp.ZxingCpp.Binarizer.LOCAL_AVERAGE }
) ?: de.markusfisch.android.zxingcpp.ZxingCpp.readBitmap(
bitmap, 0, 0, bitmap.width, bitmap.height, 0,
opts.apply { binarizer = de.markusfisch.android.zxingcpp.ZxingCpp.Binarizer.GLOBAL_HISTOGRAM }
))?.firstOrNull()?.text
bitmap.recycle()
result
} catch (_: Exception) { null }
}
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
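Review bot: `decodeQrFromSharedImage` calls `BitmapFactory.decodeStream` on an image supplied by another app with no size bound, and `catch (_: Exception)` does not cover `OutOfMemoryError`, so a very large shared image can crash the app. Read the dimensions first with `inJustDecodeBounds` and downsample with `inSampleSize`, and move `bitmap.recycle()` into a `finally` block, since an exception thrown by `readBitmap` currently skips it.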
@@ -21,13 +43,26 @@ class MainActivity : AppCompatActivity() {
val store = CredentialStore(this)
val hasCredentials = store.hasMibCredentials() || store.hasBmlCredentials() || store.hasFahipayCredentials()
// Image shared via "Scan to Pay" — decode QR here while we still hold the URI permission
val shareQrText: String? = if (intent?.action == Intent.ACTION_SEND &&
intent.type?.startsWith("image/") == true) {
val uri: android.net.Uri? =
if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.TIRAMISU)
intent.getParcelableExtra(Intent.EXTRA_STREAM, android.net.Uri::class.java)
else
@Suppress("DEPRECATION") intent.getParcelableExtra(Intent.EXTRA_STREAM)
if (uri != null) decodeQrFromSharedImage(uri) else null
} else null
val navDestination = when (intent?.action) {
"sh.sar.basedbank.OPEN_TRANSFER" -> R.id.nav_transfer
"sh.sar.basedbank.OPEN_SCAN_QR" -> R.id.nav_transfer
"sh.sar.basedbank.OPEN_PAY_WITH_CARD" -> R.id.nav_pay_with_card
"sh.sar.basedbank.TAP_TO_PAY" -> R.id.nav_pay_with_card
else -> -1
}
val autoScan = intent?.action == "sh.sar.basedbank.OPEN_SCAN_QR"
val autoTapMode = intent?.action == "sh.sar.basedbank.TAP_TO_PAY"
val target = when {
!onboardingDone -> OnboardingActivity::class.java
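Review bot: The `ACTION_SEND` branch runs the whole decode (`tryHarder`, up to two binarizer passes) synchronously inside `onCreate`, on the main thread, which risks an ANR on large or hard-to-read images. Do the decode on a background thread and start the target activity when it completes, or copy the stream into app-private cache while the URI permission is held and decode after unlock.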
@@ -43,6 +78,8 @@ class MainActivity : AppCompatActivity() {
startActivity(Intent(this, target).apply {
if (navDestination != -1) putExtra("nav_destination", navDestination)
if (autoScan) putExtra("auto_scan", true)
if (autoTapMode) putExtra("auto_tap_mode", true)
if (shareQrText != null) putExtra("share_qr_text", shareQrText)
})
finish()
}
@@ -82,6 +82,15 @@ data class BmlQrPayResult(
val errorMessage: String = ""
)
data class BmlWalletToken(
val token: String,
val expiry: String,
val appCode: String, // AID hex, e.g. "A0000000031010"
val serviceCode: String,
val data: String,
val validUntil: String // "YYYY-MM-DD HH:mm:ss.SSS"
)
data class BmlForeignLimit(
val type: String,
val used: Double,
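Review bot: `BmlWalletToken` is a `data class`, so its generated `toString()` prints `token`, `expiry`, `serviceCode` and `data`, which together make up the track 2 contents. Override `toString()` to redact those fields, or use a plain class, so a token cannot reach logs or crash reports through string interpolation.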
@@ -0,0 +1,79 @@
package sh.sar.basedbank.api.bml
import okhttp3.MediaType.Companion.toMediaType
import okhttp3.RequestBody.Companion.toRequestBody
import org.json.JSONArray
import org.json.JSONObject
class BmlTapToPayClient {
private val client = newBmlApiClient()
/**
* Fetches up to [quantity] single-use payment tokens for [cardId].
* [otp] is a TOTP code generated from the stored BML OTP seed.
*
* Flow:
* 1. POST → code 99 (OTP required) or 0 (direct, unlikely)
* 2. POST with channel=token → code 22 (OTP generated on BML side, but we use TOTP)
* 3. POST with otp=TOTP → code 0, payload = token list
*/
fun fetchTokens(
session: BmlSession,
cardId: String,
otp: String,
quantity: Int = 3
): List<BmlWalletToken> {
val url = "$BML_BASE_URL/api/mobile/walletpayments/gettoken"
// Step 1: initiate
val base = JSONObject().apply {
put("type", "track2")
put("cardid", cardId)
put("quantity", quantity)
}
val step1 = post(session, url, base)
if (step1.optInt("code") == 0) return parseTokens(step1.optJSONArray("payload"))
if (step1.optInt("code") != 99) throw Exception(step1.optString("message", "Token request failed"))
// Step 2: request OTP channel (triggers BML to validate we can use TOTP)
val body2 = JSONObject(base.toString()).apply { put("channel", "token") }
val step2 = post(session, url, body2)
if (step2.optInt("code") != 22) throw Exception(step2.optString("message", "OTP channel request failed"))
// Step 3: submit TOTP
val body3 = JSONObject(body2.toString()).apply { put("otp", otp) }
val step3 = post(session, url, body3)
if (step3.optInt("code") != 0) throw Exception(step3.optString("message", "Token fetch failed"))
return parseTokens(step3.optJSONArray("payload"))
}
private fun post(session: BmlSession, url: String, body: JSONObject): JSONObject {
val req = okhttp3.Request.Builder()
.url(url)
.post(body.toString().toRequestBody("application/json".toMediaType()))
.header("Authorization", "Bearer ${session.accessToken}")
.header("User-Agent", BML_USER_AGENT)
.header("x-app-version", BML_APP_VERSION)
.build()
return client.newCall(req).execute().use { resp ->
JSONObject(resp.body?.string() ?: throw Exception("Empty response"))
}
}
private fun parseTokens(arr: JSONArray?): List<BmlWalletToken> {
arr ?: return emptyList()
return (0 until arr.length()).map { i ->
val o = arr.getJSONObject(i)
BmlWalletToken(
token = o.getString("token"),
expiry = o.getString("expiry"),
appCode = o.getString("app_code"),
serviceCode = o.getString("service_code"),
data = o.optString("data", ""),
validUntil = o.optString("valid_until", "")
)
}
}
}
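Review bot: In `fetchTokens`, `step1.optInt("code") == 0` is also true when the response has no `code` field, because `optInt` defaults to 0, so a malformed or error body is treated as success and returns an empty token list. Use `optInt("code", -1)` in all three checks, and have `post` check `resp.isSuccessful` before parsing so a non-JSON error page does not surface as a `JSONException`. Throwing a dedicated exception type instead of bare `Exception` would let callers tell an OTP failure from a transport failure.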
@@ -0,0 +1,185 @@
package sh.sar.basedbank.nfc
import android.content.Intent
import android.nfc.cardemulation.HostApduService
import android.os.Bundle
import android.util.Log
import sh.sar.basedbank.api.bml.BmlWalletToken
/**
* HCE service that emulates a BML contactless payment card.
*
* Implements the minimal EMV mag-stripe contactless flow:
* SELECT PPSE → SELECT AID → GET PROCESSING OPTIONS → READ RECORD
*
* Each BmlWalletToken is single-use and is set via [setToken] before tapping.
* After READ RECORD is sent the [onTransactionComplete] callback fires.
*/
class BmlHostCardEmulatorService : HostApduService() {
private var gpoSent = false
override fun processCommandApdu(commandApdu: ByteArray?, extras: Bundle?): ByteArray {
if (commandApdu == null) return SW_UNKNOWN_ERROR
val apdu = Apdu(commandApdu)
if (apdu.isError) return apdu.errorResponse()
return when (apdu.ins) {
INS_SELECT -> handleSelect(apdu)
INS_GPO -> handleGpo()
INS_READ -> handleReadRecord()
else -> SW_INS_NOT_SUPPORTED
}
}
override fun onDeactivated(reason: Int) {
if (!gpoSent) onTransactionComplete?.invoke(false)
gpoSent = false
}
// ── APDU handlers ──────────────────────────────────────────────────────────
private fun handleSelect(apdu: Apdu): ByteArray {
val data = apdu.data ?: return SW_UNKNOWN_ERROR
if (data.contentEquals(PPSE_BYTES)) {
val token = activeToken ?: run { launchPromptActivity(); return SW_UNKNOWN_ERROR }
return hexToBytes(buildSelectPpseResponse(token.appCode, applicationLabel(token.appCode), "01"))
}
val token = activeToken ?: return SW_UNKNOWN_ERROR
return if (data.contentEquals(hexToBytes(token.appCode))) {
hexToBytes(buildSelectAidResponse(token.appCode, applicationLabel(token.appCode)))
} else {
SW_UNKNOWN_ERROR
}
}
private fun launchPromptActivity() {
val intent = Intent(applicationContext, BmlTapToPayActivity::class.java).apply {
flags = Intent.FLAG_ACTIVITY_NEW_TASK
}
startActivity(intent)
}
private fun handleGpo(): ByteArray {
gpoSent = true
// AIP=0080 (mag-stripe mode), AFL=08010100 (SFI=1, record 1-1, offline 0)
val miscData = "008008010100"
val body = tlv("80", miscData)
return hexToBytes(body + SW_OK_HEX)
}
private fun handleReadRecord(): ByteArray {
val token = activeToken ?: return SW_UNKNOWN_ERROR
val track2 = buildTrack2(token)
val body = tlv("70", tlv("57", track2))
val response = hexToBytes(body + SW_OK_HEX)
onTransactionComplete?.invoke(true)
return response
}
// ── TLV / APDU response builders ───────────────────────────────────────────
private fun buildSelectPpseResponse(aid: String, label: String, priority: String): String {
val priorityTlv = tlv("87", priority) // tag 87
val aidTlv = tlv("4F", aid) // tag 4F (ADF Name)
val appEntry = tlv("61", aidTlv + priorityTlv) // tag 61
val ppseTlv = tlv("84", PPSE_HEX) // tag 84 (DF Name)
val inner = tlv("BF0C", appEntry) // tag BF0C
val propTemplate = tlv("A5", inner) // tag A5
val fci = tlv("6F", ppseTlv + propTemplate) // tag 6F
return fci + SW_OK_HEX
}
private fun buildSelectAidResponse(aid: String, label: String): String {
val aidTlv = tlv("84", aid) // tag 84
val labelTlv = tlv("50", asciiToHex(label)) // tag 50
val pdolTlv = tlv("9F38", "9F6602") // PDOL: TTQ 2 bytes
val propTemplate = tlv("A5", labelTlv + pdolTlv) // tag A5
val fci = tlv("6F", aidTlv + propTemplate) // tag 6F
return fci + SW_OK_HEX
}
private fun buildTrack2(token: BmlWalletToken): String {
var t2 = "${token.token}D${token.expiry}${token.serviceCode}${token.data}"
if (t2.length % 2 != 0) t2 += "F"
return t2
}
// ── Helpers ─────────────────────────────────────────────────────────────────
/** Build BER-TLV: tag (hex string, 1 or 2 bytes) + DER length + data (hex string). */
private fun tlv(tagHex: String, dataHex: String): String {
val lenBytes = dataHex.length / 2
val lenHex = when {
lenBytes <= 0x7F -> lenBytes.toHexByte()
lenBytes <= 0xFF -> "81" + lenBytes.toHexByte()
else -> "82" + (lenBytes shr 8).toHexByte() + (lenBytes and 0xFF).toHexByte()
}
return tagHex + lenHex + dataHex
}
private fun Int.toHexByte(): String = toString(16).padStart(2, '0').uppercase()
private fun asciiToHex(s: String): String =
s.toByteArray(Charsets.US_ASCII).joinToString("") { "%02X".format(it) }
private fun hexToBytes(hex: String): ByteArray {
val s = hex.uppercase()
return ByteArray(s.length / 2) { i ->
s.substring(i * 2, i * 2 + 2).toInt(16).toByte()
}
}
// ── APDU parser ─────────────────────────────────────────────────────────────
private inner class Apdu(raw: ByteArray) {
val isError: Boolean
val ins: Int
val data: ByteArray?
init {
if (raw.size < 5) {
isError = true; ins = -1; data = null
} else {
isError = false
ins = raw[1].toInt() and 0xFF
val lc = if (raw.size > 4) raw[4].toInt() and 0xFF else 0
data = if (lc > 0 && raw.size >= 5 + lc) raw.copyOfRange(5, 5 + lc) else null
}
}
fun errorResponse() = SW_UNKNOWN_ERROR
}
companion object {
private const val TAG = "BmlHCE"
private const val INS_SELECT = 0xA4
private const val INS_GPO = 0xA8
private const val INS_READ = 0xB2
private val PPSE_HEX = "325041592E5359532E4444463031" // "2PAY.SYS.DDF01"
private val PPSE_BYTES = byteArrayOf(
0x32,0x50,0x41,0x59,0x2E,0x53,0x59,0x53,0x2E,0x44,0x44,0x46,0x30,0x31
)
private const val SW_OK_HEX = "9000"
private val SW_UNKNOWN_ERROR = byteArrayOf(0x6F.toByte(), 0x00.toByte())
private val SW_INS_NOT_SUPPORTED = byteArrayOf(0x6D.toByte(), 0x00.toByte())
@Volatile var activeToken: BmlWalletToken? = null
@Volatile var onTransactionComplete: ((success: Boolean) -> Unit)? = null
fun setToken(token: BmlWalletToken) { activeToken = token }
fun clearToken() { activeToken = null }
fun applicationLabel(aidHex: String): String = when {
aidHex.startsWith("A0000000031010", ignoreCase = true) -> "VISA"
aidHex.startsWith("A0000000041010", ignoreCase = true) -> "MASTERCARD"
aidHex.startsWith("A000000025", ignoreCase = true) -> "AMEX"
else -> "BML"
}
}
}
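Review bot: `handleReadRecord` returns the track 2 record whenever `activeToken` is set, without checking that SELECT AID and GET PROCESSING OPTIONS came first (`gpoSent` is only read in `onDeactivated`), and nothing in this file calls `clearToken()` after the record is sent even though the KDoc describes each token as single-use. Gate READ RECORD on the expected command sequence and clear `activeToken` once the response is built. `activeToken` and `onTransactionComplete` are mutable companion-object state that any code in the process can write, so consider narrowing their visibility; the `label` parameter of `buildSelectPpseResponse`, `TAG` and the `Log` import are unused.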
@@ -0,0 +1,20 @@
package sh.sar.basedbank.nfc
import android.content.Intent
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import sh.sar.basedbank.MainActivity
/**
* Fallback entry point — redirects to MainActivity which routes to the in-app tap-to-pay screen.
*/
class BmlTapToPayActivity : AppCompatActivity() {
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
startActivity(Intent(this, MainActivity::class.java).apply {
action = "sh.sar.basedbank.TAP_TO_PAY"
flags = Intent.FLAG_ACTIVITY_NEW_TASK or Intent.FLAG_ACTIVITY_CLEAR_TASK
})
finish()
}
}
@@ -37,7 +37,12 @@ class AccountHistoryAdapter(
var onImageNeeded: ((counterpartyName: String) -> Unit)? = null
var onIconUrlNeeded: ((url: String) -> Unit)? = null
var onTransferClick: ((BankAccount) -> Unit)? = null
var onDefaultToggle: ((Boolean) -> Unit)? = null
private var hideAmounts: Boolean = false
var showDefaultToggle: Boolean = false
set(value) { if (field == value) return; field = value; notifyItemChanged(0) }
var isDefaultAccount: Boolean = false
set(value) { if (field == value) return; field = value; notifyItemChanged(0) }
fun setHideAmounts(hide: Boolean) {
if (hideAmounts == hide) return
@@ -174,6 +179,20 @@ class AccountHistoryAdapter(
b.llHeaderBlocked.visibility = View.GONE
}
b.btnHeaderTransfer.setOnClickListener { onTransferClick?.invoke(account) }
if (showDefaultToggle) {
b.dividerDefaultAccount.visibility = View.VISIBLE
b.llDefaultAccountRow.visibility = View.VISIBLE
b.switchDefaultAccount.setOnCheckedChangeListener(null)
b.switchDefaultAccount.isChecked = isDefaultAccount
b.switchDefaultAccount.setOnCheckedChangeListener { _, checked ->
isDefaultAccount = checked
onDefaultToggle?.invoke(checked)
}
} else {
b.dividerDefaultAccount.visibility = View.GONE
b.llDefaultAccountRow.visibility = View.GONE
}
}
}
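Review bot: Inside the `switchDefaultAccount` listener, `isDefaultAccount = checked` goes through the property setter, which calls `notifyItemChanged(0)` and rebinds the header while the switch is still being toggled. Update the stored state without notifying from inside the listener, or let the fragment assign `isDefaultAccount` after it has persisted the change.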
@@ -29,7 +29,9 @@ import sh.sar.basedbank.api.models.BankTransaction
import sh.sar.basedbank.api.mib.TransactionCache
import sh.sar.basedbank.databinding.FragmentAccountHistoryBinding
import sh.sar.basedbank.util.AccountHistoryParser
import sh.sar.basedbank.util.AccountListParser
import sh.sar.basedbank.util.ContactImageCache
import sh.sar.basedbank.util.CredentialStore
import sh.sar.basedbank.util.HistoryFetcher
import sh.sar.basedbank.util.MerchantIconCache
@@ -80,6 +82,23 @@ class AccountHistoryFragment : Fragment() {
}
adapter.setHideAmounts(viewModel.hideAmounts.value ?: false)
viewModel.hideAmounts.observe(viewLifecycleOwner) { adapter.setHideAmounts(it) }
// Show default account toggle only for non-card accounts
val isCard = AccountListParser.from(account)?.isCard ?: false
if (!isCard) {
val store = CredentialStore(requireContext())
adapter.showDefaultToggle = true
adapter.isDefaultAccount = store.getDefaultAccountNumber() == account.accountNumber
adapter.onDefaultToggle = { isChecked ->
if (isChecked) {
store.setDefaultAccountNumber(account.accountNumber)
} else {
if (store.getDefaultAccountNumber() == account.accountNumber) {
store.setDefaultAccountNumber(null)
}
}
}
}
binding.recyclerView.layoutManager = LinearLayoutManager(requireContext())
binding.recyclerView.adapter = adapter
@@ -131,7 +150,12 @@ class AccountHistoryFragment : Fragment() {
override fun onResume() {
super.onResume()
if (::account.isInitialized) requireActivity().title = account.accountBriefName
if (::account.isInitialized) {
requireActivity().title = account.accountBriefName
if (adapter.showDefaultToggle) {
adapter.isDefaultAccount = CredentialStore(requireContext()).getDefaultAccountNumber() == account.accountNumber
}
}
}
private fun filterAndDisplay() {
@@ -33,6 +33,8 @@ import sh.sar.basedbank.api.models.BankAccount
import sh.sar.basedbank.databinding.FragmentBmlQrPayBinding
import sh.sar.basedbank.databinding.ItemAccountDropdownBinding
import sh.sar.basedbank.util.CredentialStore
import sh.sar.basedbank.util.RecentPick
import sh.sar.basedbank.util.RecentsCache
import sh.sar.basedbank.util.Totp
class BmlQrPayFragment : Fragment() {
@@ -150,6 +152,19 @@ class BmlQrPayFragment : Fragment() {
return@launch
}
merchantInfo = info
if (info.amount == 0.0) {
val qrUrl = arguments?.getString(ARG_QR_URL)
if (qrUrl != null) {
RecentsCache.save(requireContext(), RecentPick(
accountNumber = "bmlqr:$qrUrl",
displayName = info.merchantName,
subtitle = info.merchantAddress.ifBlank { "BML Merchant" },
colorHex = "#0066A1",
imageHash = null,
isProfileImage = false
))
}
}
populateMerchant(info)
}
}
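Review bot: `accountNumber = "bmlqr:$qrUrl"` persists the scanned URL into recents without checking where it points, and `displayName = info.merchantName` stores the merchant name alongside it for later reuse. Validate the URL before saving (DashboardFragment in this change compares against `https://ebanking.bankofmaldives.com.mv/qrpay/`), and make sure merchant details are fetched again when the recent is picked rather than shown from the stored entry. `info.amount == 0.0` is an exact floating-point comparison; if it means "no amount set", a nullable amount or an explicit flag would say so more reliably.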
@@ -168,6 +168,10 @@ class ContactPickerSheetFragment : BottomSheetDialogFragment() {
val account = accounts.firstOrNull { it.accountNumber == accountNumber }
val bundle = bundleOf(KEY_ACCOUNT_NUMBER to accountNumber, KEY_LABEL to label)
when {
accountNumber.startsWith("bmlqr:") -> {
bundle.putString(KEY_SUBTITLE, "BML QR Merchant")
bundle.putString(KEY_COLOR, "#0066A1")
}
account != null -> {
bundle.putString(KEY_SUBTITLE, "${account.accountNumber} · ${account.currencyName} ${account.availableBalance}")
bundle.putString(KEY_COLOR, "#FE860E")
@@ -178,7 +178,7 @@ class ContactsFragment : Fragment() {
colorHex = contact.bankColor,
imageHash = contact.imageHash
)
(requireActivity() as HomeActivity).navigateTo(R.id.nav_transfer, fragment)
(requireActivity() as HomeActivity).showWithBackStack(fragment)
}
private fun confirmDelete(contact: ContactDisplay) {
@@ -4,13 +4,13 @@ import android.app.Activity
import android.content.Context
import android.content.Intent
import android.os.Bundle
import androidx.activity.result.contract.ActivityResultContracts
import android.view.LayoutInflater
import android.view.View
import android.view.ViewGroup
import android.widget.ImageView
import android.widget.TextView
import android.widget.Toast
import androidx.activity.result.contract.ActivityResultContracts
import androidx.core.content.ContextCompat
import androidx.core.view.ViewCompat
import androidx.core.view.WindowInsetsCompat
@@ -25,8 +25,8 @@ import sh.sar.basedbank.api.models.BankAccount
import sh.sar.basedbank.api.mib.MibCard
import sh.sar.basedbank.api.mib.MibFinanceDeal
import sh.sar.basedbank.util.bmlapi.BmlCardParser
import sh.sar.basedbank.util.PaymvQrParser
import sh.sar.basedbank.util.CredentialStore
import sh.sar.basedbank.util.PaymvQrParser
import kotlin.math.abs
import sh.sar.basedbank.databinding.FragmentDashboardBinding
import sh.sar.basedbank.databinding.ItemForeignLimitBinding
@@ -36,21 +36,35 @@ class DashboardFragment : Fragment() {
private var _binding: FragmentDashboardBinding? = null
private val binding get() = _binding!!
private val viewModel: HomeViewModel by activityViewModels()
private var pendingQrAccountNumber: String? = null
private var pendingQrCardNumber: String? = null
private val qrLauncher = registerForActivityResult(ActivityResultContracts.StartActivityForResult()) { result ->
if (result.resultCode != Activity.RESULT_OK) return@registerForActivityResult
val raw = result.data?.getStringExtra(QrScannerActivity.EXTRA_QR_CONTENT) ?: return@registerForActivityResult
val cardNumber = pendingQrCardNumber.also { pendingQrCardNumber = null }
val bmlUrl = PaymvQrParser.extractBmlGatewayUrl(raw)
if (raw.startsWith("https://ebanking.bankofmaldives.com.mv/qrpay/") || bmlUrl != null) {
(requireActivity() as HomeActivity).navigateTo(
R.id.nav_transfer, TransferFragment.newInstanceFromBmlQr(bmlUrl ?: raw, pendingQrAccountNumber)
R.id.nav_transfer, TransferFragment.newInstanceFromBmlQr(bmlUrl ?: raw, cardNumber)
)
} else {
Toast.makeText(requireContext(), R.string.transfer_qr_invalid, Toast.LENGTH_SHORT).show()
val qr = PaymvQrParser.parse(raw)
if (qr?.accountNumber != null) {
Toast.makeText(requireContext(), R.string.card_qr_paymv_unsupported, Toast.LENGTH_SHORT).show()
val defaultFrom = CredentialStore(requireContext()).getDefaultAccountNumber()
(requireActivity() as HomeActivity).navigateTo(
R.id.nav_transfer, TransferFragment.newInstanceFromQr(
accountNumber = qr.accountNumber,
displayName = qr.merchantName ?: qr.accountNumber,
amount = qr.amount,
remarks = qr.purpose,
fromAccountNumber = defaultFrom
)
)
} else {
Toast.makeText(requireContext(), R.string.transfer_qr_invalid, Toast.LENGTH_SHORT).show()
}
}
pendingQrAccountNumber = null
}
override fun onCreateView(inflater: LayoutInflater, container: ViewGroup?, savedInstanceState: Bundle?): View {
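Review bot: In the PayMV branch, `displayName = qr.merchantName ?: qr.accountNumber`, `amount = qr.amount` and `remarks = qr.purpose` all come straight from the scanned QR, so whoever created the code controls the payee name and amount the transfer screen opens with. Make sure the transfer screen resolves the account holder name from the bank for `qr.accountNumber` and shows it before confirmation, instead of relying on the QR-supplied name. The hard-coded `https://ebanking.bankofmaldives.com.mv/qrpay/` prefix would be better as a shared constant next to `PaymvQrParser.extractBmlGatewayUrl`.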
@@ -98,12 +112,16 @@ class DashboardFragment : Fragment() {
LinearSnapHelper().attachToRecyclerView(binding.rvCards)
val updateCardList = {
val mibItems = (viewModel.mibCards.value ?: emptyList()).map { CardItem.Mib(it) }
val credStore = CredentialStore(requireContext())
val hidden = credStore.getHiddenDashboardCardNumbers()
val mibItems = (viewModel.mibCards.value ?: emptyList())
.filter { !hidden.contains(it.maskedCardNumber) }
.map { CardItem.Mib(it) }
val bmlItems = (viewModel.accounts.value ?: emptyList())
.filter { (it.profileType == "BML_PREPAID" || it.profileType == "BML_CREDIT" || it.profileType == "BML_DEBIT") && it.statusDesc.equals("Active", ignoreCase = true) }
.filter { (it.profileType == "BML_PREPAID" || it.profileType == "BML_CREDIT" || it.profileType == "BML_DEBIT") && it.statusDesc.equals("Active", ignoreCase = true) && !hidden.contains(it.accountNumber) }
.map { CardItem.Bml(it) }
val all = mibItems + bmlItems
val defaultNum = CredentialStore(requireContext()).getDefaultCardAccountNumber()
val defaultNum = credStore.getDefaultCardAccountNumber()
val ordered = if (defaultNum != null) {
val def = all.filterIsInstance<CardItem.Bml>().firstOrNull { it.account.accountNumber == defaultNum }
if (def != null) listOf(def) + all.filter { it !== def } else all
@@ -127,10 +145,30 @@ class DashboardFragment : Fragment() {
override fun onResume() {
super.onResume()
requireActivity().title = getString(R.string.nav_dashboard)
val isBottom = requireContext().getSharedPreferences("prefs", Context.MODE_PRIVATE)
.getBoolean("bottom_nav", false)
if (isBottom) {
requireActivity().title = getString(R.string.app_name)
val size = (28 * resources.displayMetrics.density).toInt()
val gap = (8 * resources.displayMetrics.density).toInt()
val icon = requireContext().packageManager.getApplicationIcon(requireContext().packageName)
val bmp = android.graphics.Bitmap.createBitmap(size + gap, size, android.graphics.Bitmap.Config.ARGB_8888)
val canvas = android.graphics.Canvas(bmp)
icon.setBounds(0, 0, size, size)
icon.draw(canvas)
requireActivity().findViewById<com.google.android.material.appbar.MaterialToolbar>(R.id.toolbar).logo =
android.graphics.drawable.BitmapDrawable(resources, bmp)
} else {
requireActivity().title = getString(R.string.nav_dashboard)
}
refreshQuickActions()
}
override fun onPause() {
super.onPause()
requireActivity().findViewById<com.google.android.material.appbar.MaterialToolbar>(R.id.toolbar).logo = null
}
private fun refreshQuickActions() {
val prefs = requireContext().getSharedPreferences("prefs", Context.MODE_PRIVATE)
val isBottom = prefs.getBoolean("bottom_nav", false)
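Review bot: `onResume` allocates a new `Bitmap` and `BitmapDrawable` on every resume when `bottom_nav` is set, and both `onResume` and `onPause` dereference `findViewById<MaterialToolbar>(R.id.toolbar)` without a null check, which crashes if the host layout has no such view. Build the logo once and cache it, and use a safe call when setting or clearing `logo`. The `"prefs"` / `"bottom_nav"` lookup is now done in `onResume` and again in `refreshQuickActions()`; read it once and pass it in.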
@@ -378,7 +416,7 @@ class DashboardFragment : Fragment() {
if (isMib) {
Toast.makeText(requireContext(), R.string.mib_qr_nfc_not_supported, Toast.LENGTH_SHORT).show()
} else {
pendingQrAccountNumber = (item as CardItem.Bml).account.accountNumber
pendingQrCardNumber = (item as CardItem.Bml).account.accountNumber
qrLauncher.launch(Intent(requireContext(), QrScannerActivity::class.java))
}
}
@@ -386,8 +424,15 @@ class DashboardFragment : Fragment() {
val nfcSupported = nfcAdapter != null
btnPayNfc.isEnabled = nfcSupported
btnPayNfc.setOnClickListener {
val msg = if (isMib) R.string.mib_qr_nfc_not_supported else R.string.work_in_progress
Toast.makeText(requireContext(), msg, Toast.LENGTH_SHORT).show()
if (isMib) {
Toast.makeText(requireContext(), R.string.mib_qr_nfc_not_supported, Toast.LENGTH_SHORT).show()
} else {
val accountNumber = (item as CardItem.Bml).account.accountNumber
(requireActivity() as HomeActivity).navigateTo(
R.id.nav_pay_with_card,
CardsFragment.newInstanceWithAutoTapMode(accountNumber)
)
}
}
}
}
@@ -237,14 +237,26 @@ class HomeActivity : AppCompatActivity() {
if (savedInstanceState == null) {
val navDest = intent.getIntExtra("nav_destination", -1)
val autoScan = intent.getBooleanExtra("auto_scan", false)
if (navDest != -1) {
val fragment = if (autoScan && navDest == R.id.nav_transfer)
TransferFragment.newInstanceWithAutoScan()
else null
navigateTo(navDest, fragment)
} else {
show(DashboardFragment())
binding.navigationView.setCheckedItem(R.id.nav_dashboard)
val autoTapMode = intent.getBooleanExtra("auto_tap_mode", false)
val shareQrText = intent.getStringExtra("share_qr_text")
when {
shareQrText != null -> {
show(DashboardFragment())
binding.navigationView.setCheckedItem(R.id.nav_dashboard)
routeSharedQrText(shareQrText)
}
navDest != -1 -> {
val fragment = when {
autoScan && navDest == R.id.nav_transfer -> TransferFragment.newInstanceWithAutoScan()
autoTapMode && navDest == R.id.nav_pay_with_card -> CardsFragment.newInstanceWithAutoTapMode()
else -> null
}
navigateTo(navDest, fragment)
}
else -> {
show(DashboardFragment())
binding.navigationView.setCheckedItem(R.id.nav_dashboard)
}
}
}
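Review bot: `share_qr_text` and `auto_tap_mode` are read straight from the launch intent and drive a transfer prefill and tap-to-pay entry, and nothing in this hunk checks where the intent came from. The manifest is not part of the visible diff, so please confirm `HomeActivity` is not exported, or that whichever exported entry point forwards these extras validates them. Treat both as untrusted input: bound the length of `shareQrText` before it reaches the parser, and make sure `auto_tap_mode` can never bypass the user confirmation step.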
@@ -433,6 +445,27 @@ fun applyNavLabelVisibility() {
.commit()
}
private fun routeSharedQrText(text: String) {
val store = CredentialStore(this)
val bmlUrl = sh.sar.basedbank.util.PaymvQrParser.extractBmlGatewayUrl(text)
if (text.startsWith("https://ebanking.bankofmaldives.com.mv/qrpay/") || bmlUrl != null) {
navigateTo(R.id.nav_transfer, TransferFragment.newInstanceFromBmlQr(bmlUrl ?: text, store.getDefaultCardAccountNumber()))
return
}
val qr = sh.sar.basedbank.util.PaymvQrParser.parse(text)
if (qr?.accountNumber != null) {
navigateTo(R.id.nav_transfer, TransferFragment.newInstanceFromQr(
accountNumber = qr.accountNumber,
displayName = qr.merchantName ?: qr.accountNumber,
amount = qr.amount,
remarks = qr.purpose,
fromAccountNumber = store.getDefaultAccountNumber()
))
} else {
Toast.makeText(this, R.string.transfer_qr_invalid, Toast.LENGTH_SHORT).show()
}
}
override fun onResume() {
super.onResume()
// Returning from LockActivity — refresh sessions since they may have expired.
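Review bot: In `routeSharedQrText`, the `text.startsWith("https://ebanking.bankofmaldives.com.mv/qrpay/")` branch forwards the whole shared string (`bmlUrl ?: text`) to `newInstanceFromBmlQr`, so whatever follows the prefix in the shared text goes along unvalidated. Trim the input, parse it as a URI, check scheme, host and path, and pass on only the normalised URL. The URL literal and the BML/PayMV branching now live both here and in `CardsFragment.qrLauncher`; one helper in `PaymvQrParser` would keep the two paths from drifting, and an import would replace the fully qualified `sh.sar.basedbank.util.PaymvQrParser` references.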
@@ -7,13 +7,10 @@ import android.os.Build
import android.os.Bundle
import android.os.Environment
import android.provider.MediaStore
import android.app.Activity
import android.content.Intent
import android.view.LayoutInflater
import android.view.View
import android.view.ViewGroup
import android.widget.*
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.content.res.AppCompatResources
import androidx.core.content.FileProvider
import androidx.core.view.ViewCompat
@@ -39,7 +36,6 @@ import sh.sar.basedbank.databinding.FragmentPayMvQrBinding
import sh.sar.basedbank.util.CredentialStore
import sh.sar.basedbank.databinding.ItemAccountDropdownBinding
import sh.sar.basedbank.util.AccountListParser
import sh.sar.basedbank.util.PaymvQrParser
import sh.sar.basedbank.util.bmlapi.BmlCardParser
import sh.sar.basedbank.util.bmlapi.BmlDashboardParser
import java.io.File
@@ -56,31 +52,6 @@ class PayMvQrFragment : Fragment() {
private var generateJob: Job? = null
private val dropdownProfileImageCache = mutableMapOf<String, Bitmap>()
private val qrLauncher = registerForActivityResult(ActivityResultContracts.StartActivityForResult()) { result ->
if (result.resultCode != Activity.RESULT_OK) return@registerForActivityResult
val raw = result.data?.getStringExtra(QrScannerActivity.EXTRA_QR_CONTENT) ?: return@registerForActivityResult
// BML card/gateway QR — hand off to dedicated payment screen
val bmlUrl = PaymvQrParser.extractBmlGatewayUrl(raw)
if (raw.startsWith("https://ebanking.bankofmaldives.com.mv/qrpay/") || bmlUrl != null) {
(requireActivity() as HomeActivity).navigateTo(R.id.nav_transfer, TransferFragment.newInstanceFromBmlQr(bmlUrl ?: raw))
return@registerForActivityResult
}
val qr = PaymvQrParser.parse(raw)
if (qr == null || qr.accountNumber == null) {
Toast.makeText(requireContext(), R.string.transfer_qr_invalid, Toast.LENGTH_SHORT).show()
return@registerForActivityResult
}
val activity = requireActivity() as HomeActivity
activity.navigateTo(R.id.nav_transfer, TransferFragment.newInstanceFromQr(
accountNumber = qr.accountNumber,
displayName = qr.merchantName ?: qr.accountNumber,
amount = qr.amount,
remarks = qr.purpose
))
}
override fun onCreateView(
inflater: LayoutInflater, container: ViewGroup?, savedInstanceState: Bundle?
): View {
@@ -106,7 +77,7 @@ class PayMvQrFragment : Fragment() {
binding.btnShare.setOnClickListener { shareQr() }
binding.btnSave.setOnClickListener { saveQr() }
binding.btnScanQr.setOnClickListener {
qrLauncher.launch(Intent(requireContext(), QrScannerActivity::class.java))
(requireActivity() as HomeActivity).navigateTo(R.id.nav_transfer, TransferFragment.newInstanceWithAutoScan())
}
}
@@ -124,6 +95,20 @@ class PayMvQrFragment : Fragment() {
selectedAccount = picked
scheduleGenerate()
}
// Auto-select default account if none is selected yet
if (selectedAccount == null) {
val defaultNum = CredentialStore(requireContext()).getDefaultAccountNumber()
if (defaultNum != null) {
val defaultAcc = eligible.firstOrNull { it.accountNumber == defaultNum }
if (defaultAcc != null) {
selectedAccount = defaultAcc
val prefix = if (defaultAcc.bank == "BML" && defaultAcc.profileName.isNotBlank()) "${defaultAcc.profileName} · " else ""
binding.actvAccount.setText("$prefix${defaultAcc.accountBriefName}", false)
scheduleGenerate()
}
}
}
}
}
@@ -3,6 +3,7 @@ package sh.sar.basedbank.ui.home
import android.app.Activity
import android.content.Context
import android.content.Intent
import androidx.activity.result.contract.ActivityResultContracts
import android.graphics.Color
import android.graphics.drawable.GradientDrawable
import android.os.Bundle
@@ -13,7 +14,6 @@ import android.widget.ImageView
import android.widget.LinearLayout
import android.widget.TextView
import android.widget.Toast
import androidx.activity.result.contract.ActivityResultContracts
import android.view.animation.AccelerateInterpolator
import android.view.animation.DecelerateInterpolator
import androidx.core.view.ViewCompat
@@ -24,12 +24,29 @@ import androidx.fragment.app.activityViewModels
import androidx.recyclerview.widget.LinearLayoutManager
import androidx.recyclerview.widget.PagerSnapHelper
import androidx.recyclerview.widget.RecyclerView
import android.animation.ValueAnimator
import android.graphics.Canvas
import android.graphics.Paint
import android.graphics.RectF
import android.view.Gravity
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.lifecycle.lifecycleScope
import com.google.android.material.button.MaterialButton
import com.google.android.material.color.MaterialColors
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.launch
import kotlinx.coroutines.withContext
import sh.sar.basedbank.BasedBankApp
import sh.sar.basedbank.R
import sh.sar.basedbank.api.bml.BmlTapToPayClient
import sh.sar.basedbank.nfc.BmlHostCardEmulatorService
import sh.sar.basedbank.api.mib.MibCard
import sh.sar.basedbank.databinding.FragmentCardsBinding
import sh.sar.basedbank.util.CardsCache
import sh.sar.basedbank.util.CredentialStore
import sh.sar.basedbank.util.Totp
import sh.sar.basedbank.util.bmlapi.BmlCardParser
import sh.sar.basedbank.util.PaymvQrParser
import kotlin.math.abs
@@ -43,9 +60,41 @@ class CardsFragment : Fragment() {
private var cards: List<CardItem> = emptyList()
private var currentCardPosition: Int = 0
private var cardWidth: Int = 0
private var pendingQrAccountNumber: String? = null
private var pendingQrCardNumber: String? = null
private var isManageMode: Boolean = false
private val qrLauncher = registerForActivityResult(ActivityResultContracts.StartActivityForResult()) { result ->
if (result.resultCode != Activity.RESULT_OK) return@registerForActivityResult
val raw = result.data?.getStringExtra(QrScannerActivity.EXTRA_QR_CONTENT) ?: return@registerForActivityResult
val cardNumber = pendingQrCardNumber.also { pendingQrCardNumber = null }
val bmlUrl = PaymvQrParser.extractBmlGatewayUrl(raw)
if (raw.startsWith("https://ebanking.bankofmaldives.com.mv/qrpay/") || bmlUrl != null) {
(requireActivity() as HomeActivity).navigateTo(
R.id.nav_transfer, TransferFragment.newInstanceFromBmlQr(bmlUrl ?: raw, cardNumber)
)
} else {
val qr = PaymvQrParser.parse(raw)
if (qr?.accountNumber != null) {
Toast.makeText(requireContext(), R.string.card_qr_paymv_unsupported, Toast.LENGTH_SHORT).show()
val defaultFrom = store.getDefaultAccountNumber()
(requireActivity() as HomeActivity).navigateTo(
R.id.nav_transfer, TransferFragment.newInstanceFromQr(
accountNumber = qr.accountNumber,
displayName = qr.merchantName ?: qr.accountNumber,
amount = qr.amount,
remarks = qr.purpose,
fromAccountNumber = defaultFrom
)
)
} else {
Toast.makeText(requireContext(), R.string.transfer_qr_invalid, Toast.LENGTH_SHORT).show()
}
}
}
private var isTapMode: Boolean = false
private var tapAnimView: NfcTapAnimationView? = null
private var autoTapModeTriggered = false
// Carousel snapshot captured on enter, used to reverse the exit animation
private var carouselCardLayoutTop = 0f // card layout top relative to contentLayout
private var carouselCardCenterX = 0f // card center X relative to contentLayout
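Review bot: `pendingQrCardNumber` is a plain field that the `qrLauncher` callback reads and clears, so if the fragment is recreated while `QrScannerActivity` is in front, the callback sees `null` and `newInstanceFromBmlQr(bmlUrl ?: raw, cardNumber)` silently drops the card the user picked. Save it in `onSaveInstanceState`, or carry it through the scanner intent and read it back from the result. In the PayMV fallback, `accountNumber`, `amount` and `purpose` come directly from the scanned QR, so the transfer screen should keep requiring explicit confirmation of the prefilled values.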
@@ -58,20 +107,6 @@ class CardsFragment : Fragment() {
private lateinit var stackAdapter: CardStackAdapter
private val store by lazy { CredentialStore(requireContext()) }
private val qrLauncher = registerForActivityResult(ActivityResultContracts.StartActivityForResult()) { result ->
if (result.resultCode != Activity.RESULT_OK) return@registerForActivityResult
val raw = result.data?.getStringExtra(QrScannerActivity.EXTRA_QR_CONTENT) ?: return@registerForActivityResult
val bmlUrl = PaymvQrParser.extractBmlGatewayUrl(raw)
if (raw.startsWith("https://ebanking.bankofmaldives.com.mv/qrpay/") || bmlUrl != null) {
(requireActivity() as HomeActivity).navigateTo(
R.id.nav_transfer, TransferFragment.newInstanceFromBmlQr(bmlUrl ?: raw, pendingQrAccountNumber)
)
} else {
Toast.makeText(requireContext(), R.string.transfer_qr_invalid, Toast.LENGTH_SHORT).show()
}
pendingQrAccountNumber = null
}
override fun onCreateView(inflater: LayoutInflater, container: ViewGroup?, savedInstanceState: Bundle?): View {
_binding = FragmentCardsBinding.inflate(inflater, container, false)
return binding.root
@@ -136,7 +171,7 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
// Swipe-down on the manage card to dismiss manage mode
binding.manageCardView.root.setOnTouchListener { _, event ->
if (!isManageMode) return@setOnTouchListener false
if (!isManageMode && !isTapMode) return@setOnTouchListener false
val mgr = binding.manageCardView.root
when (event.action) {
android.view.MotionEvent.ACTION_DOWN -> {
@@ -163,7 +198,7 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
val dy = (event.rawY - swipeDragStartRawY).coerceAtLeast(0f)
swipeIsDragging = false
if (dy > 130f) {
setManageMode(false)
if (isTapMode) setTapMode(false) else setManageMode(false)
} else {
// Snap back
mgr.animate().translationY(0f).scaleX(1f).scaleY(1f)
@@ -183,7 +218,7 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
if (item is CardItem.Mib) {
Toast.makeText(requireContext(), R.string.mib_qr_nfc_not_supported, Toast.LENGTH_SHORT).show()
} else {
pendingQrAccountNumber = (item as CardItem.Bml).account.accountNumber
pendingQrCardNumber = (item as CardItem.Bml).account.accountNumber
qrLauncher.launch(Intent(requireContext(), QrScannerActivity::class.java))
}
}
@@ -192,8 +227,17 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
binding.btnTapToPay.isEnabled = nfcAvailable
binding.btnTapToPay.setOnClickListener {
val item = cards.getOrNull(currentCardPosition) ?: return@setOnClickListener
val msg = if (item is CardItem.Mib) R.string.mib_qr_nfc_not_supported else R.string.work_in_progress
Toast.makeText(requireContext(), msg, Toast.LENGTH_SHORT).show()
if (item is CardItem.Mib) {
Toast.makeText(requireContext(), R.string.mib_qr_nfc_not_supported, Toast.LENGTH_SHORT).show()
return@setOnClickListener
}
val bmlItem = item as CardItem.Bml
val prefs = requireContext().getSharedPreferences("prefs", Context.MODE_PRIVATE)
if (prefs.getBoolean("biometrics_transfer_confirm", false)) {
showBiometricPromptForTap(bmlItem)
} else {
setTapMode(true, bmlItem)
}
}
val wip = View.OnClickListener {
@@ -254,6 +298,7 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
binding.llPayButtons.visibility = View.GONE
binding.llManageButtons.visibility = View.VISIBLE
binding.llDefaultCardRow.visibility = View.VISIBLE
binding.llHideDashboardRow.visibility = View.VISIBLE
binding.manageCardView.root.visibility = View.VISIBLE
// Set switch state (clear listener first to avoid triggering on programmatic set)
@@ -274,6 +319,17 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
}
}
val accountNumber = (item as? CardItem.Bml)?.account?.accountNumber
?: (item as? CardItem.Mib)?.card?.maskedCardNumber
binding.switchHideFromDashboard.setOnCheckedChangeListener(null)
binding.switchHideFromDashboard.isChecked = accountNumber != null &&
store.getHiddenDashboardCardNumbers().contains(accountNumber)
binding.switchHideFromDashboard.setOnCheckedChangeListener { _, isChecked ->
if (accountNumber != null) {
store.setCardHiddenFromDashboard(accountNumber, isChecked)
}
}
// After layout pass, compute offsets, save carousel snapshot, and animate
binding.contentLayout.doOnNextLayout {
val mgr = binding.manageCardView.root
@@ -365,7 +421,9 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
binding.llPayButtons.visibility = View.VISIBLE
binding.llManageButtons.visibility = View.GONE
binding.llDefaultCardRow.visibility = View.GONE
binding.llHideDashboardRow.visibility = View.GONE
binding.switchDefaultCard.setOnCheckedChangeListener(null)
binding.switchHideFromDashboard.setOnCheckedChangeListener(null)
buildDots(cards.size, currentCardPosition)
}
.start()
@@ -378,6 +436,236 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
.start()
}
// ── Tap-to-pay mode ────────────────────────────────────────────────────────
private fun setTapMode(enabled: Boolean, item: CardItem.Bml? = null) {
isTapMode = enabled
requireActivity().title = getString(if (enabled) R.string.card_pay_nfc else R.string.nav_pay_with_card)
if (enabled) enterTapMode(item!!) else exitTapMode()
}
private fun showBiometricPromptForTap(item: CardItem.Bml) {
val bmgr = BiometricManager.from(requireContext())
if (bmgr.canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG) != BiometricManager.BIOMETRIC_SUCCESS) {
setTapMode(true, item)
return
}
val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(requireContext()),
object : BiometricPrompt.AuthenticationCallback() {
override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
setTapMode(true, item)
}
override fun onAuthenticationError(errorCode: Int, errString: CharSequence) { }
})
prompt.authenticate(
BiometricPrompt.PromptInfo.Builder()
.setTitle(getString(R.string.card_pay_nfc))
.setSubtitle(item.account.accountBriefName)
.setNegativeButtonText(getString(R.string.cancel))
.build()
)
}
private fun enterTapMode(item: CardItem.Bml) {
// Bind card data to the shared manage card view
val cv = binding.manageCardView
cv.tvCardOwner.text = item.account.accountBriefName
cv.tvCardNumber.text = formatMasked(item.account.accountNumber)
loadCardImage(cv.ivCardImage, BmlCardParser.cardImageAsset(item.account))
val isActive = item.account.statusDesc.equals("Active", ignoreCase = true)
bindCardStatus(cv.tvCardStatus, item.account.statusDesc.takeUnless { isActive })
cv.root.alpha = if (isActive) 1f else 0.45f
// Snapshot carousel card position before layout changes (for animation)
val contentLoc = IntArray(2).also { binding.contentLayout.getLocationOnScreen(it) }
val lm = binding.rvCards.layoutManager as? LinearLayoutManager
val srcView = lm?.findViewByPosition(currentCardPosition)
val srcLoc = IntArray(2).also {
srcView?.getLocationOnScreen(it) ?: run { it[0] = contentLoc[0]; it[1] = contentLoc[1] }
}
val srcScreenTop = (srcLoc[1] - contentLoc[1]).toFloat()
val srcCenterX = (srcLoc[0] - contentLoc[0]).toFloat() + cardWidth / 2f
val textLoc = IntArray(2).also { binding.tvSelectedCardType.getLocationOnScreen(it) }
val textSrcScreenTop = (textLoc[1] - contentLoc[1]).toFloat()
carouselCardLayoutTop = srcScreenTop
carouselCardCenterX = srcCenterX
carouselTextLayoutTop = textSrcScreenTop
// Apply layout changes
binding.btnManageCard.visibility = View.GONE
binding.topSpacer.visibility = View.GONE
binding.rvCards.visibility = View.GONE
binding.pageIndicator.visibility = View.GONE
binding.divider.visibility = View.GONE
binding.llPayButtons.visibility = View.GONE
binding.llManageButtons.visibility = View.GONE
binding.llDefaultCardRow.visibility = View.GONE
binding.manageCardView.root.visibility = View.VISIBLE
binding.flTapMode.visibility = View.VISIBLE
// Build tap mode content: animation view + cancel button
binding.flTapMode.removeAllViews()
val animView = NfcTapAnimationView(requireContext())
tapAnimView = animView
val dp = resources.displayMetrics.density
val cancelBtn = MaterialButton(requireContext(), null,
com.google.android.material.R.attr.materialButtonOutlinedStyle
).apply { setText(R.string.cancel); setOnClickListener { setTapMode(false) } }
val cancelWrapper = LinearLayout(requireContext()).apply {
orientation = LinearLayout.VERTICAL
gravity = Gravity.CENTER_HORIZONTAL
setPadding(0, 0, 0, (24 * dp).toInt())
addView(cancelBtn)
}
val container = LinearLayout(requireContext()).apply {
orientation = LinearLayout.VERTICAL
layoutParams = ViewGroup.LayoutParams(ViewGroup.LayoutParams.MATCH_PARENT, ViewGroup.LayoutParams.MATCH_PARENT)
addView(View(requireContext()).apply { // spacer pushes content below card
layoutParams = LinearLayout.LayoutParams(LinearLayout.LayoutParams.MATCH_PARENT, 0, 1f)
})
addView(animView.apply {
layoutParams = LinearLayout.LayoutParams(LinearLayout.LayoutParams.MATCH_PARENT, 0, 3f)
})
addView(cancelWrapper.apply {
layoutParams = LinearLayout.LayoutParams(LinearLayout.LayoutParams.MATCH_PARENT, LinearLayout.LayoutParams.WRAP_CONTENT)
})
}
binding.flTapMode.addView(container)
// Animate card up from carousel position (same as manage mode)
binding.contentLayout.doOnNextLayout {
val mgr = binding.manageCardView.root
val dstLoc = IntArray(2).also { mgr.getLocationOnScreen(it) }
val dstTop = (dstLoc[1] - contentLoc[1]).toFloat()
val dstCenterX = (dstLoc[0] - contentLoc[0]).toFloat() + mgr.width / 2f
mgr.pivotX = mgr.width / 2f
mgr.pivotY = 0f
mgr.scaleX = if (mgr.width > 0) cardWidth.toFloat() / mgr.width.toFloat() else 1f
mgr.scaleY = mgr.scaleX
mgr.translationX = srcCenterX - dstCenterX
mgr.translationY = srcScreenTop - dstTop
mgr.animate()
.scaleX(1f).scaleY(1f)
.translationX(0f).translationY(0f)
.setDuration(380).setInterpolator(DecelerateInterpolator()).start()
val textDstLoc = IntArray(2).also { binding.tvSelectedCardType.getLocationOnScreen(it) }
binding.tvSelectedCardType.translationY = textSrcScreenTop - (textDstLoc[1] - contentLoc[1]).toFloat()
binding.tvSelectedCardType.animate()
.translationY(0f)
.setDuration(380).setInterpolator(DecelerateInterpolator()).start()
}
fetchAndArmToken(item)
}
private fun exitTapMode() {
tapAnimView?.stopAnimation()
tapAnimView = null
BmlHostCardEmulatorService.clearToken()
BmlHostCardEmulatorService.onTransactionComplete = null
binding.manageCardView.root.animate().cancel()
binding.tvSelectedCardType.animate().cancel()
val mgr = binding.manageCardView.root
val contentLoc = IntArray(2).also { binding.contentLayout.getLocationOnScreen(it) }
val mgrLoc = IntArray(2).also { mgr.getLocationOnScreen(it) }
val mgrLayoutTop = (mgrLoc[1] - contentLoc[1]).toFloat() - mgr.translationY
val mgrLayoutCenterX = (mgrLoc[0] - contentLoc[0]).toFloat() - mgr.translationX + mgr.width / 2f
val textLoc = IntArray(2).also { binding.tvSelectedCardType.getLocationOnScreen(it) }
val textLayoutTop = (textLoc[1] - contentLoc[1]).toFloat() - binding.tvSelectedCardType.translationY
mgr.pivotX = mgr.width / 2f
mgr.pivotY = 0f
mgr.animate()
.scaleX(if (mgr.width > 0) cardWidth.toFloat() / mgr.width.toFloat() else 1f)
.scaleY(if (mgr.width > 0) cardWidth.toFloat() / mgr.width.toFloat() else 1f)
.translationX(carouselCardCenterX - mgrLayoutCenterX)
.translationY(carouselCardLayoutTop - mgrLayoutTop)
.setDuration(320)
.setInterpolator(AccelerateInterpolator())
.withEndAction {
mgr.scaleX = 1f; mgr.scaleY = 1f
mgr.translationX = 0f; mgr.translationY = 0f
mgr.visibility = View.GONE
binding.tvSelectedCardType.translationY = 0f
binding.flTapMode.visibility = View.GONE
binding.flTapMode.removeAllViews()
binding.btnManageCard.visibility = View.VISIBLE
binding.topSpacer.visibility = View.VISIBLE
binding.rvCards.visibility = View.VISIBLE
binding.divider.visibility = View.VISIBLE
binding.llPayButtons.visibility = View.VISIBLE
buildDots(cards.size, currentCardPosition)
}
.start()
binding.tvSelectedCardType.animate()
.translationY(carouselTextLayoutTop - textLayoutTop)
.setDuration(320)
.setInterpolator(AccelerateInterpolator())
.withEndAction { binding.tvSelectedCardType.translationY = 0f }
.start()
}
private fun fetchAndArmToken(item: CardItem.Bml) {
val app = requireActivity().application as BasedBankApp
viewLifecycleOwner.lifecycleScope.launch {
val loginId = item.account.loginTag.removePrefix("bml_")
val session = app.bmlSessionFor(item.account)
val otpSeed = CredentialStore(requireContext()).loadBmlCredentials(loginId)?.otpSeed
if (session == null || otpSeed == null) {
if (isTapMode) {
Toast.makeText(requireContext(),
if (session == null) getString(R.string.transfer_session_unavailable)
else "OTP unavailable",
Toast.LENGTH_SHORT).show()
setTapMode(false)
}
return@launch
}
(activity as? HomeActivity)?.setRefreshing(true)
val otp = Totp.generate(otpSeed)
val result = withContext(Dispatchers.IO) {
runCatching { BmlTapToPayClient().fetchTokens(session, item.account.internalId, otp) }
}
(activity as? HomeActivity)?.setRefreshing(false)
val token = result.getOrNull()?.firstOrNull()
if (!isTapMode) return@launch // user cancelled while we were fetching
if (token == null) {
if (isTapMode) {
Toast.makeText(requireContext(),
result.exceptionOrNull()?.message ?: "Failed to get payment token",
Toast.LENGTH_SHORT).show()
setTapMode(false)
}
return@launch
}
BmlHostCardEmulatorService.setToken(token)
BmlHostCardEmulatorService.onTransactionComplete = { success ->
view?.post {
if (!isTapMode) return@post
setTapMode(false)
if (success) Toast.makeText(requireContext(), "Payment complete", Toast.LENGTH_SHORT).show()
}
}
}
}
private fun rebuildCards() {
// Remember which card is currently selected by identity so we can restore position after reorder
val currentCard = cards.getOrNull(currentCardPosition)
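Review bot: `showBiometricPromptForTap` fails open: when `canAuthenticate(BIOMETRIC_STRONG)` returns anything other than `BIOMETRIC_SUCCESS` it calls `setTapMode(true, item)`, so a user who turned on `biometrics_transfer_confirm` gets a payment token armed with no authentication whenever biometrics are not enrolled or not available. Fall back to device credential or refuse to enter tap mode, and report `onAuthenticationError` to the user instead of leaving it empty. In `fetchAndArmToken`, the `runCatching` inside `withContext` also swallows `CancellationException`, the raw `exceptionOrNull()?.message` is shown in a toast, and "OTP unavailable", "Failed to get payment token" and "Payment complete" should be string resources like the other messages.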
@@ -412,6 +700,30 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
buildDots(cards.size, currentCardPosition)
updateCardInfo(currentCardPosition)
}
// Auto-enter tap mode when launched from shortcut, NFC prompt, or dashboard
if (!autoTapModeTriggered && arguments?.getBoolean(ARG_AUTO_TAP_MODE) == true) {
val targetAccount = arguments?.getString(ARG_AUTO_TAP_ACCOUNT)
val targetCard = if (targetAccount != null)
cards.filterIsInstance<CardItem.Bml>().firstOrNull { it.account.accountNumber == targetAccount }
else
cards.filterIsInstance<CardItem.Bml>().firstOrNull()
if (targetCard != null) {
autoTapModeTriggered = true
// Scroll to the target card first
val pos = cards.indexOf(targetCard)
if (pos >= 0) {
currentCardPosition = pos
binding.rvCards.scrollToPosition(pos)
}
val prefs = requireContext().getSharedPreferences("prefs", Context.MODE_PRIVATE)
if (prefs.getBoolean("biometrics_transfer_confirm", false)) {
showBiometricPromptForTap(targetCard)
} else {
setTapMode(true, targetCard)
}
}
}
}
private fun applyCardScales() {
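Review bot: `autoTapModeTriggered` is an in-memory flag while `ARG_AUTO_TAP_MODE` stays in `arguments`, so after the fragment is recreated this block runs again and re-enters tap mode, fetching a fresh token without a new user action. Keep the flag in saved instance state or clear the argument once it has been consumed. When no `ARG_AUTO_TAP_ACCOUNT` is supplied the code takes the first `CardItem.Bml` without checking `statusDesc`, unlike the dashboard list, which filters on "Active". The `biometrics_transfer_confirm` branch also duplicates the one in the `btnTapToPay` listener and belongs in a shared helper.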
@@ -433,7 +745,7 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
}
private fun buildDots(count: Int, selected: Int) {
if (isManageMode) return
if (isManageMode || isTapMode) return
binding.pageIndicator.removeAllViews()
if (count <= 1) {
binding.pageIndicator.visibility = View.GONE
@@ -469,6 +781,10 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
}
fun onBackPressed(): Boolean {
if (isTapMode) {
setTapMode(false)
return true
}
if (isManageMode) {
setManageMode(false)
return true
@@ -476,12 +792,24 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
return false
}
override fun onPause() {
super.onPause()
if (isTapMode) {
BmlHostCardEmulatorService.clearToken()
BmlHostCardEmulatorService.onTransactionComplete = null
}
}
override fun onResume() {
super.onResume()
requireActivity().title = getString(R.string.nav_pay_with_card)
}
override fun onDestroyView() {
tapAnimView?.stopAnimation()
tapAnimView = null
BmlHostCardEmulatorService.clearToken()
BmlHostCardEmulatorService.onTransactionComplete = null
super.onDestroyView()
_binding = null
}
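Review bot: `onPause` clears the token but leaves `isTapMode` true, so a `fetchAndArmToken` call still in flight passes its `if (!isTapMode) return@launch` check and calls `BmlHostCardEmulatorService.setToken(token)` after the fragment has been paused. On resume the tap UI is also still showing with no token armed. Call `setTapMode(false)` here, or cancel the fetch job and re-arm explicitly in `onResume`. `onResume` also resets the title to `nav_pay_with_card` even when tap mode is still active.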
@@ -543,7 +871,103 @@ ViewCompat.setOnApplyWindowInsetsListener(binding.contentLayout) { v, insets ->
}
}
// ── NFC animation view ─────────────────────────────────────────────────────
private inner class NfcTapAnimationView(context: Context) : View(context) {
private val paint = Paint(Paint.ANTI_ALIAS_FLAG)
private val animator = ValueAnimator.ofFloat(0f, 1f).apply {
duration = 1600
repeatCount = ValueAnimator.INFINITE
repeatMode = ValueAnimator.RESTART
addUpdateListener { invalidate() }
start()
}
fun stopAnimation() = animator.cancel()
override fun onDraw(canvas: Canvas) {
val w = width.toFloat(); val h = height.toFloat()
if (w <= 0f || h <= 0f) return
val dp = resources.displayMetrics.density
val progress = animator.animatedFraction
val cx = w / 2f; val cy = h / 2f + 24 * dp
val colorOnSurface = MaterialColors.getColor(this,
com.google.android.material.R.attr.colorOnSurface, android.graphics.Color.BLACK)
val colorPrimary = MaterialColors.getColor(this,
com.google.android.material.R.attr.colorPrimary, android.graphics.Color.BLUE)
val colorSurfaceVariant = MaterialColors.getColor(this,
com.google.android.material.R.attr.colorSurfaceVariant, android.graphics.Color.LTGRAY)
// POS terminal (top center)
val posW = 44 * dp; val posH = 72 * dp
val posX = cx - posW / 2f; val posY = cy - 170 * dp
// Phone (bottom center)
val phoneW = 52 * dp; val phoneH = 90 * dp
val phoneX = cx - phoneW / 2f; val phoneY = cy + 30 * dp
// POS terminal body
paint.style = Paint.Style.FILL; paint.color = colorSurfaceVariant
canvas.drawRoundRect(posX, posY, posX + posW, posY + posH, 7 * dp, 7 * dp, paint)
paint.style = Paint.Style.STROKE; paint.strokeWidth = 2.5f * dp; paint.color = colorOnSurface
canvas.drawRoundRect(posX, posY, posX + posW, posY + posH, 7 * dp, 7 * dp, paint)
// POS screen
paint.style = Paint.Style.FILL; paint.color = colorPrimary; paint.alpha = 70
canvas.drawRoundRect(posX + 4 * dp, posY + 6 * dp,
posX + posW - 4 * dp, posY + posH * 0.45f, 4 * dp, 4 * dp, paint)
paint.alpha = 255
// POS card slot
paint.style = Paint.Style.STROKE; paint.strokeWidth = 2 * dp; paint.color = colorOnSurface
canvas.drawLine(posX + 6 * dp, posY + posH * 0.72f, posX + posW - 6 * dp, posY + posH * 0.72f, paint)
// Phone body
paint.style = Paint.Style.FILL; paint.color = colorSurfaceVariant
canvas.drawRoundRect(phoneX, phoneY, phoneX + phoneW, phoneY + phoneH, 8 * dp, 8 * dp, paint)
paint.style = Paint.Style.STROKE; paint.strokeWidth = 2.5f * dp; paint.color = colorOnSurface
canvas.drawRoundRect(phoneX, phoneY, phoneX + phoneW, phoneY + phoneH, 8 * dp, 8 * dp, paint)
// Phone screen
paint.style = Paint.Style.FILL; paint.color = colorPrimary; paint.alpha = 70
canvas.drawRoundRect(phoneX + 4 * dp, phoneY + 10 * dp,
phoneX + phoneW - 4 * dp, phoneY + phoneH - 15 * dp, 4 * dp, 4 * dp, paint)
paint.alpha = 255
// Animated NFC rings originating from phone top, travelling upward toward POS
val gapTop = posY + posH + 4 * dp
val originY = phoneY
val maxR = (originY - gapTop) - 4 * dp
paint.style = Paint.Style.STROKE; paint.strokeWidth = 3 * dp
for (i in 0..2) {
val p = ((progress + i / 3f) % 1f)
val r = (p * maxR + 6 * dp).coerceAtMost(maxR)
paint.color = colorPrimary; paint.alpha = ((1f - p) * 200).toInt().coerceIn(0, 255)
canvas.drawArc(RectF(cx - r, originY - r, cx + r, originY + r), -160f, 140f, false, paint)
}
paint.alpha = 255
// Label
paint.style = Paint.Style.FILL; paint.color = colorOnSurface; paint.alpha = 160
paint.textSize = 15 * dp; paint.textAlign = Paint.Align.CENTER
canvas.drawText(context.getString(R.string.card_pay_nfc), cx, phoneY + phoneH + 28 * dp, paint)
paint.alpha = 255; paint.textAlign = Paint.Align.LEFT
}
}
companion object {
private const val ARG_AUTO_TAP_MODE = "auto_tap_mode"
private const val ARG_AUTO_TAP_ACCOUNT = "auto_tap_account"
fun newInstanceWithAutoTapMode(accountNumber: String? = null) = CardsFragment().apply {
arguments = Bundle().apply {
putBoolean(ARG_AUTO_TAP_MODE, true)
if (accountNumber != null) putString(ARG_AUTO_TAP_ACCOUNT, accountNumber)
}
}
fun cardImageAsset(card: MibCard): String? = when (card.cardType) {
"51" -> "cards/mib/faisa_card.png"
"53" -> "cards/mib/visa_black_platinum.png"
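Review bot: `NfcTapAnimationView.onDraw` allocates a `RectF` per ring and resolves three theme colours through `MaterialColors.getColor` on every frame of an infinite animation; hoist the `RectF` and the colours into fields. The animator starts in the property initialiser and is only stopped through `stopAnimation()`, so overriding `onDetachedFromWindow` to cancel it would cover any path that removes the view without going through `exitTapMode` or `onDestroyView`.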
@@ -95,6 +95,7 @@ class TransferFragment : Fragment() {
// BML QR merchant payment mode (set when navigated from a card QR scan)
private var bmlQrInfo: BmlQrPayInfo? = null
private var bmlGatewayQr = false // true for pay.bml.com.mv QRs (requires pre-initiate step)
private var bmlQrLookupAttempted = false // prevents re-lookup after user clears the merchant
private val dropdownProfileImageCache = mutableMapOf<String, Bitmap>()
// BML business profile OTP flow state
@@ -139,6 +140,28 @@ class TransferFragment : Fragment() {
Toast.makeText(requireContext(), R.string.transfer_qr_invalid, Toast.LENGTH_SHORT).show()
return@registerForActivityResult
}
// Cards can't pay PayMV QR — fall back to default account or clear selection
val isCard = selectedAccount?.let {
it.profileType == "BML_PREPAID" || it.profileType == "BML_CREDIT" || it.profileType == "BML_DEBIT"
} ?: false
if (isCard) {
Toast.makeText(requireContext(), R.string.card_qr_paymv_unsupported, Toast.LENGTH_SHORT).show()
val defaultNum = CredentialStore(requireContext()).getDefaultAccountNumber()
val defaultAcc = defaultNum?.let { num -> viewModel.accounts.value?.firstOrNull { it.accountNumber == num } }
selectedAccount = defaultAcc
binding.tilAmount.prefixText = null
if (defaultAcc != null) {
updateAmountPrefix(defaultAcc)
showFromCard(defaultAcc)
} else {
binding.cardFromInfo.visibility = View.GONE
binding.tilFrom.visibility = View.VISIBLE
binding.actvFrom.setText("", false)
}
updateTransferButton()
}
if (qr.amount != null) binding.etAmount.setText(qr.amount)
if (qr.purpose != null) binding.etRemarks.setText(qr.purpose)
prefillToFromContact(qr.accountNumber, "")
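Review bot: In the isCard branch, the account read from CredentialStore.getDefaultAccountNumber() is assigned to selectedAccount without checking that it is not itself a BML_PREPAID, BML_CREDIT or BML_DEBIT profile, so the fallback can land on another card that cannot pay a PayMV QR. Apply the same profileType test to defaultAcc before using it, and consider moving the three-literal check into one helper so it cannot drift. The toast only says the card is unsupported; it would help to name the account that was selected instead, since the source of funds changes without any action by the user.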
@@ -191,13 +214,15 @@ class TransferFragment : Fragment() {
accountNumber: String,
displayName: String,
amount: String?,
remarks: String?
remarks: String?,
fromAccountNumber: String? = null
) = TransferFragment().apply {
arguments = Bundle().apply {
putString(ARG_ACCOUNT, accountNumber)
putString(ARG_NAME, displayName)
putString(ARG_SUBTITLE, accountNumber)
putString(ARG_COLOR, "#607D8B")
if (fromAccountNumber != null) putString(ARG_FROM_ACCOUNT, fromAccountNumber)
if (amount != null) putString(ARG_AMOUNT_PREFILL, amount)
if (remarks != null) putString(ARG_REMARKS_PREFILL, remarks)
}
@@ -221,6 +246,10 @@ class TransferFragment : Fragment() {
childFragmentManager.setFragmentResultListener(ContactPickerSheetFragment.REQUEST_KEY, viewLifecycleOwner) { _, bundle ->
val accountNumber = bundle.getString(ContactPickerSheetFragment.KEY_ACCOUNT_NUMBER) ?: return@setFragmentResultListener
if (accountNumber.startsWith("bmlqr:")) {
lookupBmlQrMerchant(accountNumber.removePrefix("bmlqr:"))
return@setFragmentResultListener
}
val label = bundle.getString(ContactPickerSheetFragment.KEY_LABEL) ?: ""
val subtitle = bundle.getString(ContactPickerSheetFragment.KEY_SUBTITLE) ?: accountNumber
val colorHex = bundle.getString(ContactPickerSheetFragment.KEY_COLOR) ?: "#607D8B"
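Review bot: Everything after the bmlqr: prefix is handed to lookupBmlQrMerchant() as a URL with no check on its scheme or host. This value now round-trips through RecentsCache, so treat it as untrusted when it comes back: parse it, require https and a host the app expects, and ignore the pick otherwise. The literal bmlqr: also appears where the recent is saved; a shared constant would keep the two sides in sync.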
@@ -268,6 +297,7 @@ class TransferFragment : Fragment() {
}
private fun lookupBmlQrMerchant(qrUrl: String) {
bmlQrLookupAttempted = true
bmlGatewayQr = qrUrl.startsWith("https://pay.bml.com.mv/app/")
val base64Url = android.util.Base64.encodeToString(
qrUrl.toByteArray(Charsets.UTF_8), android.util.Base64.NO_WRAP)
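Review bot: bmlQrLookupAttempted is set to true on entry, before the lookup has returned anything. A lookup that fails for a transient reason therefore counts as attempted, and the cold-start retry added later in this commit will not run again. Set the flag once a result is in hand, or reset it on failure, if the intent is only to avoid repeating a lookup the user dismissed.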
@@ -292,6 +322,16 @@ class TransferFragment : Fragment() {
return@launch
}
bmlQrInfo = info
if (info.amount == 0.0) {
RecentsCache.save(requireContext(), RecentPick(
accountNumber = "bmlqr:$qrUrl",
displayName = info.merchantName,
subtitle = info.merchantAddress.ifBlank { "BML Merchant" },
colorHex = "#0066A1",
imageHash = null,
isProfileImage = false
))
}
// Auto-select the user's default BML card if no card was pre-selected
if (selectedAccount == null) {
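Review bot: The new block stores the full scanned URL in RecentsCache as bmlqr:$qrUrl. If these URLs can carry anything beyond a merchant identifier, that data now persists on the device for as long as the recent does; storing only the fields needed to repeat the lookup would be safer. Two smaller points: info.amount == 0.0 is an exact floating-point comparison standing in for "static QR", which an explicit flag on BmlQrPayInfo would express more clearly, and requireContext() here runs inside the coroutine after the lookup returns, so it throws if the fragment was detached in the meantime.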
@@ -398,6 +438,14 @@ class TransferFragment : Fragment() {
updateTransferButton()
}
}
// On a cold start (e.g. share intent), anyBmlSession() may be null when
// onViewCreated runs. Retry the lookup once sessions are available.
val pendingBmlQrUrl = arguments?.getString(ARG_BML_QR_URL)
if (pendingBmlQrUrl != null && !bmlQrLookupAttempted) {
val app = requireActivity().application as BasedBankApp
if (app.anyBmlSession() != null) lookupBmlQrMerchant(pendingBmlQrUrl)
}
}
}
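Review bot: The guard !bmlQrLookupAttempted relies on a plain field, while ARG_BML_QR_URL stays in the fragment arguments. After the fragment is recreated (rotation, process death) the field is false again and this block repeats the lookup, including for a merchant the user had already cleared. Persist the flag in onSaveInstanceState or remove ARG_BML_QR_URL from arguments once it has been consumed.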
@@ -573,8 +621,21 @@ class TransferFragment : Fragment() {
private fun lookupAccount() {
if (selectedAccount == null) {
Toast.makeText(requireContext(), R.string.transfer_select_source_first, Toast.LENGTH_SHORT).show()
return
val defaultNum = CredentialStore(requireContext()).getDefaultAccountNumber()
if (defaultNum != null) {
val allAccounts = viewModel.accounts.value ?: emptyList()
val defaultAcc = allAccounts.firstOrNull { it.accountNumber == defaultNum }
if (defaultAcc != null) {
selectedAccount = defaultAcc
updateAmountPrefix(defaultAcc)
showFromCard(defaultAcc)
updateTransferButton()
}
}
if (selectedAccount == null) {
Toast.makeText(requireContext(), R.string.transfer_no_from_account, Toast.LENGTH_SHORT).show()
return
}
}
val accountNumber = AccountInputParser.normalize(binding.etTo.text?.toString()?.trim() ?: "")
if (accountNumber.isBlank()) {
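Review bot: The default-account resolution in the selectedAccount == null branch repeats the steps added to the QR scan handler earlier in this file (getDefaultAccountNumber(), firstOrNull on accountNumber, updateAmountPrefix, showFromCard, updateTransferButton). Pull it into one private function that returns the resolved account so both call sites apply the same rules. A short comment that lookupAccount() may now change the source account as a side effect would also help future readers.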
@@ -857,13 +918,20 @@ class TransferFragment : Fragment() {
message: String? = null,
customView: android.view.View? = null,
biometricSubtitle: String,
onConfirmed: () -> Unit
onConfirmed: (AlertDialog, android.widget.FrameLayout) -> Unit
) {
val imm = requireContext().getSystemService(Context.INPUT_METHOD_SERVICE) as android.view.inputmethod.InputMethodManager
imm.hideSoftInputFromWindow(requireView().windowToken, 0)
val frame = android.widget.FrameLayout(requireContext())
if (customView != null) frame.addView(customView)
val builder = MaterialAlertDialogBuilder(requireContext())
.setTitle(title)
.setPositiveButton(R.string.transfer_confirm) { _, _ -> onConfirmed() }
.setNegativeButton(android.R.string.cancel, null)
if (customView != null) builder.setView(customView) else builder.setMessage(message)
.setPositiveButton(R.string.transfer_confirm, null)
.setNegativeButton(android.R.string.cancel) { d, _ -> d.dismiss() }
.setCancelable(false)
if (customView != null) builder.setView(frame) else builder.setMessage(message)
val dialog = builder.show()
val prefs = requireContext().getSharedPreferences("prefs", Context.MODE_PRIVATE)
val biometricTransferConfirm = prefs.getBoolean("biometrics_transfer_confirm", false)
@@ -874,8 +942,7 @@ class TransferFragment : Fragment() {
val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(requireContext()),
object : BiometricPrompt.AuthenticationCallback() {
override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
dialog.dismiss()
onConfirmed()
onConfirmed(dialog, frame)
}
override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
if (errorCode != BiometricPrompt.ERROR_CANCELED &&
@@ -894,6 +961,10 @@ class TransferFragment : Fragment() {
.build()
)
}
} else {
dialog.getButton(AlertDialog.BUTTON_POSITIVE).setOnClickListener {
onConfirmed(dialog, frame)
}
}
}
@@ -912,11 +983,27 @@ class TransferFragment : Fragment() {
Toast.makeText(requireContext(), R.string.transfer_missing_internal_id, Toast.LENGTH_SHORT).show()
return
}
val qrFromTypeLabel = AccountListParser.from(src)?.typeLabel
?: BmlDashboardParser.productLabel(src.accountTypeName)
val qrFromDetail = listOfNotNull("BML", qrFromTypeLabel.ifBlank { null }).joinToString(" · ")
val qrConfirmView = buildTransferConfirmView(
amountCurrency = info.currency,
amountValue = "%.2f".format(amount),
fromName = src.accountBriefName,
fromNumber = src.accountNumber,
fromDetail = qrFromDetail,
toName = info.merchantName,
toNumber = "",
toDetail = info.merchantAddress.ifBlank { "BML Merchant" }
)
showConfirmWithBiometric(
title = getString(R.string.transfer),
message = "Pay ${info.currency} ${"%.2f".format(amount)} to ${info.merchantName}?\n\nFrom: ${src.accountBriefName} · ${src.accountNumber}",
customView = qrConfirmView,
biometricSubtitle = "${info.currency} ${"%.2f".format(amount)}${info.merchantName}",
onConfirmed = { executeBmlQrPayment(src, debitAccount, info, amount) }
onConfirmed = { dialog, frame ->
showProcessingInDialog(dialog, frame)
executeBmlQrPayment(src, debitAccount, info, amount, dialog, frame)
}
)
return
}
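Review bot: amountValue and biometricSubtitle are built with "%.2f".format(amount), which uses the device's default locale, so the amount the user approves can render with a comma separator or non-Latin digits depending on settings. Use String.format(Locale.US, ...) or a single shared formatter for every amount shown in a confirmation. Also, toNumber = "" means the dialog identifies the payee only by merchantName and merchantAddress from the lookup response; if BmlQrPayInfo carries a merchant ID, showing it would give the user a more reliable identifier to check.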
@@ -971,18 +1058,17 @@ class TransferFragment : Fragment() {
val isUsdToMvr = currency.equals("USD", ignoreCase = true) && destCurrency.equals("MVR", ignoreCase = true)
val isSrcCredit = src.profileType == "BML_CREDIT"
val mainMsg = "Send $currency $amountStr to $destDisplay?\n\nFrom: ${src.accountBriefName} · ${src.accountNumber}"
val doTransfer: () -> Unit = {
val doTransfer: (AlertDialog, android.widget.FrameLayout) -> Unit = { dialog, frame ->
if (isBmlBusiness) {
// Business profile: async OTP channel selection flow
// Business profile: async OTP channel selection flow — dismiss dialog first
dialog.dismiss()
startBmlBusinessOtpFlow(
src, resolvedAccountNumber, destDisplay, amount, amountStr, remarks,
isSrcCard, isDestMib, currency, allAccounts, allContacts, capturedToAvatar
)
} else {
showProcessingInDialog(dialog, frame)
binding.btnTransfer.isEnabled = false
(activity as? HomeActivity)?.setRefreshing(true)
viewLifecycleOwner.lifecycleScope.launch {
val (ok, msg, receipt) = withContext(Dispatchers.IO) {
if (!isSrcBml) {
@@ -992,14 +1078,15 @@ class TransferFragment : Fragment() {
}
}
binding.btnTransfer.isEnabled = true
(activity as? HomeActivity)?.setRefreshing(false)
if (ok && receipt != null) {
ReceiptStore.save(requireContext(), receipt)
clearForm()
val activity = requireActivity() as HomeActivity
activity.triggerRefresh()
dialog.dismiss()
activity.showWithBackStack(TransferReceiptFragment.newInstance(receipt, capturedToAvatar))
} else if (!ok) {
dialog.dismiss()
if (msg == "CONNECTIVITY") {
(activity as? HomeActivity)?.showConnectivityBanner(getString(R.string.connectivity_no_internet))
} else {
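Review bot: dialog.dismiss() is reached only in the ok && receipt != null branch and in the !ok branch. When ok is true and receipt is null neither runs, and the dialog stays on the processing view with both buttons hidden and setCancelable(false), leaving the user no way out. Add a final else that dismisses the dialog and reports the outcome, or dismiss once before the branching.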
@@ -1010,56 +1097,202 @@ class TransferFragment : Fragment() {
}
}
val warningView: android.view.View? = if (isUsdToMvr || isSrcCredit) {
val ctx = requireContext()
val dp = resources.displayMetrics.density
LinearLayout(ctx).apply {
orientation = LinearLayout.VERTICAL
setPadding((24 * dp).toInt(), (16 * dp).toInt(), (24 * dp).toInt(), 0)
addView(TextView(ctx).apply { text = mainMsg })
if (isUsdToMvr) addView(TextView(ctx).apply {
text = "⚠ You are transferring from a USD account to an MVR account. The currency will be converted at the bank's rate and this cannot be reversed!"
setTextColor(Color.RED)
textSize = 16f
typeface = Typeface.DEFAULT_BOLD
setPadding(0, (16 * dp).toInt(), 0, 0)
})
if (isSrcCredit) addView(TextView(ctx).apply {
text = "⚠ Transferring from a credit card is treated as a cash advance. Cash advance fees will be charged on the 10th of the month."
setTextColor(Color.RED)
textSize = 16f
typeface = Typeface.DEFAULT_BOLD
setPadding(0, (16 * dp).toInt(), 0, 0)
})
val fromTypeLabel = AccountListParser.from(src)?.typeLabel
?: if (src.bank == "BML") BmlDashboardParser.productLabel(src.accountTypeName)
else src.accountTypeName.ifBlank { src.profileType }
val fromBankLabel = when (src.bank) {
"BML" -> "BML"
"FAHIPAY" -> "Fahipay"
"MIB" -> "MIB"
else -> src.bank
}
val fromDetail = listOfNotNull(fromBankLabel.ifBlank { null }, fromTypeLabel.ifBlank { null }).joinToString(" · ")
val toTypeLabel = resolvedToOwnAccount?.let { acc ->
AccountListParser.from(acc)?.typeLabel
?: if (acc.bank == "BML") BmlDashboardParser.productLabel(acc.accountTypeName)
else acc.accountTypeName.ifBlank { acc.profileType }
}
val toBankLabel = resolvedToOwnAccount?.let { acc ->
when (acc.bank) {
"BML" -> "BML"
"FAHIPAY" -> "Fahipay"
"MIB" -> "MIB"
else -> acc.bank
}
} else null
} ?: when {
bankNameCapture.equals("MALBMVMV", ignoreCase = true) -> "BML"
bankNameCapture.equals("MADVMVMV", ignoreCase = true) -> "MIB"
bankNameCapture.isNotBlank() -> bankNameCapture
isDestMib -> "MIB"
else -> when (selectedFahipayService) {
"RAASTAS" -> "Ooredoo · Raastas"
"OOREDOO_BILL" -> "Ooredoo · Bill Pay"
"DHIRAAGU_RELOAD" -> "Dhiraagu · Reload"
"DHIRAAGU_BILL" -> "Dhiraagu · Bill Pay"
else -> ""
}
}
val toDetail = listOfNotNull(toBankLabel.ifBlank { null }, toTypeLabel?.ifBlank { null }).joinToString(" · ")
val warnings = buildList {
if (isUsdToMvr) add("⚠ You are transferring from a USD account to an MVR account. The currency will be converted at the bank's rate and this cannot be reversed!")
if (isSrcCredit) add("⚠ Transferring from a credit card is treated as a cash advance. Cash advance fees will be charged on the 10th of the month.")
}
val confirmView = buildTransferConfirmView(
amountCurrency = currency,
amountValue = "%.2f".format(amount),
fromName = src.accountBriefName,
fromNumber = src.accountNumber,
fromDetail = fromDetail,
toName = destDisplay,
toNumber = resolvedAccountNumber,
toDetail = toDetail,
warningTexts = warnings
)
showConfirmWithBiometric(
title = getString(R.string.transfer),
message = if (warningView == null) mainMsg else null,
customView = warningView,
biometricSubtitle = "$currency $amountStr$destDisplay",
onConfirmed = { doTransfer() }
customView = confirmView,
biometricSubtitle = "$currency ${"%.2f".format(amount)}$destDisplay",
onConfirmed = { dialog, frame -> doTransfer(dialog, frame) }
)
}
private fun buildTransferConfirmView(
amountCurrency: String,
amountValue: String,
fromName: String,
fromNumber: String,
fromDetail: String,
toName: String,
toNumber: String,
toDetail: String,
warningTexts: List<String> = emptyList()
): android.view.View {
val ctx = requireContext()
val dp = resources.displayMetrics.density
val colorOnSurface = com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorOnSurface, Color.BLACK)
val colorMuted = com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorOnSurfaceVariant, Color.GRAY)
val colorPrimary = com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorPrimary, Color.BLUE)
val MATCH = LinearLayout.LayoutParams.MATCH_PARENT
val WRAP = LinearLayout.LayoutParams.WRAP_CONTENT
fun lp(w: Int = MATCH, h: Int = WRAP, init: LinearLayout.LayoutParams.() -> Unit = {}) =
LinearLayout.LayoutParams(w, h).apply(init)
fun accountBlock(label: String, name: String, number: String, detail: String) =
LinearLayout(ctx).apply {
orientation = LinearLayout.VERTICAL
gravity = Gravity.CENTER_HORIZONTAL
layoutParams = lp()
addView(TextView(ctx).apply {
text = label
textSize = 10f
isAllCaps = true
letterSpacing = 0.12f
setTextColor(colorMuted)
gravity = Gravity.CENTER
})
addView(TextView(ctx).apply {
text = name
textSize = 16f
setTypeface(null, Typeface.BOLD)
setTextColor(colorOnSurface)
gravity = Gravity.CENTER
layoutParams = lp { topMargin = (2 * dp).toInt() }
})
if (number.isNotBlank()) addView(TextView(ctx).apply {
text = number
textSize = 13f
setTextColor(colorMuted)
gravity = Gravity.CENTER
})
if (detail.isNotBlank()) addView(TextView(ctx).apply {
text = detail
textSize = 12f
setTextColor(colorMuted)
gravity = Gravity.CENTER
alpha = 0.75f
})
}
return LinearLayout(ctx).apply {
orientation = LinearLayout.VERTICAL
gravity = Gravity.CENTER_HORIZONTAL
setPadding((20 * dp).toInt(), (8 * dp).toInt(), (20 * dp).toInt(), (8 * dp).toInt())
// Currency + amount on same line, centered, baseline-aligned
addView(LinearLayout(ctx).apply {
orientation = LinearLayout.HORIZONTAL
gravity = Gravity.CENTER_HORIZONTAL
layoutParams = lp { bottomMargin = (20 * dp).toInt() }
addView(TextView(ctx).apply {
text = "$amountCurrency "
textSize = 16f
setTextColor(colorMuted)
layoutParams = LinearLayout.LayoutParams(WRAP, WRAP)
})
addView(TextView(ctx).apply {
text = amountValue
textSize = 34f
setTypeface(null, Typeface.BOLD)
setTextColor(colorPrimary)
})
})
addView(accountBlock("From", fromName, fromNumber, fromDetail))
// Down arrow — centered
addView(ImageView(ctx).apply {
setImageResource(R.drawable.ic_arrow_right)
rotation = 90f
setColorFilter(colorMuted)
layoutParams = lp(WRAP, WRAP) {
gravity = Gravity.CENTER_HORIZONTAL
width = (24 * dp).toInt()
height = (24 * dp).toInt()
topMargin = (12 * dp).toInt()
bottomMargin = (12 * dp).toInt()
}
})
addView(accountBlock("To", toName, toNumber, toDetail))
for (warning in warningTexts) {
addView(TextView(ctx).apply {
text = warning
setTextColor(Color.RED)
textSize = 14f
setTypeface(null, Typeface.BOLD)
layoutParams = lp { topMargin = (16 * dp).toInt() }
})
}
}
}
private fun executeBmlQrPayment(
src: BankAccount,
debitAccount: String,
info: BmlQrPayInfo,
amount: Double
amount: Double,
dialog: AlertDialog,
frame: android.widget.FrameLayout
) {
val app = requireActivity().application as BasedBankApp
val loginId = src.loginTag.removePrefix("bml_")
val session = bmlSessionFor(src) ?: run {
dialog.dismiss()
Toast.makeText(requireContext(), R.string.transfer_session_unavailable, Toast.LENGTH_SHORT).show()
return
}
val otp = CredentialStore(requireContext()).loadBmlCredentials(loginId)?.otpSeed
?.let { Totp.generate(it) }
?: run { Toast.makeText(requireContext(), "OTP unavailable", Toast.LENGTH_SHORT).show(); return }
?: run { dialog.dismiss(); Toast.makeText(requireContext(), "OTP unavailable", Toast.LENGTH_SHORT).show(); return }
binding.btnTransfer.isEnabled = false
(activity as? HomeActivity)?.setRefreshing(true)
viewLifecycleOwner.lifecycleScope.launch {
val result = withContext(Dispatchers.IO) {
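Review bot: The confirmation view now shows "%.2f".format(amount), and biometricSubtitle switched from amountStr to the same rounded value, while doTransfer above still passes both amount and amountStr on. If the entered amount can have more than two decimals, the figure the user approves differs from the one submitted. Normalise the amount once before building the dialog and pass that single value to both the view and the transfer call. Separately, the From/To labels, the two warning texts and "OTP unavailable" are hard-coded English while the rest of the file uses R.string resources.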
@@ -1080,75 +1313,174 @@ class TransferFragment : Fragment() {
sh.sar.basedbank.api.bml.BmlQrPayResult(false, errorMessage = e.message ?: "Payment failed")
}
}
(activity as? HomeActivity)?.setRefreshing(false)
if (_binding == null) return@launch
if (result == null) {
dialog.dismiss()
binding.btnTransfer.isEnabled = true
Toast.makeText(requireContext(), "Failed to initiate payment", Toast.LENGTH_LONG).show()
return@launch
}
if (result.success) {
showBmlQrSuccessDialog(
merchant = result.merchant.ifBlank { info.merchantName },
amount = result.amount.ifBlank { "%.2f".format(amount) },
currency = result.currency.ifBlank { info.currency }
)
showSuccessInDialog(
dialog, frame,
amountCurrency = result.currency.ifBlank { info.currency },
amountValue = result.amount.ifBlank { "%.2f".format(amount) },
fromName = src.accountBriefName,
toName = result.merchant.ifBlank { info.merchantName }
) {
clearForm()
(activity as? HomeActivity)?.triggerRefresh()
}
} else {
dialog.dismiss()
binding.btnTransfer.isEnabled = true
Toast.makeText(requireContext(), result.errorMessage, Toast.LENGTH_LONG).show()
}
}
}
private fun showBmlQrSuccessDialog(merchant: String, amount: String, currency: String) {
private fun showProcessingInDialog(dialog: AlertDialog, frame: android.widget.FrameLayout) {
dialog.getButton(AlertDialog.BUTTON_POSITIVE)?.visibility = View.GONE
dialog.getButton(AlertDialog.BUTTON_NEGATIVE)?.visibility = View.GONE
dialog.setCancelable(false)
val ctx = requireContext()
val dp = resources.displayMetrics.density
val container = android.widget.LinearLayout(ctx).apply {
orientation = android.widget.LinearLayout.VERTICAL
gravity = android.view.Gravity.CENTER_HORIZONTAL
setPadding((24 * dp).toInt(), (24 * dp).toInt(), (24 * dp).toInt(), (8 * dp).toInt())
val spinner = CircularProgressDrawable(ctx).apply {
setStyle(CircularProgressDrawable.LARGE)
setColorSchemeColors(com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorPrimary, Color.GRAY))
start()
}
container.addView(android.widget.ImageView(ctx).apply {
setImageResource(R.drawable.ic_check_circle)
setColorFilter(android.graphics.Color.parseColor("#4CAF50"))
layoutParams = android.widget.LinearLayout.LayoutParams(
(64 * dp).toInt(), (64 * dp).toInt()
).apply { gravity = android.view.Gravity.CENTER_HORIZONTAL; bottomMargin = (16 * dp).toInt() }
frame.removeAllViews()
frame.addView(LinearLayout(ctx).apply {
orientation = LinearLayout.VERTICAL
gravity = Gravity.CENTER_HORIZONTAL
setPadding((24 * dp).toInt(), (24 * dp).toInt(), (24 * dp).toInt(), (24 * dp).toInt())
addView(ImageView(ctx).apply {
setImageDrawable(spinner)
layoutParams = LinearLayout.LayoutParams((48 * dp).toInt(), (48 * dp).toInt()).apply {
gravity = Gravity.CENTER_HORIZONTAL
bottomMargin = (12 * dp).toInt()
}
})
addView(TextView(ctx).apply {
text = "Processing..."
textSize = 16f
gravity = Gravity.CENTER
setTextColor(com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorOnSurface, Color.BLACK))
})
})
container.addView(android.widget.TextView(ctx).apply {
text = "$currency $amount"
textSize = 28f
setTypeface(null, android.graphics.Typeface.BOLD)
setTextColor(com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorOnSurface, android.graphics.Color.BLACK))
gravity = android.view.Gravity.CENTER
layoutParams = android.widget.LinearLayout.LayoutParams(
android.widget.LinearLayout.LayoutParams.WRAP_CONTENT,
android.widget.LinearLayout.LayoutParams.WRAP_CONTENT
).apply { gravity = android.view.Gravity.CENTER_HORIZONTAL; bottomMargin = (8 * dp).toInt() }
})
container.addView(android.widget.TextView(ctx).apply {
text = merchant
textSize = 14f
setTextColor(com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorOnSurfaceVariant, android.graphics.Color.GRAY))
gravity = android.view.Gravity.CENTER
layoutParams = android.widget.LinearLayout.LayoutParams(
android.widget.LinearLayout.LayoutParams.WRAP_CONTENT,
android.widget.LinearLayout.LayoutParams.WRAP_CONTENT
).apply { gravity = android.view.Gravity.CENTER_HORIZONTAL }
})
MaterialAlertDialogBuilder(ctx)
.setTitle(R.string.bml_qr_payment_success)
.setView(container)
.setPositiveButton(android.R.string.ok) { _, _ ->
requireActivity().onBackPressedDispatcher.onBackPressed()
}
.setCancelable(false)
.show()
}
private fun showSuccessInDialog(
dialog: AlertDialog,
frame: android.widget.FrameLayout,
amountCurrency: String,
amountValue: String,
fromName: String,
toName: String,
onDone: () -> Unit
) {
val ctx = requireContext()
val dp = resources.displayMetrics.density
val colorOnSurface = com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorOnSurface, Color.BLACK)
val colorMuted = com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorOnSurfaceVariant, Color.GRAY)
val colorPrimary = com.google.android.material.color.MaterialColors.getColor(
requireView(), com.google.android.material.R.attr.colorPrimary, Color.BLUE)
val MATCH = LinearLayout.LayoutParams.MATCH_PARENT
val WRAP = LinearLayout.LayoutParams.WRAP_CONTENT
frame.removeAllViews()
frame.addView(LinearLayout(ctx).apply {
orientation = LinearLayout.VERTICAL
gravity = Gravity.CENTER_HORIZONTAL
setPadding((24 * dp).toInt(), (20 * dp).toInt(), (24 * dp).toInt(), (8 * dp).toInt())
// Checkmark
addView(ImageView(ctx).apply {
setImageResource(R.drawable.ic_check_circle)
setColorFilter(Color.parseColor("#4CAF50"))
layoutParams = LinearLayout.LayoutParams((64 * dp).toInt(), (64 * dp).toInt()).apply {
gravity = Gravity.CENTER_HORIZONTAL
bottomMargin = (16 * dp).toInt()
}
})
// Currency + amount
addView(LinearLayout(ctx).apply {
orientation = LinearLayout.HORIZONTAL
gravity = Gravity.CENTER_HORIZONTAL
layoutParams = LinearLayout.LayoutParams(MATCH, WRAP).apply {
bottomMargin = (16 * dp).toInt()
}
addView(TextView(ctx).apply {
text = "$amountCurrency "
textSize = 16f
setTextColor(colorMuted)
layoutParams = LinearLayout.LayoutParams(WRAP, WRAP)
})
addView(TextView(ctx).apply {
text = amountValue
textSize = 28f
setTypeface(null, Typeface.BOLD)
setTextColor(colorPrimary)
})
})
// From row
addView(LinearLayout(ctx).apply {
orientation = LinearLayout.HORIZONTAL
gravity = Gravity.CENTER_HORIZONTAL
layoutParams = LinearLayout.LayoutParams(MATCH, WRAP)
addView(TextView(ctx).apply {
text = "From "
textSize = 12f
setTextColor(colorMuted)
layoutParams = LinearLayout.LayoutParams(WRAP, WRAP)
})
addView(TextView(ctx).apply {
text = fromName
textSize = 13f
setTypeface(null, Typeface.BOLD)
setTextColor(colorOnSurface)
gravity = Gravity.CENTER
})
})
// To row
addView(LinearLayout(ctx).apply {
orientation = LinearLayout.HORIZONTAL
gravity = Gravity.CENTER_HORIZONTAL
layoutParams = LinearLayout.LayoutParams(MATCH, WRAP).apply {
topMargin = (4 * dp).toInt()
}
addView(TextView(ctx).apply {
text = "To "
textSize = 12f
setTextColor(colorMuted)
layoutParams = LinearLayout.LayoutParams(WRAP, WRAP)
})
addView(TextView(ctx).apply {
text = toName
textSize = 13f
setTypeface(null, Typeface.BOLD)
setTextColor(colorOnSurface)
gravity = Gravity.CENTER
})
})
})
val okBtn = dialog.getButton(AlertDialog.BUTTON_POSITIVE)
okBtn?.visibility = View.VISIBLE
okBtn?.text = "OK"
okBtn?.setOnClickListener { dialog.dismiss(); onDone() }
}
private fun doMibTransfer(
src: BankAccount,
destAccount: String,
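Review bot: The early exit if (_binding == null) return@launch skips dialog.dismiss(), unlike every other failure path in executeBmlQrPayment(). By that point showProcessingInDialog() has hidden both buttons and disabled cancel, so the dialog is left showing a spinner. Dismiss it before returning. In showProcessingInDialog() and showSuccessInDialog(), "Processing...", "From ", "To " and "OK" should come from string resources; the code this replaces used android.R.string.ok.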
@@ -1718,6 +2050,7 @@ class TransferFragment : Fragment() {
requireActivity().title = getString(R.string.transfer)
}
override fun onDestroyView() {
super.onDestroyView()
_binding = null
@@ -627,6 +627,29 @@ class CredentialStore(context: Context) {
editor.apply()
}
// ── Default transfer/QR account ───────────────────────────────────────────
/** Account number the user has pinned as their default source for transfers and PayMV QR, or null. */
fun getDefaultAccountNumber(): String? = prefs.getString("default_account_number", null)
fun setDefaultAccountNumber(accountNumber: String?) {
val editor = prefs.edit()
if (accountNumber == null) editor.remove("default_account_number")
else editor.putString("default_account_number", accountNumber)
editor.apply()
}
// ── Dashboard card visibility ─────────────────────────────────────────────
fun getHiddenDashboardCardNumbers(): Set<String> =
prefs.getStringSet("hidden_dashboard_cards", emptySet()) ?: emptySet()
fun setCardHiddenFromDashboard(accountNumber: String, hidden: Boolean) {
val current = getHiddenDashboardCardNumbers().toMutableSet()
if (hidden) current.add(accountNumber) else current.remove(accountNumber)
prefs.edit().putStringSet("hidden_dashboard_cards", current).apply()
}
// ── MIB profile visibility (per loginId) ─────────────────────────────────
/** Returns the set of MIB profile IDs the user has chosen to hide (for a given loginId). */
@@ -41,7 +41,7 @@ object PaymvQrParser {
PaymvQrData(
accountNumber = merchantInfo?.get("03"),
amount = root["54"],
amount = root["54"]?.takeIf { it != "***" },
purpose = additionalData?.get("08"),
merchantName = root["59"]
)
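Review bot: takeIf { it != "***" } filters one sentinel, but any other non-numeric value in tag 54 is still returned as amount and ends up in etAmount via setText(qr.amount) in TransferFragment. Since the QR payload is untrusted input, accept the field only if it parses as a positive decimal (for example with toBigDecimalOrNull()) and return null otherwise. A one-line comment explaining what *** means in a PayMV QR would help too.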
+36 -4
@@ -2,9 +2,41 @@
<vector xmlns:android="http://schemas.android.com/apk/res/android"
android:width="24dp"
android:height="24dp"
android:viewportWidth="24"
android:viewportHeight="24">
android:viewportWidth="48"
android:viewportHeight="48">
<!-- Phone outline -->
<path
android:fillColor="?attr/colorOnSurface"
android:pathData="M20,2L4,2C2.9,2 2,2.9 2,4l0,16c0,1.1 0.9,2 2,2l16,0c1.1,0 2,-0.9 2,-2L22,4C22,2.9 21.1,2 20,2zM13,18l-2,0 0,-1c-2.76,0 -5,-2.24 -5,-5s2.24,-5 5,-5 5,2.24 5,5l-2,0c0,-1.65 -1.35,-3 -3,-3s-3,1.35 -3,3 1.35,3 3,3l0,-2 2,3zM19,12l-2,0c0,-2.76 -2.24,-5 -5,-5l0,-2C15.87,5 19,8.13 19,12z"/>
android:fillColor="#00000000"
android:strokeColor="?attr/colorOnSurface"
android:strokeWidth="2"
android:strokeLineCap="round"
android:strokeLineJoin="round"
android:pathData="M6.08,8.6 L20.45,8.6 A1.58,1.58,0,0,1,22.03,10.18 L22.03,37.81 A1.58,1.58,0,0,1,20.45,39.39 L6.08,39.39 A1.58,1.58,0,0,1,4.5,37.81 L4.5,10.18 A1.58,1.58,0,0,1,6.08,8.6 Z"/>
<!-- Top notch line -->
<path
android:fillColor="#00000000"
android:strokeColor="?attr/colorOnSurface"
android:strokeWidth="2"
android:strokeLineCap="round"
android:pathData="M4.5,12.55 L22.03,12.55"/>
<!-- Bottom notch line -->
<path
android:fillColor="#00000000"
android:strokeColor="?attr/colorOnSurface"
android:strokeWidth="2"
android:strokeLineCap="round"
android:pathData="M4.5,35.45 L22.03,35.45"/>
<!-- NFC waves (outer, mid, inner) -->
<path
android:fillColor="#00000000"
android:strokeColor="?attr/colorOnSurface"
android:strokeWidth="2"
android:strokeLineCap="round"
android:strokeLineJoin="round"
android:pathData="M36.07,9.29 a18.28,18.28,0,0,1,0,29.42 m-4,-24.16 a11.84,11.84,0,0,1,5,9.45 11.84,11.84,0,0,1,-5,9.45 m-3.68,-14 a5.67,5.67,0,0,1,0,9.1"/>
</vector>
@@ -4,13 +4,47 @@
android:height="108dp"
android:viewportWidth="108"
android:viewportHeight="108">
<group
android:translateX="30"
android:translateY="30"
android:scaleX="2"
android:scaleY="2">
android:scaleX="1.0"
android:scaleY="1.0">
<!-- Phone outline -->
<path
android:fillColor="#FFFFFF"
android:pathData="M20,4H4C2.89,4 2.01,4.89 2.01,6L2,18c0,1.11 0.89,2 2,2h16c1.11,0 2,-0.89 2,-2V6C22,4.89 21.11,4 20,4zM20,18H4v-6h16V18zM20,8H4V6h16V8z" />
android:fillColor="#00000000"
android:strokeColor="#FFFFFF"
android:strokeWidth="2.5"
android:strokeLineCap="round"
android:strokeLineJoin="round"
android:pathData="M6.08,8.6 L20.45,8.6 A1.58,1.58,0,0,1,22.03,10.18 L22.03,37.81 A1.58,1.58,0,0,1,20.45,39.39 L6.08,39.39 A1.58,1.58,0,0,1,4.5,37.81 L4.5,10.18 A1.58,1.58,0,0,1,6.08,8.6 Z"/>
<!-- Top notch line -->
<path
android:fillColor="#00000000"
android:strokeColor="#FFFFFF"
android:strokeWidth="2.5"
android:strokeLineCap="round"
android:pathData="M4.5,12.55 L22.03,12.55"/>
<!-- Bottom notch line -->
<path
android:fillColor="#00000000"
android:strokeColor="#FFFFFF"
android:strokeWidth="2.5"
android:strokeLineCap="round"
android:pathData="M4.5,35.45 L22.03,35.45"/>
<!-- NFC waves -->
<path
android:fillColor="#00000000"
android:strokeColor="#FFFFFF"
android:strokeWidth="2.5"
android:strokeLineCap="round"
android:strokeLineJoin="round"
android:pathData="M36.07,9.29 a18.28,18.28,0,0,1,0,29.42 m-4,-24.16 a11.84,11.84,0,0,1,5,9.45 11.84,11.84,0,0,1,-5,9.45 m-3.68,-14 a5.67,5.67,0,0,1,0,9.1"/>
</group>
</vector>
@@ -87,6 +87,7 @@ app:menu="@menu/bottom_nav_menu" />
android:layout_height="match_parent"
android:layout_gravity="start"
android:fitsSystemWindows="true"
app:headerLayout="@layout/nav_header"
app:menu="@menu/drawer_menu" />
</androidx.drawerlayout.widget.DrawerLayout>
@@ -93,6 +93,7 @@
<!-- Divider -->
<View
android:id="@+id/divider"
android:layout_width="match_parent"
android:layout_height="1dp"
android:layout_marginHorizontal="24dp"
@@ -173,6 +174,32 @@
</LinearLayout>
<!-- Hide from dashboard toggle (manage mode only) -->
<LinearLayout
android:id="@+id/llHideDashboardRow"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:orientation="horizontal"
android:gravity="center_vertical"
android:paddingHorizontal="20dp"
android:paddingTop="4dp"
android:paddingBottom="4dp"
android:visibility="gone">
<TextView
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_weight="1"
android:text="@string/card_hide_from_dashboard"
android:textAppearance="?attr/textAppearanceBodyMedium" />
<com.google.android.material.materialswitch.MaterialSwitch
android:id="@+id/switchHideFromDashboard"
android:layout_width="wrap_content"
android:layout_height="wrap_content" />
</LinearLayout>
<!-- Card management actions (manage mode only) -->
<LinearLayout
android:id="@+id/llManageButtons"
@@ -242,6 +269,13 @@
</LinearLayout>
<!-- Tap-to-pay overlay: shown in tap mode, sits above contentLayout -->
<FrameLayout
android:id="@+id/flTapMode"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:visibility="gone" />
<!-- Loading state -->
<LinearLayout
android:id="@+id/loadingView"
@@ -182,6 +182,55 @@
</LinearLayout>
<!-- Default account divider + row (shown only for non-card accounts) -->
<View
android:id="@+id/dividerDefaultAccount"
android:layout_width="match_parent"
android:layout_height="1dp"
android:layout_marginTop="16dp"
android:background="?attr/colorOutlineVariant"
android:visibility="gone" />
<LinearLayout
android:id="@+id/llDefaultAccountRow"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:orientation="horizontal"
android:gravity="center_vertical"
android:layout_marginTop="12dp"
android:visibility="gone">
<LinearLayout
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_weight="1"
android:orientation="vertical">
<TextView
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:text="Default account"
android:textAppearance="?attr/textAppearanceBodyMedium"
android:textColor="?attr/colorOnSurface" />
<TextView
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:text="Auto-selected for transfers and PayMV QR"
android:textAppearance="?attr/textAppearanceLabelSmall"
android:textColor="?attr/colorOnSurfaceVariant"
android:layout_marginTop="2dp" />
</LinearLayout>
<com.google.android.material.materialswitch.MaterialSwitch
android:id="@+id/switchDefaultAccount"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginStart="12dp" />
</LinearLayout>
</LinearLayout>
</com.google.android.material.card.MaterialCardView>
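Review bot: The two `TextView`s inside `llDefaultAccountRow` use literal text (`android:text="Default account"` and `android:text="Auto-selected for transfers and PayMV QR"`) where the other layouts in this commit reference `@string/...` resources. Move both to `strings.xml` so the Dhivehi locale gets them. `switchDefaultAccount` also has no label association or `contentDescription`, so a screen reader announces a bare switch for a setting that decides which account money leaves from.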
+9 -9
View File
@@ -26,15 +26,6 @@
app:layout_constraintTop_toTopOf="parent"
app:layout_constraintBottom_toBottomOf="parent">
<ImageButton
android:id="@+id/btnTransferContact"
android:layout_width="36dp"
android:layout_height="36dp"
android:background="?attr/selectableItemBackgroundBorderless"
android:src="@drawable/ic_send"
android:padding="6dp"
android:contentDescription="@string/transfer" />
<ImageButton
android:id="@+id/btnEditContact"
android:layout_width="36dp"
@@ -54,6 +45,15 @@
android:tint="?attr/colorError"
android:contentDescription="@string/contact_delete" />
<ImageButton
android:id="@+id/btnTransferContact"
android:layout_width="36dp"
android:layout_height="36dp"
android:background="?attr/selectableItemBackgroundBorderless"
android:src="@drawable/ic_send"
android:padding="6dp"
android:contentDescription="@string/transfer" />
</LinearLayout>
<LinearLayout
+25
View File
@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:orientation="horizontal"
android:gravity="center_vertical"
android:paddingStart="16dp"
android:paddingEnd="16dp"
android:paddingTop="24dp"
android:paddingBottom="16dp">
<ImageView
android:layout_width="40dp"
android:layout_height="40dp"
android:src="@mipmap/ic_launcher"
android:contentDescription="@string/app_name" />
<TextView
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginStart="12dp"
android:text="@string/app_name"
android:textAppearance="?attr/textAppearanceTitleMedium" />
</LinearLayout>
+4 -1
View File
@@ -238,14 +238,16 @@
<string name="transfer_lookup_account">Look up account</string>
<string name="transfer_clear_recipient">Clear recipient</string>
<string name="transfer_pick_contact">Pick contact</string>
<string name="transfer_scan_qr">Scan QR</string>
<string name="transfer_scan_qr">Scan to Pay</string>
<string name="qr_pick_image">Pick image</string>
<string name="transfer_qr_invalid">Invalid or unsupported QR code</string>
<string name="card_qr_paymv_unsupported">PayMV QR is not supported for card payments — switching to transfer</string>
<string name="qr_camera_permission_title">Camera permission required</string>
<string name="qr_camera_permission_message">Camera access is needed to scan QR codes. Please grant the permission in Settings.</string>
<string name="camera_permission_profile_message">Camera access is needed to take a photo. Please grant the permission in Settings.</string>
<string name="go_to_settings">Go to Settings</string>
<string name="transfer_select_source_first">Select a source account first</string>
<string name="transfer_no_from_account">Please set a default account or select From account first</string>
<string name="transfer_enter_account_first">Enter an account number first</string>
<string name="transfer_account_not_found">Account not found</string>
<string name="transfer_session_unavailable">Session unavailable — please re-login</string>
@@ -332,6 +334,7 @@
<string name="mib_qr_nfc_not_supported">Skill issue on MIB side, Not supported</string>
<string name="card_manage">Manage Card</string>
<string name="card_set_as_default">Set as Default Card</string>
<string name="card_hide_from_dashboard">Hide from Dashboard</string>
<string name="card_action_change_pin">Change PIN</string>
<string name="card_action_freeze">Freeze</string>
<string name="card_action_block">Block</string>
+24
View File
@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="utf-8"?>
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
android:description="@string/app_name"
android:requireDeviceUnlock="false">
<aid-group
android:description="@string/app_name"
android:category="payment">
<!-- PPSE: 2PAY.SYS.DDF01 -->
<aid-filter android:name="325041592E5359532E4444463031" />
<!-- Visa -->
<aid-filter android:name="A0000000031010" />
<!-- Mastercard -->
<aid-filter android:name="A0000000041010" />
<!-- Amex -->
<aid-filter android:name="A000000025" />
</aid-group>
</host-apdu-service>
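Review bot: `android:requireDeviceUnlock="false"` on a `category="payment"` service lets the NFC stack invoke it while the screen is on but the device is still locked, so the Track 2 token can be handed to a reader without any user authentication. Set it to `true`, or have the service answer only when an unlocked user has explicitly armed a token for this tap. Separately, `<aid-filter android:name="A000000025" />` registers that exact 5-byte AID, while the tap-to-pay doc in this commit lists Amex as the prefix `A000000025...`; if prefix matching is intended, the filter needs to be registered as a prefix (trailing `*`).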
+4 -4
View File
@@ -28,13 +28,13 @@
</shortcut>
<shortcut
android:shortcutId="pay_with_card"
android:shortcutId="tap_to_pay"
android:enabled="true"
android:icon="@drawable/ic_shortcut_pay_card"
android:shortcutShortLabel="@string/nav_pay_with_card"
android:shortcutLongLabel="@string/nav_pay_with_card">
android:shortcutShortLabel="@string/card_pay_nfc"
android:shortcutLongLabel="@string/card_pay_nfc">
<intent
android:action="sh.sar.basedbank.OPEN_PAY_WITH_CARD"
android:action="sh.sar.basedbank.TAP_TO_PAY"
android:targetPackage="sh.sar.basedbank"
android:targetClass="sh.sar.basedbank.MainActivity" />
<categories android:name="android.shortcut.conversation" />
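Review bot: The `android:shortcutId` change from `pay_with_card` to `tap_to_pay` removes the old id from the manifest, so shortcuts that users already pinned under `pay_with_card` will be disabled after the update; keep the old shortcut alongside the new one or mention the break in the release notes. The intent action now reads `sh.sar.basedbank.TAP_TO_PAY` and still targets `MainActivity`, while the app overview page added in this commit lists both `OPEN_PAY_WITH_CARD` and `TAP_TO_PAY` as handled actions; confirm both are still routed, and that `TAP_TO_PAY` arriving from outside the app goes through the lock screen before the NFC flow opens.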
+21
View File
@@ -0,0 +1,21 @@
# Thijooree Documentation
---
## App Internals
| Section | Description |
|---|---|
| [thijooree/](thijooree/README.md) | UI flows, routing logic, parsers, and security audit for the Android client |
---
## Bank & Service APIs
| Section | Description |
|---|---|
| [bmlapi/](bmlapi/README.md) | Bank of Maldives — hybrid web/OAuth login, dashboard, transfers, cards, QR payments, tap-to-pay |
| [mibapi/](mibapi/README.md) | MIB Faisanet — Blowfish-encrypted API + WebView session, accounts, transfers, contacts |
| [fahipayapi/](fahipayapi/README.md) | Fahipay digital wallet — login, balance, history, contacts |
| [dhiraaguapi/](dhiraaguapi/README.md) | Dhiraagu Easy Pay — number lookup for reload / bill pay |
| [ooredooapi/](ooredooapi/README.md) | Ooredoo Quick Pay — number validation for Raastas / bill pay |
+1 -1
View File
@@ -144,4 +144,4 @@ Each channel object:
---
[← Account Validation](10-validate.md)
[← Account Validation](10-validate.md) · [Next → Tap-to-Pay](12-tap-to-pay.md)
+254
View File
@@ -0,0 +1,254 @@
# Tap-to-Pay (NFC / HCE)
BML supports contactless NFC payments via Host Card Emulation (HCE). The app fetches single-use payment tokens from the server, then emulates an EMV mag-stripe contactless card using Android's `HostApduService`.
---
## Overview
```
1. Fetch tokens → POST /api/mobile/walletpayments/gettoken (TOTP-authenticated)
2. HCE exchange → Android NFC subsystem drives the APDU exchange with the POS terminal
```
---
## Step 1 — Fetch Payment Tokens
### Endpoint
```
POST https://www.bankofmaldives.com.mv/internetbanking/api/mobile/walletpayments/gettoken
```
### Headers
| Header | Value |
|---|---|
| `Authorization` | `Bearer <access_token>` |
| `User-Agent` | `bml-mobile-banking/348 ({manufacturer}; Android {version}; {model})` |
| `x-app-version` | `2.1.44.348` |
| `Content-Type` | `application/json` |
### Three-Step OTP Flow
Token retrieval requires TOTP verification and completes in three POSTs to the same endpoint.
#### Step 1a — Initiate
```json
{
"type": "track2",
"cardid": "<cardId>",
"quantity": 3
}
```
Expected response: `{ "code": 99 }` (OTP required)
If `"code": 0` is returned directly the payload contains tokens immediately (skip to parsing).
#### Step 1b — Request OTP Channel
```json
{
"type": "track2",
"cardid": "<cardId>",
"quantity": 3,
"channel": "token"
}
```
Expected response: `{ "code": 22 }` (OTP generated on BML side; TOTP is used locally)
#### Step 1c — Submit TOTP
```json
{
"type": "track2",
"cardid": "<cardId>",
"quantity": 3,
"channel": "token",
"otp": "<TOTP>"
}
```
Expected response: `{ "code": 0, "payload": [...] }`
The OTP is a standard TOTP (RFC 6238, SHA-1, 30-second window, 6 digits) derived from the stored BML authenticator seed.
### Token Response
```json
{
"code": 0,
"payload": [
{
"token": "4761360000000000",
"expiry": "2512",
"app_code": "A0000000031010",
"service_code": "000",
"data": "0960919802623742",
"valid_until": "2025-12-01 12:00:00.000"
}
]
}
```
### Token Fields
| Field | Description |
|---|---|
| `token` | PAN-equivalent single-use token (used as Track 2 primary account number) |
| `expiry` | Expiry in `YYMM` format (e.g. `"2512"` = December 2025) |
| `app_code` | AID (Application Identifier) hex string — identifies the card network |
| `service_code` | 3-digit service code for Track 2 |
| `data` | Discretionary data appended to Track 2 |
| `valid_until` | Server-side expiry timestamp for the token |
### AID to Card Network Mapping
| AID prefix | Network |
|---|---|
| `A0000000031010` | Visa |
| `A0000000041010` | Mastercard |
| `A000000025...` | Amex |
| (other) | BML |
---
## Step 2 — HCE APDU Exchange
Once a token is set, Android's NFC subsystem routes contactless commands to the app's `HostApduService`. The flow follows the EMV mag-stripe contactless profile.
### APDU Exchange Flow
```
POS Terminal Android HCE
| |
| SELECT PPSE (INS=A4) |
|--------------------------------------->|
| FCI Template (6F) + 9000 |
|<---------------------------------------|
| |
| SELECT AID (INS=A4) |
|--------------------------------------->|
| FCI Template (6F) + 9000 |
|<---------------------------------------|
| |
| GET PROCESSING OPTIONS (INS=A8) |
|--------------------------------------->|
| Response Message Template (80) + 9000 |
|<---------------------------------------|
| |
| READ RECORD (INS=B2) |
|--------------------------------------->|
| Record Template (70) + 9000 |
|<---------------------------------------|
```
### APDU Command Bytes
| INS | Hex | Command |
|---|---|---|
| `SELECT` | `0xA4` | Select PPSE or AID |
| `GET PROCESSING OPTIONS` | `0xA8` | Request AIP + AFL |
| `READ RECORD` | `0xB2` | Read Track 2 data |
### SELECT PPSE Response
PPSE AID: `2PAY.SYS.DDF01` = `325041592E5359532E4444463031`
```
6F <len>
84 <len> 325041592E5359532E4444463031 ← DF Name (PPSE)
A5 <len>
BF0C <len>
61 <len>
4F <len> <AID> ← ADF Name
87 01 01 ← Application Priority Indicator
9000
```
### SELECT AID Response
```
6F <len>
84 <len> <AID> ← Dedicated File Name
A5 <len>
50 <len> <label-ascii-as-hex> ← Application Label (e.g. "VISA")
9F38 02 9F6602 ← PDOL: TTQ (2 bytes)
9000
```
The application label is derived from the AID prefix (see mapping table above).
### GET PROCESSING OPTIONS Response
```
80 06 0080 08010100
9000
```
| Field | Value | Meaning |
|---|---|---|
| Tag `80` | — | Response Message Template 1 |
| AIP | `0080` | Mag-stripe mode |
| AFL | `08010100` | SFI=1, records 11, 0 offline auth records |
### READ RECORD Response
```
70 <len>
57 <len> <track2-data> ← Track 2 Equivalent Data
9000
```
Track 2 format:
```
{token} D {expiry} {serviceCode} {data} [F]
```
The trailing `F` nibble is appended when the total length is odd (standard Track 2 padding).
Example from a real token:
```
4761360000000000 D 2512 000 0960919802623742
→ 4761360000000000D2512000096091980262374 2F (padded)
```
### Status Words
| SW | Meaning |
|---|---|
| `9000` | Success |
| `6F00` | Generic / unknown error |
| `6D00` | Instruction not supported |
---
## TLV Encoding
All APDU responses use BER-TLV encoding. Tags are 1 or 2 bytes (hex string). Length follows DER short/long form:
| Length range | Encoding |
|---|---|
| 0127 bytes | `LL` (1 byte) |
| 128255 bytes | `81 LL` (2 bytes) |
| 25665535 bytes | `82 HH LL` (3 bytes) |
---
## Prerequisites
- Valid `access_token` from [OAuth Token Exchange](03-oauth-token.md)
- TOTP seed enrolled via BML app (same seed used for login 2FA)
- `cardId` from the dashboard — see [Dashboard](04-dashboard.md)
---
&nbsp;
---
[← Foreign Limits](11-foreign-limits.md) · [Next → QR Payment](13-qr-payment.md)
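Review bot: The READ RECORD section labels its sample "Example from a real token", and the same `token` and `data` values appear in the Token Response JSON; if these came from a live account they do not belong in the repository, so replace them with clearly synthetic values and say so. The worked example also contradicts the padding rule directly above it: token (16) + `D` + expiry (4) + service code (3) + data (16) is 40 nibbles, which is already even, yet the result line shows a trailing `F`. Correct either the rule or the example. It would also help to state here how long fetched tokens are held in memory and whether unused ones are discarded when the app locks, since `quantity: 3` tokens are requested per fetch.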
+243
View File
@@ -0,0 +1,243 @@
# QR Payment
BML supports QR-based payments via the PayMV network. There are two QR types — static merchant QRs (no preset amount) and gateway QRs (amount preset by merchant). Both are paid via the same 3-step TOTP-authenticated flow.
---
## QR Code Types
| Type code | Name | Amount |
|---|---|---|
| `QRS` | Static QR | `0.00` — user enters amount |
| `QRR` | Gateway / dynamic QR | Preset by merchant |
---
## QR Code Formats
BML QR codes appear in two formats.
### 1. Plain URL QR
```
https://pay.bml.com.mv/app/<base64-encoded-url>
```
The entire URL is base64-encoded and passed directly to the payrequest lookup API.
### 2. Combined EMV-style QR
Used in Fahipay/PayMV combo QRs that embed multiple payment networks. The BML gateway URL is embedded as a TLV value at a fixed path.
TLV path: **root tag `35` → sub-tag `20` → sub-sub-tag `01`**
The value at tag `01` is the full `https://pay.bml.com.mv/app/...` URL.
---
## PayMV QR Format (TLV)
PayMV QRs (static, PayMV-native) use a decimal TLV encoding (not BER-TLV):
```
<2-digit decimal tag><2-digit decimal length><value>...
```
### Root-level tags (key fields for scanning)
| Tag | Field |
|---|---|
| `26` | Merchant account information (container) |
| `54` | Transaction amount |
| `59` | Merchant / recipient name |
| `62` | Additional data (container) |
### Sub-tags
| Parent | Tag | Field |
|---|---|---|
| `26` | `03` | Account number |
| `62` | `08` | Payment purpose / reference |
> For the full PayMV QR format spec including generation (receive-payment QRs), acquirer BIC mapping, CRC algorithm, and all tags — see [PayMV QR Format](../thijooree/18-paymv-qr-format.md).
---
## Step 1 — Resolve QR to Merchant Details
### Endpoint
```
GET https://www.bankofmaldives.com.mv/internetbanking/api/mobile/walletpayments/payrequest/{base64Url}
```
`{base64Url}` is the full QR URL (e.g. `https://pay.bml.com.mv/app/...`) base64-encoded with standard encoding (with padding).
### Headers
| Header | Value |
|---|---|
| `Authorization` | `Bearer <access_token>` |
| `User-Agent` | `bml-mobile-banking/348 ({manufacturer}; Android {version}; {model})` |
| `x-app-version` | `2.1.44.348` |
```bash
curl --request GET \
--url 'https://www.bankofmaldives.com.mv/internetbanking/api/mobile/walletpayments/payrequest/<base64Url>' \
--header 'Authorization: Bearer <access_token>' \
--header 'User-Agent: bml-mobile-banking/348 ({manufacturer}; Android {version}; {model})' \
--header 'x-app-version: 2.1.44.348'
```
### Response
```json
{
"success": true,
"payload": {
"trxn_hash": "<base64Url>",
"narrative1": "Merchant Name",
"narrative2": "Address Line 1",
"narrative3": "Address Line 2",
"amount": "1.03",
"currency": "MVR"
}
}
```
### Response Fields
| Field | Description |
|---|---|
| `trxn_hash` | The base64 URL — used as `requestId` in payment steps |
| `narrative1` | Merchant name |
| `narrative2` | Merchant address line 1 |
| `narrative3` | Merchant address line 2 |
| `amount` | Payment amount (`"0.00"` for static QRS) |
| `currency` | Currency code (typically `"MVR"`) |
---
## Step 2 — Pay (3-Step TOTP Flow)
All three steps POST to the same endpoint:
```
POST https://www.bankofmaldives.com.mv/internetbanking/api/mobile/walletpayments/pay
```
### Headers
| Header | Value |
|---|---|
| `Authorization` | `Bearer <access_token>` |
| `User-Agent` | `bml-mobile-banking/348 ({manufacturer}; Android {version}; {model})` |
| `x-app-version` | `2.1.44.348` |
| `Content-Type` | `application/json` |
| `Accept` | `application/json` |
### Step 2a — Initiate (no channel)
```json
{
"action": "approve",
"debitAccount": "<internalAccountId>",
"requestId": "<trxn_hash>",
"amount": 1.03,
"currency": "MVR"
}
```
Expected response: `{ "success": true, "code": 99 }` (OTP required)
> **Note:** This step may be skipped. The app proceeds directly to Step 2b if the gateway already indicates OTP is required.
### Step 2b — Request OTP Channel
```json
{
"action": "approve",
"debitAccount": "<internalAccountId>",
"requestId": "<trxn_hash>",
"amount": 1.03,
"currency": "MVR",
"channel": "token"
}
```
Expected response: `{ "success": true, "code": 22 }` (OTP generated)
### Step 2c — Confirm with TOTP
```json
{
"action": "approve",
"debitAccount": "<internalAccountId>",
"requestId": "<trxn_hash>",
"amount": 1.03,
"currency": "MVR",
"channel": "token",
"otp": "<TOTP>"
}
```
Expected response:
```json
{
"success": true,
"code": 0,
"payload": {
"merchant": "Merchant Name",
"amount": "1.03",
"currency": "MVR"
}
}
```
On failure:
```json
{
"success": false,
"message": "Payment failed"
}
```
---
## Request Fields
| Field | Type | Description |
|---|---|---|
| `action` | `string` | Always `"approve"` |
| `debitAccount` | `string` | Internal account UUID (not the display account number) — from dashboard `internalId` field |
| `requestId` | `string` | The `trxn_hash` from the payrequest lookup |
| `amount` | `number` | Payment amount as a number (e.g. `1.03`) |
| `currency` | `string` | Currency code (e.g. `"MVR"`) |
| `channel` | `string` | `"token"` — present in steps 2b and 2c only |
| `otp` | `string` | TOTP code — present in step 2c only |
> The `debitAccount` field takes the internal UUID from the dashboard response, **not** the displayed account number. See [Dashboard](04-dashboard.md) for the account object structure.
---
## OTP
The OTP is a standard TOTP (RFC 6238, SHA-1, 30-second window, 6 digits) derived from the stored BML authenticator seed — the same seed used for login 2FA.
---
## Prerequisites
- Valid `access_token` from [OAuth Token Exchange](03-oauth-token.md)
- TOTP seed enrolled via BML app
- Account `internalId` from [Dashboard](04-dashboard.md)
---
&nbsp;
---
[← Tap-to-Pay](12-tap-to-pay.md)
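Review bot: In Step 1, `{base64Url}` is described as standard base64 with padding placed in the URL path, but standard base64 output can contain `/`, `+` and `=`; the doc should state that the segment is percent-encoded or that a URL-safe alphabet is used, otherwise a `/` in the value splits the path. The "Plain URL QR" section also reads as if the QR itself carries `<base64-encoded-url>` after `/app/`, which conflicts with Step 1 where the client does the encoding; say which is meant. In Step 2 the `amount` is sent as a JSON number (`1.03`) while the lookup returns a string (`"1.03"`); document how the client converts it without float rounding, and whether the server rejects an amount that differs from the payrequest for `QRR` codes.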
+2
View File
@@ -188,6 +188,8 @@ The access token expires after `expires_in` seconds (typically 3600). On a `401`
| 9 | [Contacts](09-contacts.md) | Saved beneficiaries — list, save, delete |
| 10 | [Account Validation](10-validate.md) | Validate BML accounts, aliases, and MIB accounts |
| 11 | [Foreign Limits](11-foreign-limits.md) | USD foreign transaction limits by card and channel |
| 12 | [Tap-to-Pay](12-tap-to-pay.md) | NFC HCE contactless payment — token fetch and EMV APDU exchange |
| 13 | [QR Payment](13-qr-payment.md) | PayMV QR payment — QR formats, payrequest lookup, 3-step pay flow |
---
+24 -14
View File
@@ -32,19 +32,23 @@ curl --request GET \
## Responses
All responses wrap the result in a top-level `data` object.
### Success — Prepaid
```json
{
"custType": "PRE",
"msisdn": "9609654321"
"data": {
"custType": "PRE",
"msisdn": "9609654321"
}
}
```
| Field | Type | Description |
|---|---|---|
| `custType` | `string` | `"PRE"` = prepaid customer |
| `msisdn` | `string` | The MSISDN that was queried |
| `data.custType` | `string` | `"PRE"` = prepaid customer |
| `data.msisdn` | `string` | The MSISDN that was queried |
→ Offer **Raastas** top-up only.
@@ -54,8 +58,10 @@ curl --request GET \
```json
{
"custType": "POST",
"msisdn": "9609123456"
"data": {
"custType": "POST",
"msisdn": "9609123456"
}
}
```
@@ -67,8 +73,10 @@ curl --request GET \
```json
{
"custType": "HYBRID",
"msisdn": "9609789012"
"data": {
"custType": "HYBRID",
"msisdn": "9609789012"
}
}
```
@@ -80,18 +88,20 @@ curl --request GET \
```json
{
"custType": null,
"errorMessage": "Data Not Found",
"msisdn": "9609000000"
"data": {
"custType": null,
"errorMessage": "Data Not Found",
"msisdn": "9609000000"
}
}
```
| Field | Type | Description |
|---|---|---|
| `custType` | `null` | Number is not an Ooredoo subscriber |
| `errorMessage` | `string` | `"Data Not Found"` |
| `data.custType` | `null` | Number is not an Ooredoo subscriber |
| `data.errorMessage` | `string` | `"Data Not Found"` |
Treat `custType: null` as unsupported — fall back to Dhiraagu lookup.
Treat `custType: null` or absent as unsupported — fall back to Dhiraagu lookup.
---
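Review bot: The fallback sentence at the end of this hunk still refers to `custType` while the tables now use `data.custType`; use the full path, and state the handling when the `data` object itself is missing, since "absent" could mean either case. The not-found table also omits `data.msisdn`, which the JSON above it includes.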
+143
View File
@@ -0,0 +1,143 @@
# App Overview
Architecture overview of the app's entry point, main container, navigation system, and global session lifecycle.
---
## Entry Point — `MainActivity`
`MainActivity` is a transparent trampoline activity. On `onCreate` it reads app state and immediately forwards to the correct destination with no visible UI of its own:
| Condition | Destination |
|---|---|
| Onboarding not done | `OnboardingActivity` |
| No saved credentials | `LoginActivity` |
| Security lock configured | `LockActivity` |
| All checks pass | `HomeActivity` |
### Intent Actions
External intents (from NFC, shortcuts, or notifications) are passed through to `HomeActivity` via the same forwarding intent:
| Action | Effect |
|---|---|
| `OPEN_TRANSFER` | Opens transfer screen |
| `OPEN_SCAN_QR` | Opens QR scanner |
| `OPEN_PAY_WITH_CARD` | Opens BML card QR payment |
| `TAP_TO_PAY` | Opens BML tap-to-pay NFC flow |
`BmlTapToPayActivity` is a dedicated NFC entry point registered in the manifest. It immediately re-fires a `TAP_TO_PAY` intent to `MainActivity` and finishes.
---
## Main Container — `HomeActivity`
`HomeActivity` is the persistent shell containing all in-app screens. It owns:
- The `NavHostFragment` and `NavController`
- The `DrawerLayout` and `NavigationView`
- The `BottomNavigationView`
- The toolbar (lock icon + hide-amounts eye icon)
- The connectivity banner
- The autolock timer
- The MIB session keepAlive scheduler
### Toolbar
| Icon | Behavior |
|---|---|
| Lock icon | Immediately locks the app → `LockActivity` (animated with scale + alpha) |
| Eye icon | Toggles `hideAmounts` in `HomeViewModel`; all balance displays redact to `••••` |
### Auto-refresh
On launch and after unlock `HomeActivity.autoRefresh()` fires parallel login refresh calls for all banks with active sessions. Each bank runs independently — a failure in one bank does not block the others.
### Connectivity Banner
A persistent banner appears at the top of `HomeActivity` when network connectivity is lost. It disappears automatically when connectivity is restored. Per-bank connectivity errors (e.g., session expired) are surfaced via `HomeViewModel.connectivityErrors`.
---
## Navigation Modes
The user can choose between two navigation modes in Settings → Appearance:
### Drawer (default)
A slide-out navigation drawer containing up to 10 configurable nav items. The hamburger icon in the toolbar opens it.
### Bottom Navigation
A bottom bar with 3 configurable slots plus a fixed **Dashboard** tab (always leftmost) and a **More** tab (always rightmost). Tapping **More** opens `NavMoreSheetFragment` — a bottom sheet listing all items not assigned to the 3 visible slots.
---
## Navigation Slots
10 possible navigation destinations can be assigned to slots. The user reorders them via drag-and-drop in Settings → Appearance.
| Destination | Default slot |
|---|---|
| Accounts | 1 |
| Transfer | 2 |
| Activities | 3 |
| Contacts | 4 |
| Financing | 5 |
| OTP | 6 |
| PayMV QR | 7 |
| BML QR Pay | 8 |
| Transfer History | 9 |
| Settings | 10 |
Two **Quick Action** slots appear as FAB-style buttons on the dashboard and are independently configurable.
---
## Autolock
Autolock fires after a configurable period of user inactivity. Any touch event resets the timer.
| Timeout option |
|---|
| 30 seconds |
| 1 minute |
| 3 minutes |
| 5 minutes |
| Never |
When the timeout expires a 10-second countdown warning dialog appears. If dismissed, the timer resets. If ignored, the app calls `LockActivity` and clears `app.isUnlocked`.
---
## Global State — `BasedBankApp`
`BasedBankApp` holds all in-memory session data. Nothing is stored to disk except encrypted credentials.
| Field | Description |
|---|---|
| `isUnlocked` | Set to `true` after successful lock-screen auth; guards against process-restart bypass |
| `mibSessions` | Map of MIB profile ID → active session (cookies + DH key) |
| `bmlSessions` | Map of BML profile ID → OAuth token pair |
| `fahipaySessions` | Map of Fahipay login ID → authID + session cookie |
| `mibLoginFlows` | Active `MibLoginFlow` instances per profile |
| `bmlLoginFlows` | Active `BmlLoginFlow` instances per profile |
| `mibMutex` | Coroutine mutex — serializes all MIB API calls to prevent session corruption |
### Profile Visibility
Each stored profile has a visibility flag. Hidden profiles are excluded from the accounts list and from all API refresh cycles until re-enabled in Settings → Logins.
---
## MIB Session KeepAlive
MIB web sessions expire after approximately 30 seconds of inactivity. `HomeActivity` schedules a coroutine that calls the MIB keepAlive endpoint every 25 seconds for each active MIB session while the app is in the foreground.
---
&nbsp;
---
[← README](README.md) &nbsp;&nbsp;&nbsp; **Next →** [Onboarding](01-onboarding.md)
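Review bot: The Intent Actions section says external intents are passed through to `HomeActivity`, but the routing table above it sends a locked app to `LockActivity` first; state explicitly that `OPEN_TRANSFER`, `TAP_TO_PAY` and the other actions are held until unlock succeeds and dropped if it does not, and which activities are exported to receive them. In Global State, "Nothing is stored to disk except encrypted credentials" conflicts with the lock-screen page in this commit, which keeps the attempt counter and lockout timestamp in plain `SharedPreferences`; narrow the sentence to session data.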
+83
View File
@@ -0,0 +1,83 @@
# Onboarding
Shown once on first launch. Walks the user through language selection, security setup, and appearance configuration before creating any credentials.
---
## Activity — `OnboardingActivity`
`OnboardingActivity` hosts three sequential fragments managed by a `ViewPager2` with manual paging (swipe disabled). Progress dots are shown below the pager.
Each fragment has a **Continue** button that is only enabled after the user satisfies a completion requirement. Scrolling to the bottom of a slide is required before Continue activates on content slides.
---
## Slide 1 — Language & Welcome (`OnboardingFragment`)
- Displays a welcome illustration and app name
- Language selector chip group (English / Dhivehi)
- Selecting a language immediately updates the app locale
- Continue button becomes active once a language is selected (or immediately if system locale is already supported)
---
## Slide 2 — Security Setup (`SecuritySetupFragment`)
The user chooses a lock method to protect the app.
### Lock Methods
| Method | Description |
|---|---|
| PIN | 48 digit numeric PIN |
| Pattern | Grid pattern draw (minimum 4 nodes) |
### PIN Entry
- Two `EditText` fields: PIN + confirm PIN
- Continue activates only when both fields match and length ≥ 4
### Pattern Entry
- Custom `PatternView` widget
- Draws connecting lines between touched grid nodes in real time
- Two-phase: draw → confirm (must match first drawing)
- Continue activates after a valid matching pattern is confirmed
### Key Derivation
The chosen PIN or pattern string is hardened with **PBKDF2-HMAC-SHA256** (100 000 iterations, random 16-byte salt) before storage. The derived key is stored in encrypted `SharedPreferences` via `CredentialStore`.
### Biometric Option
After setting a PIN or pattern an optional **Enable Biometrics** toggle appears. If enabled, biometric authentication (fingerprint / face — `BIOMETRIC_WEAK`) can be used as an alternative to the PIN/pattern at the lock screen and optionally for transfer confirmation.
---
## Slide 3 — Configure (`OnboardingConfigureFragment`)
Appearance and navigation preferences, set before first login.
### Options
| Setting | Choices |
|---|---|
| Navigation mode | Drawer / Bottom Navigation |
| Theme | System default / Light / Dark |
| Accent colour | Chip selector (several Material colours) |
All preferences are written to `CredentialStore` / `SharedPreferences` immediately on selection so that `HomeActivity` inherits them on first launch.
---
## Completion
When the user taps Continue on slide 3, `OnboardingActivity` sets the `onboardingDone` flag and finishes. `MainActivity` then routes to `LoginActivity` (no credentials yet) on the next launch or immediately via `startActivity`.
---
&nbsp;
---
[← App Overview](00-app-overview.md) &nbsp;&nbsp;&nbsp; **Next →** [Lock Screen](02-lock-screen.md)
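Review bot: The Key Derivation section should say what the PBKDF2 output is expected to resist: a 4-digit PIN has only 10,000 candidates, so 100 000 iterations does not make the stored value safe against offline guessing, and the real protection is the encrypted `SharedPreferences` it sits in. State that dependency, and whether a 4-node pattern is treated the same way. Under Biometric Option, `BIOMETRIC_WEAK` is offered for transfer confirmation as well as unlock; document why Class 2 biometrics are acceptable for authorizing a payment, or require `BIOMETRIC_STRONG` for that path.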
+82
View File
@@ -0,0 +1,82 @@
# Lock Screen
`LockActivity` is shown whenever the app is locked — on cold start (when credentials exist), after the autolock timer fires, or when the user taps the lock icon in the toolbar.
---
## Authentication Methods
The app attempts authentication in priority order:
1. **Biometrics** — if enrolled and enabled, `BiometricPrompt` is presented automatically on open
2. **PIN** — numeric keypad
3. **Pattern**`PatternView` grid
The user can switch between biometric and PIN/pattern manually.
---
## Biometric Authentication
Uses Android `BiometricPrompt` with `BIOMETRIC_WEAK` (fingerprint or face depending on device). A successful biometric result sets `app.isUnlocked = true` and calls `MainActivity` to route to `HomeActivity`.
On biometric failure or cancellation the screen falls back to PIN/pattern entry.
---
## PIN Entry
- A custom on-screen numeric keypad (09 + backspace + confirm)
- The entered digits are shown as filled/unfilled circles (no digit echo)
- Confirm fires verification immediately when the correct number of digits is entered
---
## Pattern Entry
- The same `PatternView` widget used in onboarding, in verify-only mode
- The drawn pattern is hashed and compared against the stored derived key
---
## Verification
The entered PIN or pattern is run through **PBKDF2-HMAC-SHA256** with the stored salt and compared to the stored hash. On match:
1. `app.isUnlocked = true`
2. `LockActivity` finishes
3. `MainActivity` routes to `HomeActivity`
On mismatch the attempt counter increments and an error shake animation plays.
---
## Brute-Force Protection
| Threshold | Behaviour |
|---|---|
| 14 wrong attempts | Error label shown, counter visible |
| 5 wrong attempts | 30-second lockout; keypad/pattern disabled |
| After lockout | Counter resets; user may try again |
The attempt counter and lockout timestamp are stored in **plain** `SharedPreferences` (not encrypted) — a known limitation documented in the security audit. The app does not wipe credentials after repeated failures.
---
## `app.isUnlocked` Guard
`app.isUnlocked` is an in-memory flag that is `false` on every process start. Even if an attacker bypasses `LockActivity` via `adb`, `HomeActivity` checks this flag and re-fires `LockActivity` on resume if it is `false`. This prevents cold-start bypass.
---
## Screenshot Protection
`FLAG_SECURE` is set on `LockActivity`'s window, preventing screenshots and screen recording. This is always on for the lock screen regardless of the user's global screenshots setting.
---
&nbsp;
---
[← Onboarding](01-onboarding.md) &nbsp;&nbsp;&nbsp; **Next →** [Login](03-login.md)
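Review bot: The Brute-Force Protection table describes a fixed 30-second lockout after 5 attempts followed by a counter reset, which allows 5 guesses per 30 seconds indefinitely: all 10,000 four-digit PINs fit in 2,000 lockouts, roughly 17 hours of waiting. Document an escalating delay or a cap that forces a bank re-login, and move the counter and lockout timestamp out of plain `SharedPreferences`, since the same section notes they are unencrypted and therefore resettable by anything that can write that file. Under PIN Entry, "fires verification immediately when the correct number of digits is entered" reveals the PIN length to whoever holds the device; verifying only on confirm avoids that.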
+96
View File
@@ -0,0 +1,96 @@
# Login
`LoginActivity` handles adding bank accounts. It is shown on first launch (after onboarding) and also opened from Settings → Logins → Add Account.
---
## Fragment Flow
```
LoginActivity
└─ BankSelectionFragment ← pick a bank
└─ CredentialsFragment ← enter credentials for that bank
```
---
## Bank Selection — `BankSelectionFragment`
A scrollable list of supported banks presented as selectable cards:
| Bank | Notes |
|---|---|
| MIB (Maldives Islamic Bank) | Username + password |
| BML (Bank of Maldives) | Username + password |
| Fahipay | Mobile number + password |
Tapping a card navigates to `CredentialsFragment` with the selected bank pre-set.
---
## Credentials — `CredentialsFragment`
### MIB Login
Fields:
- Username
- Password
Flow on submit:
1. `MibLoginFlow.login()` — performs Diffie-Hellman key exchange, then authenticates with Blowfish/ECB-encrypted credentials
2. On success, fetches `operatingProfiles` — the list of CIF profiles (Individual, Sole Propr, etc.)
3. Each profile is stored as a `MibAccount` with `bank = "MIB"` and `cifType` from the API
4. Sessions are stored in `BasedBankApp.mibSessions`
### BML Login
Fields:
- Username (customer ID)
- Password
Flow on submit:
1. `BmlLoginFlow.login()` — OAuth password grant → access token + refresh token
2. Fetches dashboard → list of CASA accounts + cards
3. Each account/card stored as `MibAccount` with `bank = "BML"`
4. Tokens stored in `BasedBankApp.bmlSessions`
### Fahipay Login
Fields:
- Mobile number (7-digit local, auto-prefixed with +960)
- Password
Flow on submit:
1. `FahipayLoginFlow.login()` — authenticates against Fahipay API
2. On success, stores `authID` + `__Secure-sess` cookie
3. Single wallet account stored with `bank = "FAHIPAY"`
---
## Multi-Profile Support
Each MIB login can have multiple CIF profiles (e.g., an individual and a business account under the same username). Each profile appears as a separate entry in the accounts list and can be toggled independently in Settings → Logins.
BML and Fahipay each yield a single profile per login.
Adding the same bank login a second time merges its profiles into the existing login rather than creating a duplicate.
---
## Credential Storage
All credentials (username, password, tokens, session cookies) are encrypted via `CredentialStore`, which uses Android `EncryptedSharedPreferences` backed by a hardware-keystore key where available.
---
## After Login
`CredentialsFragment` calls `app.autoRefresh()` after a successful login, then navigates back to `LoginActivity`'s result which routes to `HomeActivity` (or back to Settings if called from there).
---
&nbsp;
---
[← Lock Screen](02-lock-screen.md) &nbsp;&nbsp;&nbsp; **Next →** [Accounts](04-accounts.md)
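Review bot: The Credential Storage section lists the password among the persisted items, but BML Login step 1 already yields a refresh token, so the page should say why the BML password still needs to be kept once a refresh token exists. The phrase "backed by a hardware-keystore key where available" also leaves the fallback undocumented; state what protects `CredentialStore` on devices without a hardware-backed key. In MIB Login step 1, "Blowfish/ECB-encrypted credentials" should say whether that is the bank API's wire format or a choice made in the app, because as written it reads like a design decision.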
+68
@@ -0,0 +1,68 @@
# Accounts
The accounts screen is typically the default home destination. It shows all active bank accounts and cards grouped by bank and profile.
---
## Fragment — `AccountsFragment`
Hosts a `RecyclerView` driven by `AccountsAdapter`. Observes `HomeViewModel.accounts` (a `LiveData<List<MibAccount>>`). The list is filtered to only include accounts whose profile visibility flag is enabled.
A **pull-to-refresh** gesture triggers `HomeActivity.autoRefresh()`, which re-fetches all bank dashboards in parallel.
---
## List Structure — `AccountsAdapter`
The adapter renders a mixed list of section headers and account rows.
### Section Headers
Accounts are grouped by bank + CIF type (for MIB) or bank name (for BML/Fahipay). Each group starts with a header row showing:
- Bank name and logo
- For MIB: `cifType` (e.g., `"Individual"`, `"Sole Propr"`) — never hardcoded, always from API
- Profile image (circular avatar, if set)
### Account / Card Rows
Each row is bound from an `AccountListDisplay` object produced by `AccountListParser.from(account)`. See [Account Parser Architecture](PARSERS.md) for mapping details.
| Field | Row element |
|---|---|
| `name` | Account or card name |
| `number` | Masked account/card number |
| `typeLabel` | Product type chip (e.g., `"Savings"`, `"Visa Platinum"`) |
| `balance` | Balance string (hidden as `••••` when hide-amounts is active) |
| `isCard` | Switches between account layout and card layout |
| `cardBrandIcon` | Visa / Mastercard / Amex logo drawable |
| `statusLabel` | Shown as an amber chip if non-null (e.g., `"Inactive"`) |
### Quick-Transfer Shortcut
Each account row has a **Send** button. Tapping it opens `TransferFragment` with the source account pre-selected.
---
## Account Tap — History
Tapping any account row navigates to `AccountHistoryFragment` for that account.
---
## Hide Amounts
When the toolbar eye icon is toggled (or `HomeViewModel.hideAmounts` is `true`), all balance strings in the adapter are replaced with `"••••"` without re-fetching data.
---
## Empty State
If no accounts are loaded (either no credentials or all profiles hidden), the screen shows an empty-state illustration with a prompt to add an account.
---
&nbsp;
---
[← Login](03-login.md) &nbsp;&nbsp;&nbsp; **Next →** [Account History](05-account-history.md)
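Review bot: The parser link in Account / Card Rows targets `PARSERS.md`, while the footer of the PayMV QR Format page in this same commit links the same page as `19-parsers.md`; one of the two targets is wrong. Pull-to-refresh is documented here as `HomeActivity.autoRefresh()` but the login page calls `app.autoRefresh()`, so name the owner consistently. For the `number` field, state the masking rule (which digits stay visible) so the row spec can be tested.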
+72
@@ -0,0 +1,72 @@
# Account History
Displays the transaction history for a single account. Opened by tapping an account row in the accounts list.
---
## Fragment — `AccountHistoryFragment`
Receives the selected `MibAccount` via navigation arguments.
---
## Data Loading
On open, the fragment calls the appropriate bank API to fetch the first page of transactions:
| Bank | API |
|---|---|
| MIB | MIB transaction history endpoint (Blowfish-encrypted) |
| BML | BML transaction history endpoint (OAuth Bearer) |
| Fahipay | Fahipay wallet transaction list |
Results are mapped to a common display model and shown in a `RecyclerView`.
---
## Infinite Scroll
The list supports **infinite scroll** (pagination). When the user scrolls near the bottom of the loaded items, the next page is automatically fetched and appended. A loading spinner appears at the bottom while a page is in flight.
Page state (current page, total pages) is tracked in the fragment's `ViewModel`. If the last page has been reached the spinner is hidden and no further requests are made.
---
## Search / Filter
A search bar at the top of the screen filters the loaded transaction list by:
- Description / narrative text
- Amount string
Filtering is performed locally on already-loaded pages — it does not trigger a new API call. Clearing the search bar restores the full list.
---
## Transaction Rows
Each row shows:
- Transaction date and time
- Description / merchant name
- Debit or credit indicator
- Amount (hidden as `••••` when hide-amounts is active)
- Running balance (where available from the bank API)
---
## Image Loading
Some MIB transaction entries include merchant logo URLs. These are loaded asynchronously into the row's image view with a generic fallback icon. Images are cached in memory for the session.
---
## Empty State
If no transactions exist (new account or API returned empty list) an empty-state message is shown.
---
&nbsp;
---
[← Accounts](04-accounts.md) &nbsp;&nbsp;&nbsp; **Next →** [Transfer History](06-transfer-history.md)
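Review bot: Image Loading takes merchant logo URLs straight from MIB transaction entries, and the section does not say what the app is willing to fetch. A URL inside an API response is untrusted input, so document the constraints: HTTPS only, which hosts are accepted, and whether bank session headers or cookies are kept off these image requests.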
+55
@@ -0,0 +1,55 @@
# Transfer History
Shows a merged, chronologically sorted list of outgoing transfers across all connected bank accounts.
---
## Fragment — `TransferHistoryFragment`
Observes `HomeViewModel` for loaded account data and triggers parallel history fetches.
---
## Data Loading
On open, the fragment launches parallel coroutines — one per active bank session — to fetch transfer/payment history from each bank's API. Results arrive independently and are merged into a single sorted list as each bank completes.
| Bank | Source |
|---|---|
| MIB | MIB transfer history endpoint |
| BML | BML payment history endpoint |
| Fahipay | Fahipay payment history |
A per-bank loading indicator is shown while that bank's data is in flight. If one bank fails (session expired, network error) its section shows an error row rather than crashing the whole list.
---
## List Display
The merged list is sorted by date descending (newest first). Each row shows:
- Bank logo / icon
- Recipient name or account number
- Date and time
- Amount (hidden as `••••` when hide-amounts is active)
- Transfer status (where available)
---
## Pull-to-Refresh
A pull-to-refresh gesture re-fires all parallel fetches and rebuilds the merged list.
---
## Empty State
If no transfers are found across any bank, an empty-state illustration is shown.
---
&nbsp;
---
[← Account History](05-account-history.md) &nbsp;&nbsp;&nbsp; **Next →** [Transfer](07-transfer.md)
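Review bot: In Data Loading, a bank whose session has expired gets "an error row", while 07-transfer.md says session expiry "triggers a re-authentication prompt". Say which behaviour applies on this screen and whether the error row offers re-login. It would also help to state that the merged list is incomplete while any bank shows an error row, so a missing transfer is not read as one that never happened.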
+106
@@ -0,0 +1,106 @@
# Transfer
The transfer screen initiates account-to-account fund transfers. It supports MIB, BML, and Fahipay as source banks and handles all bank-specific authentication and OTP steps.
---
## Fragment — `TransferFragment`
Opened via:
- Navigation menu
- Quick-transfer button on an account row (source pre-selected)
- `OPEN_TRANSFER` intent action
- QR scan result (recipient and optional amount pre-filled)
---
## Source Account Selection
A dropdown lists all visible accounts parsed via `AccountListParser.from(acc)?.balance`. The selected source account determines which bank's transfer flow is used.
---
## Recipient Entry
The user can specify a recipient in three ways:
1. **Manual entry** — type an account number directly
2. **Contact picker** — opens `ContactPickerSheetFragment` to select a saved contact
3. **QR scan** — opens the camera scanner; a PayMV QR result pre-fills the account number, amount, and remarks
---
## Fields
| Field | Notes |
|---|---|
| Source account | Dropdown; balance shown below |
| Recipient account number | Text input or filled from contact/QR |
| Recipient name | Auto-looked up from bank API after account number entry |
| Amount | Numeric; pre-filled from QR if available |
| Remarks / purpose | Free text; pre-filled from QR if available |
---
## Recipient Lookup
After the user finishes entering a recipient account number, the app calls the source bank's name-lookup API:
- **MIB**: account name lookup via MIB API
- **BML**: beneficiary lookup via BML API
- **Fahipay**: account name resolution via Fahipay API
The resolved name is displayed below the account number field for the user to confirm.
---
## Biometric Gate
If biometric-for-transfers is enabled in Settings → Security, `BiometricPrompt` is shown before the transfer is submitted. A failed or cancelled biometric blocks submission.
---
## Bank-Specific Flows
### MIB Transfer
1. Validates fields
2. (If biometric gate) prompts biometrics
3. Submits transfer via `MibLoginFlow` using active MIB session (serialized through `mibMutex`)
4. On success, shows `TransferReceiptFragment`
### BML Transfer
1. Validates fields
2. (If biometric gate) prompts biometrics
3. Initiates BML transfer — server responds with OTP required
4. Navigates to `OtpFragment` to collect the TOTP
5. Re-submits with OTP
6. On success, shows `TransferReceiptFragment`
### Fahipay Transfer
1. Validates fields
2. (If biometric gate) prompts biometrics
3. Submits via Fahipay API using stored `authID` + session cookie
4. On success, shows `TransferReceiptFragment`
---
## Transfer Receipt
On success the fragment navigates to `TransferReceiptFragment` passing the completed transfer details.
---
## Error Handling
All bank API errors are shown as a `Snackbar` or inline error message. Session expiry triggers a re-authentication prompt rather than a crash.
---
&nbsp;
---
[← Transfer History](06-transfer-history.md) &nbsp;&nbsp;&nbsp; **Next →** [Contacts](08-contacts.md)
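Review bot: The `OPEN_TRANSFER` intent action and the QR scan entry under "Opened via" both pre-fill recipient, amount and remarks from outside the app, but nothing on this page says how that input is treated. Document whether the component handling `OPEN_TRANSFER` is exported, which extras it accepts, and that pre-filled values are validated and still need explicit user confirmation, with the looked-up recipient name shown, before submission. Separately, BML Transfer step 4 navigates to `OtpFragment` "to collect the TOTP", while 10-otp-screen.md describes that fragment as display-only and refers to `TransferFragment`'s OTP dialog; the two pages should agree.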
+80
@@ -0,0 +1,80 @@
# Contacts
The contacts screen stores and manages frequently used transfer recipients. Contacts are local to the app and never synced externally.
---
## Fragment — `ContactsFragment`
Displays the full contact list as a `RecyclerView`. Observes `HomeViewModel.contacts` and `HomeViewModel.contactCategories`.
---
## Contact List
Each contact row shows:
- Circular avatar (profile image if set, otherwise initials placeholder)
- Display name
- Account number(s)
- Category chip (if assigned)
Tapping a contact row opens `AddContactSheetFragment` in edit mode.
Tapping the **Transfer** button on a contact row opens `TransferFragment` with the recipient pre-filled.
---
## Categories
Contacts can be assigned to user-defined categories (e.g., "Family", "Business"). Categories appear as filter chips at the top of the list. Tapping a chip filters the list to that category. Tapping again clears the filter.
---
## Add Contact — `AddContactSheetFragment`
A bottom sheet for creating or editing a contact.
### Fields
| Field | Notes |
|---|---|
| Name | Display name |
| Account number | Primary transfer account number |
| Bank | Optional — for display only |
| Category | Optional; selectable from existing categories or create new |
| Profile image | Optional; select from gallery or camera |
### Profile Image
The pencil icon next to the avatar opens a chooser:
- **Gallery** — pick from device gallery
- **Camera** — capture a new photo (temp file in `cacheDir`)
The image is stored locally in `filesDir/profile_images/` via `ProfileImageStore` with key `"contact_{id}"`.
### Save
On save, the contact is persisted to the local database and `HomeViewModel.contacts` is refreshed.
### Delete
A delete button (with confirmation dialog) removes the contact and its profile image.
---
## Contact Picker — `ContactPickerSheetFragment`
A compact bottom sheet version of the contact list, used by `TransferFragment` when the user taps **Choose Contact**.
- Shows all contacts with avatar and name
- Search bar filters by name or account number
- Tapping a contact returns the selection to `TransferFragment` and dismisses the sheet
- Profile images use a `"local:{key}"` synthetic hash prefix to identify locally stored images
---
&nbsp;
---
[← Transfer](07-transfer.md) &nbsp;&nbsp;&nbsp; **Next →** [Activities](09-activities.md)
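Review bot: Under Profile Image, the camera option writes a "temp file in `cacheDir`", and 17-settings-storage.md says that file is only overwritten on the next capture, so the last photo taken stays on disk. Document that it is deleted once the image has been copied into `ProfileImageStore`, or explain why it is kept. The opening claim that contacts are "never synced externally" should also say whether the contact database and `filesDir/profile_images/` are excluded from device backup.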
+65
@@ -0,0 +1,65 @@
# Activities
The activities screen shows a local log of completed transfers initiated within the app, along with receipt viewing and sharing.
---
## Fragment — `ActivitiesFragment`
Displays a chronological `RecyclerView` of locally stored transfer records. These records are written by the app at transfer completion time — they are not fetched from bank APIs.
---
## Activity List
Each row shows:
- Bank logo
- Recipient name and account number
- Transfer amount (hidden as `••••` when hide-amounts is active)
- Date and time
- Status badge (Completed / Failed)
Tapping a row opens `TransferReceiptFragment` for that record.
---
## Transfer Receipt — `TransferReceiptFragment`
A full-screen receipt view shown immediately after a successful transfer and accessible later from the activities list.
### Receipt Fields
| Field | Notes |
|---|---|
| Bank | Source bank logo and name |
| From account | Sender account number |
| To account | Recipient account number |
| Recipient name | As resolved at transfer time |
| Amount | Formatted with currency |
| Remarks | Transfer purpose text |
| Reference number | Bank-issued transaction reference |
| Date and time | Transfer timestamp |
| Status | Completed / Failed |
### Actions
- **Share** — generates a text or image summary of the receipt and opens the system share sheet
- **Save to Gallery** — renders the receipt as a bitmap and saves it to the device's Pictures folder (requires `WRITE_EXTERNAL_STORAGE` on API < 29, or `MediaStore` on API 29+)
### Screenshot Note
If `FLAG_SECURE` is active (user has enabled the screenshots restriction), the Save to Gallery action uses an off-screen rendering path that bypasses the restriction for the explicit save action only.
---
## Empty State
If no local transfer records exist, an empty-state illustration is shown with a prompt to make a transfer.
---
&nbsp;
---
[← Contacts](08-contacts.md) &nbsp;&nbsp;&nbsp; **Next →** [OTP Screen](10-otp-screen.md)
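Review bot: The Screenshot Note says the off-screen rendering path bypasses `FLAG_SECURE` "for the explicit save action only", but the Share action above also generates an image summary, so the page should say whether Share takes the same path when the restriction is on. Save to Gallery writes a receipt containing account numbers, recipient name and reference number to the shared Pictures folder; state that the file then lives outside the app's control and whether Clear Transfer History removes it.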
+62
@@ -0,0 +1,62 @@
# OTP Screen
Displays the current TOTP (Time-based One-Time Password) code for each enrolled bank authenticator. Used when confirming transfers, QR payments, or other 2FA-protected operations.
---
## Fragment — `OtpFragment`
Hosts one card per enrolled bank authenticator. Banks with no stored TOTP seed are not shown.
---
## TOTP Display
Each card shows:
- Bank logo and name
- The current 6-digit TOTP code (large text)
- A circular countdown ring showing time remaining in the current 30-second window
- The code refreshes automatically when the window expires — no user interaction needed
### Algorithm
Standard RFC 6238 TOTP:
- Hash: SHA-1
- Window: 30 seconds
- Digits: 6
- Seed: stored per-bank in `CredentialStore` (encrypted)
---
## Supported Banks
| Bank | Seed source |
|---|---|
| BML | Enrolled via BML app setup; seed stored in `CredentialStore` |
| MIB | MIB business/corporate OTP seed (if applicable) |
---
## Background Name Refresh
When the screen opens, the fragment may fire a background API call to refresh the account holder name associated with each seed. This is a best-effort call — failure does not affect OTP display.
---
## Usage
The OTP screen is informational — the user copies the displayed code manually and enters it wherever required (e.g., in `TransferFragment`'s OTP dialog, or in an external portal). The code is never submitted automatically from this screen.
---
## Security
The TOTP seeds are stored encrypted in `CredentialStore`. They are never logged or included in error reports.
---
&nbsp;
---
[← Activities](09-activities.md) &nbsp;&nbsp;&nbsp; **Next →** [PayMV QR Screen](11-paymv-qr-screen.md)
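Review bot: The Security section only covers encryption at rest, yet per 03-login.md the bank password sits in the same `CredentialStore` as the TOTP seed, so both factors for a BML transfer live in one app on one device. State that trade-off and what gates this screen (app lock, biometric, `FLAG_SECURE`). In Usage, "copies the displayed code manually" is ambiguous: if a clipboard copy is offered, say how the clipboard entry is handled; if the user retypes the code, say so. Background Name Refresh "may fire" a call without saying when, or which endpoint and session it uses.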
+66
@@ -0,0 +1,66 @@
# PayMV QR Screen
Handles both sides of PayMV/Favara QR payments: generating a receive-payment QR code and scanning a QR code to initiate a transfer.
---
## Fragment — `PayMvQrFragment`
Two tabs: **Receive** (generate QR) and **Send** (scan QR).
---
## Receive Tab — Generate QR
Generates a static PayMV QR code that others can scan to pay the user.
### Fields
| Field | Notes |
|---|---|
| Source account | Dropdown of all visible accounts; determines acquirer BIC |
| Amount | Optional — leave blank for open-amount QR |
| Purpose | Optional free-text payment purpose |
| Name | Auto-filled from the selected account's holder name |
### Generation
On tap **Generate**, the fragment builds a decimal TLV payload per the [PayMV QR Format](18-paymv-qr-format.md) spec:
1. Assembles all TLV fields (format indicator, point-of-initiation, tag 26 container, MCC, currency, amount if set, country, name, tag 62 container, tag 80 container)
2. Selects the acquirer BIC from the source account's bank (`MALBMVMV` / `MADVMVMV` / `FAHIMVMV`)
3. Appends `"6304"` and computes CRC-16/CCITT-FALSE over the full string
4. Renders the complete string as a QR code bitmap using the ZXing encoder
5. Displays the QR code full-screen with the account number and name below
### Share
A **Share** button exports the QR bitmap via the system share sheet (image/png).
---
## Send Tab — Scan QR
Scans a QR code and pre-fills the transfer screen.
### Scanner
Opens the device camera with a QR viewfinder overlay. Supported QR formats:
| QR type | Handling |
|---|---|
| PayMV / Favara decimal TLV | Parse account number (tag 26→03), amount (tag 54), name (tag 59), purpose (tag 62→08); navigate to `TransferFragment` pre-filled |
| BML plain URL (`https://pay.bml.com.mv/app/...`) | Navigate to `BmlQrPayFragment` |
| BML embedded in combined QR (root tag 35 → sub 20 → sub-sub 01) | Extract URL; navigate to `BmlQrPayFragment` |
### Error Handling
If the scanned code is not a recognized format, a `Snackbar` error is shown and the scanner remains open.
---
&nbsp;
---
[← OTP Screen](10-otp-screen.md) &nbsp;&nbsp;&nbsp; **Next →** [BML QR Pay](12-bml-qr-pay.md)
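Review bot: The Scanner table lists what is parsed from a PayMV payload but not what is checked first: nothing says the CRC in tag 63 is verified or that declared TLV lengths are bounds-checked before `TransferFragment` is pre-filled. Add those checks to the table or to Error Handling, together with the exact match rule for the BML URL rows (scheme plus host `pay.bml.com.mv`, not a substring match), including for the URL extracted from root tag 35.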
+87
@@ -0,0 +1,87 @@
# BML QR Pay
Handles BML gateway QR payments — scanning a merchant QR code and completing the 3-step TOTP-authenticated payment flow.
---
## Fragment — `BmlQrPayFragment`
Opened via:
- Scanning a BML plain URL QR in `PayMvQrFragment`
- Scanning a combined Fahipay/PayMV QR that embeds a BML gateway URL
- The `OPEN_PAY_WITH_CARD` intent action
---
## Step 1 — Resolve QR
The fragment receives a BML gateway URL (e.g., `https://pay.bml.com.mv/app/<base64>`).
It calls the BML `payrequest` lookup API (see [QR Payment](../bmlapi/13-qr-payment.md)) to resolve the URL to merchant details:
- Merchant name (narrative1)
- Merchant address (narrative2, narrative3)
- Amount (`"0.00"` for static QRS, or preset amount for QRR)
- Currency
The resolved details are displayed on screen for the user to review before paying.
---
## Source Account Selection
A dropdown lists all BML accounts. The selected account's internal UUID (`internalId`) is used as `debitAccount` in the payment request.
---
## Amount Entry
- If the QR is a **static QRS** (amount `"0.00"`), the amount field is editable and required
- If the QR is a **dynamic QRR**, the amount is pre-filled and read-only
---
## Step 2 — TOTP Payment
The payment uses the standard 3-step BML TOTP flow:
### 2a — Initiate
POST to `/walletpayments/pay` with `action: "approve"`, `debitAccount`, `requestId` (the `trxn_hash`), `amount`, `currency`. Expected response: `code: 99` (OTP required).
> This step may be skipped if the gateway already indicates OTP is required.
### 2b — Request OTP Channel
Same POST with `channel: "token"` added. Expected response: `code: 22` (OTP generated and sent to the authenticator).
### 2c — Confirm with TOTP
The fragment presents an OTP input dialog. The user opens the [OTP Screen](12-otp-screen.md) or reads the TOTP from their authenticator app, then enters the 6-digit code.
Same POST with `channel: "token"` and `otp: "<code>"`. On success: `code: 0` with merchant and amount in `payload`.
---
## Success
On successful payment a confirmation card is shown:
- Merchant name
- Amount paid
- Currency
A **Done** button dismisses the fragment.
---
## Error Handling
Failed payments (`success: false`) display the `message` field from the API response. The user may retry with a fresh TOTP code.
---
&nbsp;
---
[← PayMV QR Screen](11-paymv-qr-screen.md) &nbsp;&nbsp;&nbsp; **Next →** [Financing](13-financing.md)
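Review bot: Step 1 hands the received gateway URL to the `payrequest` lookup without saying it is validated, and the fragment can also be opened through the `OPEN_PAY_WITH_CARD` intent action. Document that the URL must match `https://pay.bml.com.mv/app/` before any request is made and how intent-supplied input is restricted. In 2a, "This step may be skipped if the gateway already indicates OTP is required" needs the condition spelled out. The OTP link in 2c points to `12-otp-screen.md`, but the navigation footers in this commit name that page `10-otp-screen.md` (14-settings.md carries the same link). QRS and QRR are used without being defined.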
+62
@@ -0,0 +1,62 @@
# Financing
Aggregates financing products across banks — MIB promotional deals and BML loan details — in a single screen.
---
## Fragment — `FinancingFragment`
Observes `HomeViewModel.financing` (MIB deals) and `HomeViewModel.bmlLoanDetails`.
---
## MIB Deals Section
Displays current MIB promotional financing offers fetched from the MIB API. Each deal card shows:
- Deal name / product title
- Key terms (profit rate, tenure, minimum/maximum amount)
- A **Learn More** action that opens the deal detail in an in-app WebView or external browser
Data is loaded once on fragment creation and refreshed on pull-to-refresh.
---
## BML Loans Section
Displays the user's active BML loan/financing accounts. Each card shows:
- Loan product name
- Outstanding balance
- Next instalment amount and due date
- Loan account number
Data comes from `HomeViewModel.bmlLoanDetails`, which is fetched from the BML loans API using the active BML session.
---
## Card Limits Section (BML)
`HomeViewModel.bmlLimits` provides credit card limit information for BML card accounts. Displayed alongside the loan section:
- Card name
- Total limit
- Available limit
- Used amount
---
## Pull-to-Refresh
Refreshes both MIB deals and BML loan/limit data independently. Each section shows its own loading indicator.
---
## Empty State
If no MIB session is active or no BML financing accounts exist, the respective section shows an empty-state message with a prompt to add the corresponding bank account.
---
&nbsp;
---
[← BML QR Pay](12-bml-qr-pay.md) &nbsp;&nbsp;&nbsp; **Next →** [Settings](14-settings.md)
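Review bot: In MIB Deals Section, "Learn More" opens the deal detail "in an in-app WebView or external browser" without saying which is used when. The URL comes from the MIB API, so document the rule and, for the WebView case, the restrictions applied: HTTPS only, allowed hosts, the JavaScript setting, and that no bank session cookies are shared with it. Empty State covers a missing MIB session and the absence of BML financing accounts but not a failed fetch; say what each section shows on error.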
+71
@@ -0,0 +1,71 @@
# Settings
The settings hub and the logins management screen.
---
## Settings Hub — `SettingsFragment`
A simple preference-list screen with navigation links to sub-sections:
| Entry | Destination |
|---|---|
| Logins | `SettingsLoginsFragment` |
| Security | `SettingsSecurityFragment` |
| Appearance | `SettingsAppearanceFragment` |
| Storage | `SettingsStorageFragment` |
---
## Logins — `SettingsLoginsFragment`
Manages all connected bank accounts and profiles.
### Account List
Each connected login is shown as a card. Within each login card, individual profiles (CIF profiles for MIB, or the single account for BML/Fahipay) are listed.
Each profile entry shows:
- Profile name / CIF type
- Account number(s)
- Profile image (circular avatar)
- Visibility toggle switch
### Visibility Toggle
Toggling a profile off hides it from the accounts list and excludes it from API refresh cycles. The session is kept alive — the profile can be re-enabled without re-logging in.
### Profile Image
A pencil icon (`ic_edit`) next to each profile opens an image chooser:
- **Gallery** — pick from device photo library
- **Camera** — capture via device camera (temp file: `cacheDir/profile_photo_tmp.jpg`)
Profile images are stored locally via `ProfileImageStore`:
- BML: key `bml_{profileId}`
- Fahipay: key `fahipay_{loginId}`
- MIB: uploaded to the MIB server via profile image API (P40); retrieved via hash (P41); deleted via P42
### Add Account
A **+** (Add) button navigates to `LoginActivity``BankSelectionFragment` to add a new bank login.
### Logout
A **Logout** button on each login card shows a confirmation dialog. On confirm:
- Session tokens are revoked where supported
- Credentials are removed from `CredentialStore`
- All associated `MibAccount` objects are removed from `BasedBankApp`
- The accounts list is refreshed
### Business OTP Seed (MIB)
For MIB corporate/business profiles, an **OTP Seed** entry allows importing a TOTP seed string. The seed is stored encrypted in `CredentialStore` and used by the [OTP Screen](12-otp-screen.md).
---
&nbsp;
---
[← Financing](13-financing.md) &nbsp;&nbsp;&nbsp; **Next →** [Settings — Security](15-settings-security.md)
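Review bot: The Logout list removes credentials and `MibAccount` objects but does not mention the TOTP seed imported under Business OTP Seed, the locally stored profile images, or transfer records created with that login; say which of these survive a logout. "Revoked where supported" should name the banks whose API supports revocation. In Add Account, `LoginActivity` and `BankSelectionFragment` run together with no separator between the two code spans, so the navigation path is unreadable.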
+59
@@ -0,0 +1,59 @@
# Settings — Security
Controls the app lock method, biometric options, auto-lock timeout, and screenshot restriction.
---
## Fragment — `SettingsSecurityFragment`
---
## Change Lock Method
A **Change PIN** or **Change Pattern** button (label reflects current method) opens the security setup flow (same `SecuritySetupFragment` as onboarding) in change-mode. The user must first authenticate with the current PIN/pattern/biometric before the new one is accepted.
---
## Biometrics
A toggle to enable or disable biometric authentication (fingerprint / face — `BIOMETRIC_WEAK`).
- When enabled, `BiometricPrompt` is offered at the lock screen as an alternative to PIN/pattern
- A secondary toggle controls whether biometrics are also required for transfer confirmation
Biometric availability is checked via `BiometricManager.canAuthenticate()`. The toggle is disabled with an explanatory message if the device has no enrolled biometrics.
---
## Auto-Lock Timeout
A radio group or dropdown to set the inactivity timeout:
| Option | Timeout |
|---|---|
| 30 seconds | 30 s |
| 1 minute | 60 s |
| 3 minutes | 180 s |
| 5 minutes | 300 s |
| Never | Disabled |
The selection is stored in `SharedPreferences` and read by `HomeActivity` on each timer reset.
---
## Screenshots
A toggle for `FLAG_SECURE` on `HomeActivity`'s window.
- **On (default)**: screenshots and screen recording are blocked system-wide while the app is in the foreground
- **Off**: screenshots are allowed
The lock screen always has `FLAG_SECURE` regardless of this setting.
---
&nbsp;
---
[← Settings](14-settings.md) &nbsp;&nbsp;&nbsp; **Next →** [Settings — Appearance](16-settings-appearance.md)
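Review bot: Biometrics is documented as `BIOMETRIC_WEAK`, and the secondary toggle reuses it for transfer confirmation. Class 2 biometrics cannot be bound to a keystore key through a `CryptoObject`, so the transfer gate is a UI check only; state that, or document `BIOMETRIC_STRONG` for the transfer toggle. Change Lock Method accepts "PIN/pattern/biometric" as proof before a new PIN is set, which lets the weaker factor replace the stronger one. In Screenshots, "blocked system-wide" overstates `FLAG_SECURE`, which applies to this app's window, and the "Never" auto-lock option deserves a line on its effect. The timeout lives in plain `SharedPreferences`; note whether that is intentional.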
+86
@@ -0,0 +1,86 @@
# Settings — Appearance
Controls navigation mode, nav slot assignment, theme, accent colour, and language.
---
## Fragment — `SettingsAppearanceFragment`
---
## Navigation Mode
A toggle/radio group:
| Mode | Description |
|---|---|
| Drawer | Slide-out navigation drawer (default) |
| Bottom Navigation | Bottom bar with 3 visible slots + Dashboard + More |
Changing mode takes effect immediately; `HomeActivity` recreates its navigation structure.
---
## Navigation Slot Customisation — `NavCustomization`
A drag-and-drop list of all 10 navigation destinations. The user reorders items to assign them to slots.
### Drawer Mode
All 10 items appear in the drawer in the configured order.
### Bottom Navigation Mode
- Slots 13 appear in the bottom bar
- Slot 410 appear in the **More** bottom sheet (`NavMoreSheetFragment`)
- Dashboard is always pinned as the first tab and is not part of the 10-item pool
### Quick Action Slots
Two dedicated quick-action slots are configured separately at the bottom of the customisation screen. These map to FAB-style buttons shown on the dashboard card.
### Persistence
The ordered list is serialised to `SharedPreferences` as a comma-separated string of destination IDs.
---
## Theme
A three-way selector:
| Option | Behaviour |
|---|---|
| System default | Follows the device's dark/light mode |
| Light | Forces light theme |
| Dark | Forces dark theme |
Applied via `AppCompatDelegate.setDefaultNightMode()`.
---
## Accent Colour
A horizontal chip row with several Material colour options. The selected accent is applied to the app's `MaterialTheme` colour scheme (primary / secondary).
---
## Language
A dropdown or chip selector:
| Option |
|---|
| System default |
| English |
| Dhivehi |
Applied via `AppCompatDelegate` locale override. Takes effect immediately (activity recreate).
---
&nbsp;
---
[← Settings — Security](15-settings-security.md) &nbsp;&nbsp;&nbsp; **Next →** [Settings — Storage](17-settings-storage.md)
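Review bot: In Bottom Navigation Mode, "Slots 13" and "Slot 410" cannot be right for a pool of 10 destinations with 3 visible slots; they read as the ranges 1 to 3 and 4 to 10 with the range separator lost, and "Slot" should be plural in the second bullet. Under Persistence, say how an unknown, duplicated or missing destination ID in the stored comma-separated string is handled when it is read back.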
+59
@@ -0,0 +1,59 @@
# Settings — Storage
Manages locally cached data and profile images.
---
## Fragment — `SettingsStorageFragment`
Displays an overview of locally stored data categories with clear actions for each.
---
## Stored Data Categories
| Category | Location | Description |
|---|---|---|
| Profile images | `filesDir/profile_images/` | BML and Fahipay profile photos stored by `ProfileImageStore` |
| Contact images | `filesDir/profile_images/` | Contact avatar photos |
| Transaction image cache | In-memory / HTTP cache | Merchant logos loaded in account history |
| Camera temp file | `cacheDir/profile_photo_tmp.jpg` | Temp file from camera capture; automatically overwritten on next camera use |
| Transfer receipts | Local database | Completed transfer records shown in Activities |
---
## Clear Actions
### Clear Profile Images
Deletes all files in `filesDir/profile_images/` for BML and Fahipay profiles. MIB profile images are stored server-side and are not affected. After clearing, avatars fall back to the initials placeholder.
### Clear Contact Images
Deletes all contact profile images. Contact records are preserved.
### Clear All Caches
Clears:
- `cacheDir` contents (including camera temp file and HTTP response cache)
- In-memory image caches
Does **not** clear credentials, sessions, or transfer records.
### Clear Transfer History
Deletes all locally stored transfer receipt records from the database. This action is irreversible and requires a confirmation dialog.
---
## Storage Usage
The screen may show an approximate size for each category (calculated by summing file sizes in the respective directories).
---
&nbsp;
---
[← Settings — Appearance](16-settings-appearance.md)
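Review bot: The Stored Data Categories table puts profile images and contact images in the same `filesDir/profile_images/` directory, yet Clear Profile Images is described as deleting "all files" there "for BML and Fahipay profiles". Spell out how the two are told apart (the other pages give the keys as `bml_{profileId}`, `fahipay_{loginId}` and `contact_{id}`), otherwise the text reads as if contact avatars are deleted too. Clear All Caches lists what is not cleared; add whether receipts saved to the gallery from Activities fall outside every clear action.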
+176
@@ -0,0 +1,176 @@
# PayMV QR Format
Documents the decimal TLV QR format used by the PayMV/Favara payment network in the Maldives — both generation (to receive payment) and parsing (to initiate a transfer by scanning).
---
## Encoding
PayMV QRs use a **decimal TLV** encoding — not binary BER-TLV. Every field is represented as ASCII text:
```
<2-digit decimal tag><2-digit decimal length><value>...
```
Example — tag `59`, value `"AHMED ALI"` (9 chars):
```
5909AHMED ALI
```
Tags and lengths are always exactly 2 decimal digits. Fields are concatenated directly with no separator.
---
## Root-Level Tags
| Tag | Field | Notes |
|---|---|---|
| `00` | Format indicator | Always `"01"` |
| `01` | Point-of-initiation method | `"11"` = static QR, `"12"` = dynamic QR |
| `26` | Merchant account information | Container — see sub-tags below |
| `35` | BML/gateway merchant info | Container — present in combined EMV+BML QRs only |
| `52` | Merchant category code | `"0000"` (generic) |
| `53` | Transaction currency | `"462"` = MVR (ISO 4217 numeric) |
| `54` | Transaction amount | Decimal string (e.g. `"1.50"`); absent for open-amount QRs |
| `58` | Country code | `"MV"` |
| `59` | Merchant / recipient name | Max 25 characters |
| `62` | Additional data field | Container — see sub-tags below |
| `63` | CRC | `6304` prefix + 4-char hex checksum — always last |
| `80` | Supplementary data | Container — timestamp and domain |
---
## Merchant Account Info — Tag `26` Sub-Tags
| Sub-Tag | Field | Example value |
|---|---|---|
| `00` | Domain | `"mv.favara.mpqr"` |
| `01` | Acquirer BIC | `"MALBMVMV"` (see table below) |
| `02` | Acquirer BIC (repeated) | Same as `01` |
| `03` | Account number | Beneficiary account number |
| `05` | Mobile number | E.164 format (e.g. `"+9607654321"`); optional |
| `10` | Network indicator | `"IPAY"` |
### Acquirer BIC Mapping
| Bank | Acquirer BIC |
|---|---|
| BML | `MALBMVMV` |
| MIB | `MADVMVMV` |
| Fahipay | `FAHIMVMV` |
---
## Additional Data — Tag `62` Sub-Tags
| Sub-Tag | Field | Notes |
|---|---|---|
| `05` | Reference / bill number | 9 random uppercase alphanumeric characters |
| `08` | Payment purpose | Free-form text entered by the payee |
---
## Supplementary Data — Tag `80` Sub-Tags
| Sub-Tag | Field | Notes |
|---|---|---|
| `00` | Domain | `"mv.favara.mpqr"` |
| `01` | Timestamp | ISO 8601 format: `"yyyy-MM-dd'T'HH:mm:ss.00000"` |
---
## CRC-16
The checksum uses **CRC-16/CCITT-FALSE** (polynomial `0x1021`, initial value `0xFFFF`). The CRC is computed over the entire payload string up to and including `"6304"`, then the 4-digit uppercase hex result is appended.
```python
def crc16(data: str) -> str:
crc = 0xFFFF
for c in data:
crc ^= (ord(c) & 0xFF) << 8
for _ in range(8):
if crc & 0x8000:
crc = ((crc << 1) & 0xFFFF) ^ 0x1021
else:
crc = (crc << 1) & 0xFFFF
return format(crc, '04X')
```
---
## Generating a Receive-Payment QR
To create a QR that others can scan to pay you:
```
00 02 01 ← Format indicator
01 02 11 ← Static QR
26 <len> ← Merchant account info
00 15 mv.favara.mpqr
01 08 MALBMVMV ← Acquirer BIC (BML example)
02 08 MALBMVMV ← Repeated
03 <len> <accountNumber>
05 <len> <+960XXXXXXX> ← Optional phone
10 04 IPAY
52 04 0000 ← MCC
53 03 462 ← MVR
54 <len> <amount> ← Omit tag entirely if open-amount
58 02 MV
59 <len> <name up to 25 chars>
62 <len>
05 09 <9 random alphanum chars> ← Reference
08 <len> <purpose text>
80 <len>
00 15 mv.favara.mpqr
01 <len> <yyyy-MM-dd'T'HH:mm:ss.00000> ← Timestamp
6304<CRC>
```
---
## Parsing a PayMV QR (Incoming Scan)
When scanning a QR code, extract the relevant fields:
| Field | TLV path | Used for |
|---|---|---|
| Account number | root→`26``03` | Transfer destination |
| Amount | root→`54` | Pre-fill transfer amount (may be absent) |
| Merchant name | root→`59` | Display recipient name |
| Purpose | root→`62``08` | Pre-fill transfer remarks |
---
## Extracting a BML Gateway URL from a Combined QR
Combined QRs (e.g. Fahipay card QRs that embed a BML gateway payment URL) encode the BML URL at a fixed TLV path:
```
root tag 35 → sub-tag 20 → sub-sub-tag 01
```
The value at sub-sub-tag `01` is a full `https://pay.bml.com.mv/app/...` URL. Extract it and hand off to the [BML QR Payment flow](../bmlapi/13-qr-payment.md).
Plain BML QR codes (not combined) start with `https://pay.bml.com.mv/app/` directly.
---
## Example Payload
Static QR for account `7700000000123`, holder `"AHMED ALI"`, open amount, purpose `"Rent"`:
```
000201010211268...520400005303462
5802MV5909AHMED ALI6225050912345ABCDEF0804Rent
80...63044A2B
```
(values abbreviated for clarity — actual tags are concatenated with no whitespace)
---
&nbsp;
---
[← README](README.md) &nbsp;&nbsp;&nbsp; **Next →** [Account Parser Architecture](19-parsers.md)
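Review bot: "Parsing a PayMV QR (Incoming Scan)" lists the fields to extract but never says to recompute the CRC-16 over the payload up to and including `6304` and reject the scan on mismatch, or to reject a TLV whose declared length runs past the end of its container. Since these values pre-fill the transfer destination and amount, add both checks as explicit parsing steps. The "Example Payload" also does not parse under the rules documented above: tag `62` declares length 25, but `050912345ABCDEF0804Rent` is 23 characters, and sub-tag `05` carries 11 characters against a declared `09`. Finally, `crc16` masks each character with `& 0xFF`, so state whether tag `59` and tag `62`/`08` are restricted to ASCII and whether the length fields count characters or bytes.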
@@ -83,3 +83,9 @@ Handles both CASA accounts and prepaid/credit cards.
`AccountsAdapter` calls `AccountListParser.from(account)` once per item (skipping `null` results) and binds the resulting `AccountListDisplay` directly. The adapter has zero bank-specific logic.
The transfer screen dropdown (`TransferFragment`) also uses `AccountListParser.from(acc)?.balance` for the source account balance display.
&nbsp;
---
[← PayMV QR Format](18-paymv-qr-format.md) &nbsp;&nbsp;&nbsp; **Next →** [Transfer Flows](20-transfer-flows.md)
+247
@@ -0,0 +1,247 @@
# Transfer Flows
The transfer screen (`TransferFragment`) handles all outgoing payments across MIB, BML, and Fahipay. This document covers how the UI routes transfers, how recipients are looked up, which combinations are allowed, and which are rejected.
---
## Entry Points
`TransferFragment` can be launched in several modes depending on context:
| Factory method | Behaviour |
|---|---|
| `newInstance(account, name, ...)` | Pre-fills the "To" card from a contact or recents pick |
| `newInstanceFrom(account)` | Pre-selects the given account in the "From" dropdown |
| `newInstanceFromQr(account, name, amount, remarks)` | Pre-fills recipient + optional amount/remarks from a PayMV QR scan |
| `newInstanceFromBmlQr(qrUrl, fromAccountNumber?)` | BML card/gateway QR merchant payment mode — locks recipient, may pre-fill amount |
| `newInstanceWithAutoScan()` | Opens the QR scanner immediately on load |
---
## Account Input Detection
The raw "To" field input is normalised first (spaces stripped, `+960`/`960` country prefix removed if the result is 7 digits), then classified:
| Pattern | Type |
|---|---|
| Starts with `9`, exactly 17 digits | `MIB_ACCOUNT` |
| Starts with `7`, exactly 13 digits | `BML_ACCOUNT` |
| Starts with `7` or `9`, exactly 7 digits | `PHONE` |
| Starts with `A` followed by 6 digits | `NATIONAL_ID` |
| Contains `@` | `EMAIL` |
| Anything else | `UNKNOWN` |
---
## Recipient Lookup
Lookup behaviour depends on the **source account's bank**.
### Fahipay source
Only `PHONE` input is accepted. Any other type is rejected immediately with an error on the "To" field.
Phone lookup hits both Dhiraagu and Ooredoo in parallel (order depends on the first digit):
- Numbers starting with `7`: Dhiraagu first, Ooredoo fallback
- Numbers starting with `9`: Ooredoo first, Dhiraagu fallback
The result maps to one or more Fahipay services:
| Carrier result | Service shown |
|---|---|
| Dhiraagu `RELOAD` | Dhiraagu Reload |
| Dhiraagu `BILL_PAY` | Dhiraagu Bill Pay |
| Ooredoo `PRE` or `HYBRID` | Raastas (prepaid top-up) |
| Ooredoo `POST` or `HYBRID` | Ooredoo Bill Pay |
If exactly one service matches, it is auto-selected. If multiple match (Ooredoo `HYBRID` gives two), a chip group is shown for the user to choose.
### BML source
1. If the input type is `MIB_ACCOUNT`, calls `BmlValidateClient.verifyMibAccount()`.
2. Otherwise calls `BmlValidateClient.validateAccount()`.
3. If either BML call fails and a MIB session is available, falls back to `MibTransferClient.lookup()`.
4. If both fail, shows the error from the MIB lookup (or a generic "account not found").
There is also a short-circuit: if the input matches a saved contact whose `transferCyDesc` is not `MVR`, the contact is used directly without a network lookup.
### MIB source
Calls `MibTransferClient.lookup()` directly. Errors from `MibLookupException` are shown verbatim to the user.
### BML-only session (no MIB session)
Falls back to `BmlValidateClient.validateAccount()` only.
---
## Transfer Type Routing
Once the source and destination are resolved, the transfer type is determined as follows. This applies for both BML personal (`doBmlTransfer`) and BML business (`startBmlBusinessOtpFlow`) — the routing logic is identical.
```
Source: BML
├── isSrcCard (BML_PREPAID / BML_CREDIT / BML_DEBIT)
│ └── type = CAD creditAccount = dest BML CASA internalId (or dest account number)
├── isDestMyCard (destination is user's own BML card)
│ └── type = CPA creditAccount = card internalId
├── isDestMib && currency == MVR
│ └── type = DOT creditAccount = MIB account number bank = "MIB"
├── isDestMib && currency == USD
│ └── Requires a saved BML contact for that MIB account (see Rejections)
│ type = DOT creditAccount = contact.benefNo (numeric) bank = null
└── everything else (BML → BML CASA, BML → other local bank)
└── type = IAT creditAccount = dest account number
```
```
Source: MIB
├── isDestMib (17-digit 9… account)
│ └── bankNo = 2 endpoint = transferInternal
└── everything else (BML or other local bank)
└── bankNo = 3 endpoint = transferLocal
```
```
Source: Fahipay
└── Routed to the selected service:
FAHIPAY_TRANSFER, RAASTAS, OOREDOO_BILL, DHIRAAGU_RELOAD, DHIRAAGU_BILL
```
---
## Rejected Combinations
These combinations are blocked before a transfer is attempted.
### BML USD → MIB (no saved contact)
**Condition:** source is BML, currency is USD, destination is a MIB account, and no BML contact exists for that account number.
**Result:** dialog shown — "Contact required". The user must first add the MIB account as a BML contact before a USD cross-bank transfer can proceed.
> This is enforced in `initiateTransfer()` before reaching `doBmlTransfer`.
---
### BML QR payment — non-card source
**Condition:** in BML QR merchant payment mode and the user selects a non-card account (i.e. not `BML_PREPAID`, `BML_CREDIT`, or `BML_DEBIT`) from the "From" dropdown.
**Result:** selection is rejected with a toast: "Unsupported for BML QR — select a card". The dropdown resets.
---
### Fahipay — non-phone destination
**Condition:** source is Fahipay and the input type is anything other than `PHONE`.
**Result:** inline error on the "To" field: "Only phone numbers are supported for Fahipay transfers."
---
### No source account selected
**Condition:** user taps the lookup button or the transfer button without selecting a "From" account.
**Result:** toast: "Please select a source account first."
---
### Inactive BML card as source
**Condition:** a BML card (`BML_PREPAID`, `BML_CREDIT`, `BML_DEBIT`) with `statusDesc != "Active"` appears in the dropdown but is not selectable — `getAccount()` returns `null` for it and `isEnabled()` returns `false`.
**Result:** the row is shown at 40% opacity and cannot be tapped.
---
### Missing internalId
**Condition:** a BML source account has a blank `internalId` (needed as the `debitAccount` in BML API calls).
**Result:** transfer is aborted with a toast: "Missing internal account ID — please refresh your accounts."
---
## Warnings (allowed but flagged)
These combinations proceed after user confirmation but show a prominent red warning in the confirm dialog.
### USD source → MVR destination
> "You are transferring from a USD account to an MVR account. The currency will be converted at the bank's rate and this cannot be reversed!"
**Condition:** `src.currencyName == "USD"` and the resolved destination account's currency is `MVR`.
---
### BML credit card as source
> "Transferring from a credit card is treated as a cash advance. Cash advance fees will be charged on the 10th of the month."
**Condition:** `src.profileType == "BML_CREDIT"`.
---
## BML Business Profile OTP Flow
Business profiles use a manual OTP delivered via email or SMS rather than a TOTP seed. The flow replaces the standard single-step confirm:
1. **Initiate**`startBmlBusinessOtpFlow()` calls `BmlAccountClient.fetchTransferChannels()` to list available channels (email, SMS).
2. **Channel selection** — a channel picker is shown inline. Transfer fields are locked (dimmed, disabled).
3. **Initiate with channel**`BmlTransferClient.initiateTransfer()` is called with the chosen channel, which triggers the OTP dispatch.
4. **OTP entry** — an OTP input field appears. The transfer button label changes to "Verify Payment".
5. **Confirm**`BmlTransferClient.confirmTransfer()` is called with the entered OTP (not a generated TOTP).
If channel fetch fails or returns empty, the flow is aborted and the form is re-enabled.
**Profile detection:** `isBusinessProfile()` checks `bmlProfilesMap[loginId]` for a profile entry matching `src.profileId` with `profileType == "business"`.
---
## BML QR Merchant Payment Flow
Triggered when the transfer screen is opened via `newInstanceFromBmlQr()` or when a BML ebanking/pay.bml URL is scanned from the QR scanner.
Two sub-modes:
| Mode | Trigger | Extra step |
|---|---|---|
| Static card QR | URL starts with `https://ebanking.bankofmaldives.com.mv/qrpay/` | None |
| Gateway QR | URL starts with `https://pay.bml.com.mv/app/` | `BmlQrPayClient.preInitiatePayment()` required before initiate |
Flow:
1. `lookupBmlQrMerchant()` — fetches merchant info via `BmlQrPayClient.lookupPayRequest()`. Locks the "To" row.
2. For dynamic QRs (`info.amount > 0`), pre-fills the amount and locks the amount field.
3. Remarks field is locked (not applicable for merchant payments).
4. On confirm: TOTP is generated, then `initiatePayment()` → (for gateway QR: `preInitiatePayment()` first) → `confirmPayment()` with a fresh TOTP.
5. On success: a success dialog is shown (no receipt saved). Back-press returns to previous screen.
---
## Transfer Button Enable Conditions
The transfer button is only enabled when all of the following are true:
- A source account is selected
- A recipient is resolved (`resolvedAccountNumber` not blank, or `bmlQrInfo` is set)
- Amount is greater than `0`
- No connectivity error for `NO_INTERNET` or for the source bank
---
&nbsp;
---
[← Account Parser Architecture](19-parsers.md)
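Review bot: Under "BML USD → MIB (no saved contact)" the note says the check is enforced in `initiateTransfer()` before reaching `doBmlTransfer`, but "Transfer Type Routing" states that the same routing applies to `startBmlBusinessOtpFlow`. State explicitly whether the contact check also runs before the business OTP path, since that path reaches the same `DOT` branch with `creditAccount = contact.benefNo`. Step 4 of "BML QR Merchant Payment Flow" writes `initiatePayment()` → (for gateway QR: `preInitiatePayment()` first) → `confirmPayment()`, which leaves the call order for gateway QRs ambiguous; list the calls in order for each mode. "Fahipay source" says the carrier lookup runs "in parallel" and then describes a first/fallback order, so pick one description.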
@@ -373,3 +373,9 @@ _None._
- **MIB Blowfish/ECB** — inherited upstream protocol weakness, not actionable without server-side changes.
- **DhiraaguClient JSON string interpolation** — low real-world risk given numeric-only input validation upstream.
- **`android:allowBackup="true"`** — flagged by automated scanners but effectively mitigated by the exclusion rules.
&nbsp;
---
[← Account Parser Architecture](19-parsers.md)
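Review bot: The footer added at the end of this hunk links back to `19-parsers.md`, which is the same back link `20-transfer-flows.md` receives in this commit, so two pages claim the same predecessor and neither links to the other. If this file is meant to follow Transfer Flows, as the README index order suggests, point the back link at `20-transfer-flows.md` and give that page a matching Next link; otherwise drop the sequence footer here.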
+37
@@ -0,0 +1,37 @@
# App Internals
Documentation for app-specific logic — UI flows, routing decisions, and business rules implemented in the Android client.
---
## UI Flows
| Document | Description |
|---|---|
| [00 — App Overview](00-app-overview.md) | MainActivity routing, HomeActivity, navigation modes, autolock, global session state |
| [01 — Onboarding](01-onboarding.md) | Language selection, security setup (PIN/pattern), appearance configuration |
| [02 — Lock Screen](02-lock-screen.md) | LockActivity, PIN/pattern/biometric unlock, brute-force protection |
| [03 — Login](03-login.md) | Bank selection, credential entry, MIB/BML/Fahipay login flows, multi-profile support |
| [04 — Accounts](04-accounts.md) | Account list grouped display, AccountsAdapter, profile images, quick-transfer shortcut |
| [05 — Account History](05-account-history.md) | Paginated transaction history, search, infinite scroll |
| [06 — Transfer History](06-transfer-history.md) | Multi-bank merged transfer history, parallel loading |
| [07 — Transfer](07-transfer.md) | Recipient lookup, MIB/BML/Fahipay transfer flows, QR, biometric gate, BML OTP |
| [08 — Contacts](08-contacts.md) | Contact list, add/edit/delete, categories, contact picker sheet |
| [09 — Activities](09-activities.md) | Local transfer log, TransferReceiptFragment, share/save receipt |
| [10 — OTP Screen](10-otp-screen.md) | TOTP display, real-time countdown, enrolled bank authenticators |
| [11 — PayMV QR Screen](11-paymv-qr-screen.md) | Generate receive-payment QR, scan QR to initiate transfer |
| [12 — BML QR Pay](12-bml-qr-pay.md) | Scan BML merchant QR, merchant lookup, 3-step TOTP payment |
| [13 — Financing](13-financing.md) | MIB promotional deals, BML loans and card limits |
| [14 — Settings](14-settings.md) | Settings hub, logins management, profile images, add/logout accounts |
| [15 — Settings: Security](15-settings-security.md) | Change lock method, biometrics, auto-lock timeout, screenshots |
| [16 — Settings: Appearance](16-settings-appearance.md) | Navigation mode, slot drag-reorder, theme, accent colour, language |
| [17 — Settings: Storage](17-settings-storage.md) | Clear caches, profile images, transfer history |
## Reference
| Document | Description |
|---|---|
| [18 — PayMV QR Format](18-paymv-qr-format.md) | Decimal TLV encoding, all tags, CRC-16, QR generation recipe, parsing reference |
| [19 — Parsers](19-parsers.md) | Account display parser architecture — how raw bank API data is normalised into a unified `AccountListDisplay` model |
| [20 — Transfer Flows](20-transfer-flows.md) | TransferFragment entry points, recipient lookup, transfer type routing, rejected combinations, BML business OTP flow, BML QR merchant payments |
| [AI Security Audit](AI_SECURITY_CHECK.md) | Full source security audit — credential storage, network layer, manifest, data privacy |
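Review bot: The Reference table titles document 19 as "Parsers", while the footers added in `18-paymv-qr-format.md` and `20-transfer-flows.md` link to it as "Account Parser Architecture"; use one title throughout. Rows "07 — Transfer" and "20 — Transfer Flows" both list recipient lookup, QR and BML OTP, so add a short pointer in each description saying which is the screen walkthrough and which is the routing reference.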