4.2 KiB
Login
LoginActivity handles adding bank accounts. It is shown on first launch (after onboarding) and also opened from Settings → Logins → Add Account.
Fragment Flow
LoginActivity
└─ BankSelectionFragment ← pick a bank
└─ CredentialsFragment ← enter credentials for that bank
Bank Selection — BankSelectionFragment
A scrollable list of supported banks presented as selectable cards:
| Bank | Notes |
|---|---|
| MIB (Maldives Islamic Bank) | Username + password |
| BML (Bank of Maldives) | Username + password |
| Fahipay | Mobile number + password |
Tapping a card navigates to CredentialsFragment with the selected bank pre-set.
Credentials — CredentialsFragment
Shared Fields
For MIB and BML the form also includes an OTP seed field. The user can:
- Paste the raw base32 /
otpauth://seed directly intoetOtpSeed - Tap the QR scan button (
btnScanOtpSeed) to launch the QR scanner; the result is parsed byutil/OtpauthParserand written toetOtpSeed. If the QR contains multiple entries the user picks one via a dialog (CredentialsFragment.kt:67-84).
A live TOTP preview card under the field updates every second so the user can confirm the seed is correct before submitting. The seed is required for MIB and BML login button activation (updateLoginButtonState()).
MIB Login
Fields: Username, Password, OTP seed.
Flow on submit:
MibLoginFlow.login(username, passwordHash, otpSeed)— Diffie-Hellman key exchange, then Blowfish/ECB-encrypted credentials- On success, fetches
operatingProfiles— the list of CIF profiles - Each profile is stored as a
BankAccountwithbank = "MIB"andcifTypefrom the API MibProfileClient().fetchPersonalProfile(session)is called post-login to retrieve and persist the full account-holder name (used by the OTP screen and elsewhere)- Sessions are stored in
BasedBankApp.mibSessions
BML Login
Fields: Username (customer ID), Password, OTP seed.
Flow on submit (CredentialsFragment.kt:272-326):
BmlLoginFlow.login(username, password, otpSeed)— returns a list ofBmlProfile- For each non-business profile,
flow.activateProfile(profile, loginTag)runs;BmlActivationResult.SuccesspopulatesbmlAccountsand stores a per-profile session - Business profiles are skipped at login (user can enable them later via Settings → Logins; that path returns
BmlActivationResult.NeedsBusinessOtpand runs the OTP-channel flow) - Credentials saved via
store.saveBmlCredentials(loginId, username, password, otpSeed) - Tokens stored per profile in
BasedBankApp.bmlSessions
Fahipay Login
Fields: Mobile / ID-card, Password. Two-step TOTP — after the password is accepted the same screen re-uses itself to collect the TOTP, with fahipayAwaitingTotp = true (CredentialsFragment.kt:60) controlling the UI state.
Flow on submit:
FahipayLoginFlow.login()— authenticates against Fahipay API- Server responds with a TOTP challenge; user enters the code
- On success, stores
authID+__Secure-sesscookie - Single wallet account stored with
bank = "FAHIPAY"
Multi-Profile Support
Each MIB login can have multiple CIF profiles (e.g., an individual and a business account under the same username). Each profile appears as a separate entry in the accounts list and can be toggled independently in Settings → Logins.
BML can yield multiple profiles per login (personal + business). Fahipay yields a single profile.
Adding the same bank login a second time merges its profiles into the existing login rather than creating a duplicate.
Credential Storage
All credentials (username, password, tokens, session cookies) are encrypted via CredentialStore, which uses Android EncryptedSharedPreferences backed by a hardware-keystore key where available.
After Login
CredentialsFragment calls app.autoRefresh() after a successful login, then navigates back to LoginActivity's result which routes to HomeActivity (or back to Settings if called from there).
← Lock Screen Next → Accounts