shihaam/thijooree
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 9 Wiki Activity
160 Commits 1 Branch 10 Tags
d637877167533fffe80e991b1756adbe94380132
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Shihaam Abdul Rahman d637877167
All checks were successful
Auto Tag on Version Change / check-version (push) Successful in 6s
Details
update docs
2026-05-27 18:04:39 +05:00
.build/release
impprove ci performance
2026-05-24 00:29:40 +05:00
.gitea/workflows
update ci to fetch reponame as apk name
2026-05-15 17:20:05 +05:00
.idea
some android studio bs
2026-05-23 23:13:07 +05:00
app
add product group mapping for cards
2026-05-23 23:56:15 +05:00
docs
update docs
2026-05-24 00:27:59 +05:00
gradle
fix prod build
2026-05-18 00:43:05 +05:00
.gitignore
add support for fahipay login and view history
2026-05-16 21:31:34 +05:00
build.gradle.kts
repo init
2026-05-14 05:24:09 +05:00
gradle.properties
repo init
2026-05-14 05:24:09 +05:00
gradlew
repo init
2026-05-14 05:24:09 +05:00
gradlew.bat
repo init
2026-05-14 05:24:09 +05:00
ic_logo.png
update docs
2026-05-27 18:04:39 +05:00
LICENSE
add LICENSE
2026-05-17 00:48:13 +05:00
README.md
update docs
2026-05-27 18:04:39 +05:00
settings.gradle.kts
add support for PayMV QR scan
2026-05-14 05:24:24 +05:00

README.md

Thijooree

A native Android client for Maldivian banking services — MIB (Faisanet), BML (Bank of Maldives), and Fahipay. It is a pure client: requests go directly from your device to the banks' own servers using the same protocols as their official apps. No proxy, no backend, no middleman.

AI Slop Inside License: GPL v3 Android 8.0+ Jetpack Compose Maintained

What it does

  • Multi-bank dashboard — view balances across all your MIB, BML, and Fahipay accounts in one place, with a combined MVR and USD total
  • Transaction history — paginated, searchable transaction history per account for MIB CASA, BML CASA, BML prepaid cards, and Fahipay wallet
  • Transfers — send money between accounts and to saved contacts; supports MIB-to-MIB, BML-to-BML, and cross-bank (MIB↔BML via FAVARA); transfer receipts saved locally
  • Contacts — manage saved beneficiaries across all banks; validates Dhiraagu and Ooredoo numbers and shows the account owner name before you add
  • Fahipay — full wallet support including balance, history with merchant icons, and Fahipay favourites (Raastas, Reload, Ooredoo Bill, Dhiraagu Bill)
  • QR payments — scan PayMV QR codes to pre-fill transfers
  • BML foreign limits — view your foreign currency spending allowances and breakdowns by ATM / POS / ECOM
  • MIB financing — view active financing deals
  • Hide amounts — one-tap toggle to hide all balances on screen (e.g. in public)
  • Multi-account support — add multiple logins per bank (e.g. personal + business); BML supports multiple profiles per login with per-profile session tokens
  • Profile visibility — individually hide/show MIB or BML profiles from the dashboard without removing them

Authentication

The app requires your existing credentials for each bank — the same username/password/OTP seed you use with the official apps. It stores them encrypted using AES-256-GCM backed by the Android Keystore (hardware secure enclave).

Each bank's 2FA uses TOTP, so you need to have your OTP seed (the same secret used by your authenticator app).

MIB sessions persist their Blowfish DH key pair and app ID between launches (re-login only when the session expires). BML tokens are stored per-profile with refresh token support. Fahipay sessions persist the authId and __Secure-sess cookie.

Security

  • All credentials encrypted at rest with AES-256-GCM (Android Keystore)
  • Lock screen protected by PBKDF2-HMAC-SHA256 (100,000 iterations) with optional biometric unlock
  • FLAG_SECURE on by default — content hidden in app switcher and screenshots blocked
  • All sensitive data excluded from Android cloud backup
  • Zero analytics, crash reporters, or third-party SDKs — network traffic goes only to MIB, BML, Fahipay, and the Maldivian telecoms for number validation

See docs/AI_SECURITY_CHECK.md for the full security audit.

Supported banks

Bank Login Accounts History Transfers Contacts
MIB (Faisanet) username + password + TOTP
BML (Bank of Maldives) username + password + TOTP
Fahipay national ID + password + TOTP ✓ (favourites)

Requirements

  • Android 8.0+ (API 26)
  • Existing accounts with MIB, BML, or Fahipay
  • Your TOTP seed (base32 secret from your authenticator app setup) for each bank

Building

Open in Android Studio and run. No API keys or secrets required — all protocol constants are derived from the official apps and are included in the source.

The release signing config reads from environment variables (KEYSTORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD).

How it works

BasedBank talks directly to each bank's existing mobile API using the same protocol as their official apps, reverse-engineered from the APKs. It does not use any intermediary server — requests go straight from your device to the bank.

  • MIB: Blowfish/ECB encrypted JSON over HTTPS with a Diffie-Hellman session key exchange
  • BML: PKCE OAuth 2.0 flow via the BML web login, exchanged for a Bearer token used on the mobile API
  • Fahipay: multipart form login with TOTP, session maintained via __Secure-sess cookie and authid header

Privacy

No data ever leaves your device except the API calls to the banking services themselves. See the security audit for a full list of every server the app connects to.

Disclaimer

This is an unofficial third-party app. It is not affiliated with, endorsed by, or supported by MIB, BML, or Fahipay. Use at your own risk. Review the source code before entering your banking credentials.

Reference in New Issue View Git Blame Copy Permalink
Description
Thijooree is a native Android client for Maldivian banking services.
Readme GPL-3.0 10 MiB
Languages
Kotlin 100%