MTCC's MVR 13 million taxi app: closed bids, family ties, and leaked ID cards
Developers unravelled the app's failures within hours of its launch.

Artwork: Dosain
Three days before the local council election, the government launched a taxi app that cost MVR 13 million (US$ 843,000), leaked users' ID cards, and was built by a company whose only listed experience is selling CCTV cameras.
It came amid rumours within the local tech community of a bid awarded to a company with no development experience. At the launch event, both MTCC and the state broadcaster PSM published a link to the app (maletaxi.web.app) – the default domain used to host Firebase applications – prompting a search for bugs.


Within hours of the launch, Maldivian developers and security researchers began pulling the app apart. What started with questions about the bid process quickly snowballed into a collective, real-time investigation on X. Social media activist Midhuam Saud first raised concerns about the procurement. Members of the Maldives Developers Union examined the app's security. Researcher Fishie coordinated findings. Developer Raftalks tested the authentication. Others traced the connections between the contractor and MTCC staff through public records and social media.
The database of the app was wide open. Anyone could run a simple script and pull the entire user database, the researchers found.
In similar cases, Fishie said he would usually have time to alert the authorities. "But this time I got reports from multiple sources about the leak and a lot of people in the industry knew about the leaked Firebase instance so we decided it would be safest to go public as soon as possible," he told the Maldives Independent.
Within days, the crowdsourced investigation assembled a detailed picture of what had gone wrong, and who was responsible.
Fixed Maldives, the company awarded the contract to develop the app, lacks experience in app development. According to the economic ministry's business registry, Fixed Maldives is a sole proprietorship registered to Ibrahim Abdulla of the Daisymaage house in Haa Dhaal Nolhivaranfaru. Its website lists networking services and CCTV cameras. There was no mention of software development.
The investigation soon learned that the owner of Fixed Maldives and MTCC Assistant General Manager Abdulla Farish are both registered at the same Nolhivaranfaru address (Daisymaage), uncovering a clear conflict of interest. Farish handled the tender and also led the project from MTCC’s side.
The bid was open only to "invited suppliers," according to MTCC. Major Maldivian technology companies said they were neither invited nor aware of the tender.
Experienced Maldivian web developers who have built similar apps and currently work abroad say a high-quality taxi app on par with Uber or Grab would cost at most US$ 200,000 (MVR 2 million). However, MTCC awarded the contract to Fixed Maldives in the last quarter of 2025 for a total of MVR 13 million, Dhauru reported. The agreement also reportedly includes ongoing monthly payments for technical maintenance of the app. The company received two payments under the agreement, totalling about MVR 2 million.
The app's development proceeded without adequately informing the company's own IT department. No security audit or proper testing phase appears to have been conducted.
When it was launched, the app was not available on the App Store or Play Store. Only a website was released.
But MTCC had a full year to prepare the app. The government enlisted the company in February 2025 to launch the service in the Greater Malé Region. The original start date was the first week of July 2025. Transport Minister Mohamed Ameen then gave deadlines of August 2025, January 2026 and Eid in March 2026 before the eventual launch last week.
Meanwhile, evidence gathered by developers suggests that Sri Lankan parties were actively involved in writing the app's code.
Among them was a developer named Thilan Theekshana, who works at a Sri Lankan company called "Forciva." Thilan's LinkedIn profile listed the Malé Taxi app under his work at Forciva. Ismail Hassan, a police officer with the code name "Ghost," who was described as a cybersecurity specialist, was also involved. The two met in Malé in January 2026. A video published on Thilan's Facebook shows Ismail Hassan and others gathered around a desk, discussing how to display driver information on the taxi app.
The post was later taken down but it is archived.


MTCC CEO Ahmed Saudhee is a former deputy commissioner of police. The developers warned that an app that collects users' real-time location data and personal identification documents – developed with significant police involvement and no security audit – raises serious questions about the protection of citizens' data.
Data leaks
Researchers found the app's security to be critically inadequate. Customers' card details were found to be leaking through the app, and a simple script could breach the app's Firebase database without any barriers, resulting in tables containing user data being publicly exposed.
Most alarmingly, the database breach exposed the ID cards of registered users. Among them was the ID card of Ismail Hassan, the app's own lead developer.
When it first went live as a website, even its OTP verification system failed to work as intended.
When updating profile details, including mobile numbers and email addresses, the app prompts users to verify changes via a one-time password sent to the new contact, software developer Raftalks told the Maldives Independent. In theory, this ensures that a number or email actually belongs to the person claiming it. In practice, it did nothing of the sort.
Raftalks found that entering a random six-digit code – simply typing 123456 – was enough to bypass the verification entirely, allowing anyone to link another person's phone number or a fabricated email address to their account. The root flaw: the app was never actually checking whether the OTP was correct before saving the changes.
“In that OTP verification screen, I was able to try with 123456 and it got saved. I was able to add someone else's mobile number and fake email to the profile. The security risk here is that OTP verification was not checked before updating the profile. This can potentially impersonate another user,” Raftalks explained.
To demonstrate the flaw, Raftalks changed his profile details to the contact information of an MTCC employee.
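The flaw Raftalks describes, shown as an added example (not code from the app or from anyone quoted here): a profile-update handler that saves without checking the OTP, next to one that verifies the code server-side before the write. The function names, in-memory stores and phone numbers are constructed for illustration.

```javascript
// Added illustration with hypothetical names; not the Malé Taxi app's code.
const crypto = require('node:crypto');

const profiles = new Map(); // userId -> { mobile }
const pending = new Map();  // userId -> { contact, code, expires, tries }
const OTP_TTL_MS = 5 * 60 * 1000;
const MAX_TRIES = 5;

// Issue a code bound to one user AND to the one contact it was sent to.
function requestChange(userId, newMobile, now = Date.now()) {
  const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  pending.set(userId, { contact: newMobile, code, expires: now + OTP_TTL_MS, tries: 0 });
  return code; // a real service sends this by SMS only, never back to the client
}

// Flawed pattern: the submitted code is accepted as a parameter but never compared.
function confirmChangeVulnerable(userId, newMobile, _code) {
  profiles.set(userId, { mobile: newMobile });
  return true;
}

// Hardened: every check happens server-side, before the profile write.
function confirmChange(userId, newMobile, code, now = Date.now()) {
  const p = pending.get(userId);
  if (!p || p.contact !== newMobile || now > p.expires) return false;
  if (++p.tries > MAX_TRIES) { pending.delete(userId); return false; } // stop guessing
  const a = Buffer.from(String(code));
  const b = Buffer.from(p.code);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  pending.delete(userId); // single use
  profiles.set(userId, { mobile: newMobile });
  return true;
}
```

Binding the code to both the account and the new contact matters: a valid OTP for one number must not authorise linking a different one.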

Fishie said the app was not so much patched as shut down. "The only thing that was 'patched' was the Firebase rules to prevent public access," he said. The app is currently offline.
“The major risk of Firebase is scaling and price issues that arise with this,” said Fishie.
“Also I believe data like this should be stored on Maldivian soil where if anything happens we can take the data stores to count. Not to mention this would also mean that Google won't be provided our data.”
An experienced developer who reviewed the app's infrastructure told the Maldives Independent that the choice of Firebase as the backend – while not inherently flawed – leaves significant room for costly mistakes. "Firebase isn't entirely terrible if they do it right. But the thing about Firebase is that it can get expensive really fast if you're not careful with optimising the read/write. Very easy to get wrong," he explained.
For an app operating at the Maldives' scale, he estimated monthly costs could quietly balloon to around US$ 10,000 before developers even notice, triggering what he described as a likely scramble to fix things after the fact.
He noted that a self-hosted alternative such as Supabase would handle the same workload at a fraction of the cost while giving the team greater control over security and data.
Local talent
The muted public response from the local developer community speaks to a deeper problem, Fishie suggested. While there has been considerable activity behind the scenes, few have been willing to speak out openly.
"Most are afraid of losing their jobs. There is a lot of activity from devs behind the scenes but publicly people are quiet," he told the Maldives Independent.
This makes the work of exposing such issues harder, since peer-reviewed findings carry more weight, Fishie said. But momentum is slowly building. At least one new developer steps forward each time a case like this emerges, he noted.
However, what frustrates him most is that the outsourcing was unnecessary to begin with. The Maldives has more than enough local talent to build apps of this kind in-house, he said, pointing to homegrown products like the Avas app, Foodies by Loopcraft, Purple Lane, and Eeezap as proof.
The taxi app space in particular has seen a wave of local development. "Taxi driving apps were the second tech boom in Maldives. First it was everyone making recharging apps. It's hard to argue that the capacity is not here. It's definitely there. Look up how many taxi app clones we have or even food delivery apps," he observed.
The Male Taxi app saga is not the first time the government was accused of sidelining local developers. In 2016, a team of young Maldivians built Ride Maldives, an Uber-like motorcycle ride-sharing app. The app was ready to launch with over 200 drivers on the waitlist. The team met then-Economic Development Minister Mohamed Saeed to demo the app and seek government endorsement, according to Nasrullah Adnan, one of the founders, who went on to create LottieFiles, a globally used animation platform.
The next day, the ministry issued a press statement announcing the government would start its own motorcycle taxi service under a new regulation. The team was told to apply. The Transport Ministry took nearly a year to draft the regulation – stripping out the safety features the Ride Maldives team had designed – and refused to meet them for feedback. The team eventually abandoned the project.
"They took our base idea but stripped out all the safety measures we had put in place," Nasrullah recounted on X. In an open letter at the time, Ride Maldives said its original concept paper "may have been used in drafting the regulation" but the team had "no say or involvement whatsoever."
A government-linked company later launched a motorcycle taxi service, which also failed. Saeed has since returned to his former post as economic development minister under President Muizzu.
In 2015, a local company called Taviyani, the same company that operates Avas, the country's most widely used taxi app, registered the name “Male Taxi” at the economic ministry, raising questions about how Dhiraagu, the local telecom company which issues and registers ‘.mv’ domain names in the Maldives, had issued the same domain to MTCC.
On March 28, Taviyani sent a letter to the MTCC managing director asking the company to cease and desist using the name. However, MTCC has continued using the name regardless, including on the vehicles' branding.
On Tuesday, opposition MP Mohamed Ibrahim sought a parliamentary inquiry into suspected corruption in the development of the taxi app.
MTCC’s information officer did not respond to questions posed by the Maldives Independent despite repeated calls and messages over the three days.