I have the Bitwarden Android app. In the settings, I enabled automatic vault lock after 5 minutes. The Accessibility functionality ( allows for painting over apps to enhance the autofill experience ) is active ( part of Android settings ).
Now, I get logged out after 5 minutes as intended. If I open an app whos URI has been linked to an entry in the vault, there are two autofill options: ( let’s say Reddit ) and ‘Bitwarden vault’ which just allows you to access all logins. If I click Vault, I have to log in. However, if I click the option, IT AUTOFILLS REGARDLESS OF VAULT STATUS. I can routinely autofill items hours after the vault has been locked.
I can think of no setting that could cause this, so I have to assume this is a vulnerability.
Thinking about it, if there is access to even a single Item and one assumes the Vault is not a collection of individually encrypted Items, but a single encrypted file ( I would assume it’s an encrypted JSON file ), the only way this is possible is if the Vault stays decrypted even if you log out ( assuming this is not Android ‘saving’ the data )