[Android] No Vault Lock with Accessibility functions enabled

I have the Bitwarden Android app. In the settings, I enabled automatic vault lock after 5 minutes. The Accessibility functionality (allows for painting over apps to enhance the autofill experience) is active (part of Android settings).

Now, I get logged out after 5 minutes as intended. If I open an app whose URI has been linked to an entry in the vault, there are two autofill options: (let’s say Reddit) and ‘Bitwarden vault’ which just allows you to access all logins. If I click Vault, I have to log in. However, if I click the option, IT AUTOFILLS REGARDLESS OF VAULT STATUS. I can routinely autofill items hours after the vault has been locked.

I can think of no setting that could cause this, so I have to assume this is a vulnerability.

Thinking about it, if there is access to even a single Item and one assumes the Vault is not a collection of individually encrypted Items, but a single encrypted file (I would assume it’s an encrypted JSON file), the only way this is possible is if the Vault stays decrypted even if you log out (assuming this is not Android ‘saving’ the data).

Thanks for the post @AnonAustria13. If you could, would you reach out to our CS team for troubleshooting here: Contact | Bitwarden?

If you would rather create an issue directly, feel free to fill out the issue template here: Issues · bitwarden/mobile · GitHub - that is the best place to provide the report and details for the engineering team to look at them ASAP.