Bitwarden app - Is it as safe as the browser extension?

I just got a new Samsung phone. Since it has current Android and security updates, and does updates automatically, I am thinking of installing the BW app. It will make it easier to log in to the apps that I transferred from my old phone, since they all need to be logged into again… But I do have a few questions about the BW app:

  1. Is the app considered as secure and reliable as the browser extension, which I currently use?
  2. What is the best way to unlock the vault of the app: my master PW, like the browser extension? Or another method like a PIN?
  3. When I close the BW app, does it completely log me out, or just lock it? If it just locks it, does the app enable you to completely log out so that both the memory and the encrypted .json file are purged from the phone?

  1. Yes for security. People sometimes mention that using autofill on Android is hit-and-miss, although it may be an Android issue. People seem to have a better experience with autofill on iOS. Note that you will need to initially configure Android to not kill BW on optimization, and configure BW for autofill.
  2. Long master password on small keyboard is frustrating. Also, you don’t want to be typing this out in awkward situations. Biometrics (usually fingerprint on Android) is best this way, but some people do use BW PIN as an authentication separate from what you use to unlock your phone (biometrics or phone PIN).
  3. Not if you do the configurations in 1 & 2. The logout option is currently in “Settings → Account security → Logout” which would purge the .json file and memory.

Thanks. Regarding your suggestions to 1) configure Android to not kill BW on optimization, and 2) configure BW for autofill. Can you provide some more detail on how to take those steps? Are they actual settings in the “Settings” function of the phone? Something I do when I install BW on the phone? Or something else?

Autofill & biometrics setup:

Turn-off battery optimization:

Thanks. I got the BW phone app set up today, seemed pretty forward, and everything seems to be working. I am using biometrics to unlock. Two questions so far:

  1. Is there a way to use biometrics to log in to the BW app, like I do to unlock it? The only options that seem available are to function like my web extension (master PW and then 2FA through an authenticator app) or “log in using device,” whatever that means. Just wondering if I can use biometrics (face or fingerprint) instead of the master PW to log into the app.
  2. Regarding apps in general (excluding financial apps), such as airline apps, etc. – Is it considered ok to simply close the app once done, which enables me to open it back up without logging in? Or, is it considered “best practice” to log out of any app when not using it. Which is kind of a PITA, but what do you think?
Thanks again.
  1. What you are asking will be implemented using passkey, which is available in a limited form now. There is an option to set up passkeys to login on the web app on some browsers (like Chrome, but not FF); this is in beta. There is another option, “login with device” (a more mature feature), which basically uses another BW app (mobile, desktop) to approve a client (mobile, desktop, web, browser extension) that you have logged in with a password successfully in the past.
  2. With Android’s stronger security model, I personally think leaving the apps logged in is OK. The apps that are sensitive should be locked behind another authentication (Bitwarden, Email, Messages, 2FA apps, financial apps) if not logged out. I believe Samsung has an option to hide the apps, or lock the apps behind another biometrics if the app doesn’t support a lock.

If you are comfortable with never logging out of the BW Android app, you might be able to use that app to approve other clients (which still have to be logged in with a password successfully once). If you need to log out of the Android app, then you can set up BW on your desktop to approve logins on the Android app, and keep at least one app running at all times to approve any client.

The unrooted Android security model is strong. Typically, malware can’t get access to your encrypted vault file, memory, and keys persisted in the Android keystore, unless the malware is exploiting unpatched/0-day vulnerabilities. Keep your Android device fully encrypted (done by default), locked with biometrics, and secure on your person (be mindful of security, don’t open PIN-locked phones/apps in public/areas with security cameras). Keep all your sensitive apps behind another lock (PIN/biometrics). So, keeping the BW app logged in all the time may be mostly OK, with autolock as short as you can stand (some people use immediately).

People have reported getting robbed of their phone, being forced to hand over the phone PIN and bank’s password as well. I haven’t seen people reporting being forced to hand over a password manager’s password yet, but as this kind of app gets popular, it’s probably only a matter of time. So, liberally use 2FA without the “remember me” option. Put apps behind multiple locks if you need to. For example, you can use the Samsung feature to put Bitwarden behind a lock with biometrics (which may not allow the phone PIN as an alternative), while also using the PIN unlock on Bitwarden.

ps: Face authentication on Android is easier to spoof than fingerprints. If you are afraid of being spoofed, I’d suggest not using that.


Thanks, good info and very helpful. I think I will wait until the passkey feature is out of beta. (Just being extra cautious). Then I’ll use my face or fingerprint as the passkey. In any case, I do have a few f/u questions to your response above:

  1. Let’s say I set up my fingerprint or facial recognition on my phone as my BW passkey, to log into the BW app. Will I also use my phone then to log into my browser extension? In other words, will the BW passkey on my phone (i.e., the facial recognition or fingerprint reader) enable me to log into the browser extension as well? Or will I need a separate fingerprint reader or camera on the computer?
  2. You said to keep my Android device fully encrypted, “which is done by default.” And I did read that Android has been encrypted since ver 5.1 or so. My question: Is there any “setting” I should double-check to be sure my new phone is indeed encrypted? I haven’t messed with a lot of the security settings, but I’m just asking, to be sure.
  3. You suggest using 2FA without the “remember me” option. Do you mean when I log into an app or website and it offers the “Remember Me” checkbox, to leave that box unchecked? Or is the “remember me” a setting on my phone that I have to uncheck?
Thanks again
  1. On my Android 13 phone, it’s under “Settings → Security → Encryption & credentials → Encrypt phone”. You most likely have “Hardware backed” indicator, which is extra good.

  2. On any app and website that offers to remember you when prompting for 2FA, don’t check that or uncheck it. Your phone security is tied to your Google account security on initial set up. But once you are past all that, your Google account is pretty easy to get into with the combination of password, google prompt, and biometrics (which is tied to a specially created Google passkey on my phone).

(1) I don’t know for sure. Android 14 is the one set up to be fully passkey capable, which I don’t have. But the Windows platform looks like it is being set up to use passkeys on other devices via QR scanning (and probably NFC/bluetooth connection). Your platform/OS will have to support it. Your app will have to support it. Your browser will have to support it (with Chrome likeliest to be quickest). Right now, BW only allows passkey login to the Web vault (not fully supported on FF). You have to watch for when they enable it for apps/browser extensions.

When Windows prompts for a passkey/2FA device, it doesn’t ask for PIN or biometrics authentication, which I assume would depend on the device with the passkey (for you, Android). Your phone’s NFC/bluetooth connection to Windows would tell Windows that it has already correctly authenticated you.

OK, thanks. Regarding your #2 answer above, I have Android 14. It doesn’t have that path you describe above. It says, “Security and privacy,” and then when you click on that, it runs a quick check and says, “Looks good, no security issues.” But there is no option for “encryption and credentials” and no “hardware backed” indicator that I can find.
As I had mentioned, I haven’t messed with the security settings, so I am guessing that everything is ok on my end.
