How does Bitwarden protect account passwords from being stolen by unauthorized applications on devices? If a device gets infected with a virus or trojan, would not the Bitwarden account and login password be stolen by the trojan virus?

Would all the account passwords stored in Bitwarden be leaked? What technology methods does Bitwarden use to maximize the protection of account passwords from being spied on by other applications on the device?

My phone is a OnePlus 9, the LE2110 model. The operating system I’m using is LineageOS lemonade, with the version being lineage-20.0-20231106-nightly-lemonade. I downloaded the app “Xiaohongshu” from Google Play. I also use an open-source proxy software for daily use of these apps. In recent times, I’ve been using the Chinese app “Xiaohongshu” to browse home renovation.
However, after browsing these posts, I received a promotional call from a customer service representative of a renovation company.
Strangely, I didn’t use my real phone number to register the account I used to browse these posts. Yet, it seems to know my real phone number and calls me with promotional content. I didn’t grant “Xiaohongshu” any permissions. So, is it “Xiaohongshu” spying on my preferences and habits, or is it another app?

I also received push notifications from various social and e-commerce platforms related to these products the day after I mentioned them in casual conversation.

How do I investigate which app in the phone system has a privacy issue of spying on my real phone number, daily browsing, and habits? How do apps or applications bypass the privacy and permission restrictions of the operating system to stealthily obtain my real phone number, daily browsing, and habits? What is this technology? What knowledge does it involve? What is the principle of this technology?

@Aorta Welcome to the forum!

If you acquire any kind of malware on your device, then unlocking Bitwarden on the compromised device would allow immediate theft of the full contents of your vault. It is your responsibility to keep your devices secure and to protect them against malware, and to avoid using Bitwarden on devices that you do not control.

For Bitwarden’s part, it can only protect your secrets while your vault is locked or logged out. Thus, you should set your “Vault Timeout” period to the shortest possible interval that doesn’t unduly interfere with your work patterns.

Usually Android does a much better (but not perfect) job than desktop systems of keeping apps separated from one another. Android has pretty good sandboxing, so ideally, even malicious apps cannot do much [aside from very rare and expensive 0-day vulnerabilities]. Since you mention that you are using LineageOS, a custom Android distribution (possibly rooted?), this does not necessarily hold anymore though. Depending on the patch level of Android, and on the security features that are circumvented by your ROM, the app might be able to spy on you.

I also use an open-source proxy software for daily use of these apps.

Depending on what layer the proxy is on, it can either see all contents of all HTTP traffic (w.r.t. Bitwarden this would not gain them that much, since vault entries are encrypted even at the application layer), or just the encrypted traffic, i.e. what site you are connecting to but not the contents of the traffic.

Aside from that, I agree with @grb. Since you don’t know what security features are disabled on your ROM, if you assume that malware was/is on your device, consider your account compromised. Rotate your encryption key, and change your passwords. And for security, custom ROMs and shady apps are not a great combination.
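The question above of how to find out which installed app can actually read the phone number or other identifiers is answerable from the permission state Android keeps per package. The script below is an added example for this thread, not code from Bitwarden, LineageOS or any poster: it parses the output of `adb shell dumpsys package` (the `Package [...]` blocks with their `install permissions:` and `runtime permissions:` lines, as printed on Android 10 and later) and lists every package that holds a permission from a small, constructed watch list. The embedded dump is constructed for the example; the package names and permission flags in it are illustrative.

```python
"""Audit granted Android permissions from `adb shell dumpsys package` output.

Added example for this thread (not Bitwarden's or LineageOS's code). The
SAMPLE_DUMP below is a constructed excerpt in the format `dumpsys package`
prints on Android 10+. On a real device, run:

    adb shell dumpsys package > dump.txt
    python audit_perms.py dump.txt
"""
import re
import sys

# Permissions that expose the identifiers or content discussed in the thread
# (phone number, contacts, microphone, location). Constructed watch list for
# this example; extend it as needed.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS",
}

# "  Package [com.example.app] (1a2b3c):" opens a package block.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# "      android.permission.X: granted=true, flags=[...]" inside a block.
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

# Constructed sample dump (two packages, one with a granted phone permission).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.social] (1a2b3c):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_DENIED]
  Package [com.x8bit.bitwarden] (4d5e6f):
    userId=10242
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.USE_BIOMETRIC: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.CAMERA: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_DENIED]
"""


def parse_granted(dump: str) -> dict:
    """Map package name -> set of permissions whose line says granted=true.

    Only install/runtime permission lines carry "granted=", so the
    "requested permissions:" list (asked for, not necessarily held) is ignored.
    A package listed twice (e.g. under "Hidden system packages:") is merged.
    """
    granted = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def flag_sensitive(granted: dict) -> dict:
    """Return {package: sorted granted permissions from SENSITIVE}, non-empty only."""
    return {pkg: sorted(perms & SENSITIVE)
            for pkg, perms in granted.items() if perms & SENSITIVE}


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_DUMP
    flagged = flag_sensitive(parse_granted(text))
    if not flagged:
        print("no package holds a permission from the watch list")
    for pkg, perms in sorted(flagged.items()):
        print(pkg)
        for p in perms:
            print("    " + p)


if __name__ == "__main__":
    main(sys.argv)
```

An empty result only rules out the permission-based route for the packages on the device; app-op decisions that are not permissions (clipboard reads, background location) show up in `adb shell appops get <package>` instead, and the script says nothing about data a caller may already hold from other sources. It also does not cover a rooted device or a ROM with sandbox features disabled, where the permission table no longer bounds what an app can read.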

If you used the official LineageOS build, and didn’t root the device, I personally wouldn’t jump to the conclusion that it’s the OS that is compromised. LineageOS is one of the best known / reviewed among custom ROMs, and who among the users knows the ins and outs of their custom ROMs? A typical malware can’t read the memory, can’t access the vault file, but may be able to read the clipboard.

If you used a non-official build or rooted the device, that’s a different beast.

I personally would ask questions in a community more involved with LineageOS.

The devices discussed are not limited to phones but also include PCs, etc.

I used an official build and a non-rooted device; mods used: BiTGApps.

Nowadays, it is not just Chinese software that seriously pries into users’ privacy and resells it to commercial companies. Software from other free and democratic countries with the rule of law also steals user privacy in order to achieve a long-term monopoly on business, wealth and status.

I generally only install well-known proprietary and open-source software, and I don’t casually click on unknown links. This is likely a case of software overstepping its bounds to spy on and sell user privacy, which is common in authoritarian countries, especially for companies that are not listed in free and democratic rule-of-law countries. Refer to: reports on the Pinduoduo company forming a hacker team to intentionally leave backdoor vulnerabilities to spy on user privacy: “Pinduoduo App Malware Detailed by Cybersecurity Researchers”; “‘I’ve never seen anything like this’: One of China’s most popular apps has the ability to spy on its users, say experts”.

The ultimate answer for Bitwarden security on Windows PCs is to avoid getting malware in the first place. As Quexten has alluded to, once malware runs in the user space, it can be highly destructive. It can exfiltrate all your data files, including Bitwarden app’s and extension’s vaults, read your memory (including Bitwarden’s, which contains your vault contents and encryption key when unlocked), access the clipboard (including its history with copied passwords), and log all your keystrokes.

Bitwarden does keep the vault on disk encrypted, the memory content encrypted when locked, and has the minimal OS-supported protections. This info is from MS process explorer:
[screenshot: BW Protection]

For users in authoritarian states where rule of law and civil liberties are lacking, running Windows PCs presents a significant security risk, especially if you need to use software developed by companies susceptible to government control. ChromeOS might be a better option in such situations.

I usually use Linux, Windows Enterprise Edition and Apple systems on my PC, and only install official software.
Moreover, the password manager is set to automatically lock the password manager if no operation is performed for >5 minutes and automatically clear the clipboard after >30 seconds.

Just to be clear, since you mentioned that it is “not just Chinese companies that spy”. Yes, I agree. I did not mean to suggest otherwise anywhere. My comments were more about unofficial Android ROMs that tend to disable security features. Really really cheap Android phones tend to also come with outdated Android (and some even with actual malware on them).

Without forensic access to your phone, it is hard for anyone on this forum to say what / if something got stolen, but my personal recommendation is that if you assume a certain possibility of malware on a device, dump that device and consider the data on it compromised. You might be more or less risk-averse than me.

It is completely possible that the advertisement you received was completely unrelated to your phone, and that they got the data from somewhere else.

Yes, it is precisely because I do not conduct forensic examinations on devices such as phones to determine which aspect of my privacy is being infringed upon that related companies are able to call me with marketing calls. Situations like this are not limited to me; I believe it has happened to people in free, democratic, and rule-of-law countries as well. What they discussed yesterday, their phones or PCs are pushing related products for today.

Here’s a marketing company claiming they can do this:

A marketing team within media giant Cox Media Group (CMG) claims it has the capability to listen to ambient conversations of consumers through embedded microphones in smartphones, smart TVs, and other devices to gather data and use it to target ads, according to a review of CMG marketing materials by 404 Media and details from a pitch given to an outside marketing professional. Called “Active Listening,” CMG claims the capability can identify potential customers “based on casual conversations in real time.”

And here’s an article debunking the story.

It’s theoretically possible for online marketers to eavesdrop on you, but there are significant technological hurdles to overcome before they can do that, and there’s a vanishingly small chance they would be able to pull something like this off without getting caught and punished.

The bottom line? It didn’t happen. 404 Media knew it didn’t happen, but they collected the hundreds of millions of clicks associated with this BS story anyway.

Maybe next time you see a story from 404 Media, you should tell them exactly what you think. In fact, say it out loud. And don’t worry, they won’t be able to hear you from a phone, TV, or speaker.