Implementing mTLS in the Bitwarden Apps

mTLS provides advanced security by mutually authenticating client and server using certificates. This prevents unauthorized access and protects against identity theft, significantly enhancing data security. Integrating mTLS across Bitwarden platforms, including iOS App, Android App, and browser extensions, would provide a massive security benefit, establishing Bitwarden as a trusted tool for sensitive data across all devices and environments.

There is an answer from 2018 in this post.

I saw this German article about a new framework used for the app.
Bitwarden bekommt native Apps (stadt-bremerhaven.de)
Maybe this new framework implements mTLS?!

I also need this…

I have been waiting for this for years as well. I do not trust a service like this to be exposed directly due to the blast radius of a simple bug. Having only the surface area of an mTLS forward proxy is a lot easier to mitigate from bugs, especially when you write your own and formally prove it as safe.

This has been the major factor that prevents me from recommending Bitwarden more broadly. Please devs, this shouldn’t be a huge change, and definitely makes a world of difference to many of us.

Here is an example integration for Xamarin:

And here is an example on how to retrieve from the Android KeyStore instead of an arbitrary file:

Ok so I did some further research.

I found this Pull Request with a working solution to the problem.
The PR sadly got closed due to this comment:

Hi All, looks like lots of our community members were interested to see this feature being implemented, but we have some upcoming changes coming soon for our mobile app which is pretty significant, and unfortunately this contribution doesn’t align with that direction, now. What we are working on could fix this, or we could possibly revisit this feature once that is done. Unfortunately this PR would have to be closed. Thank you!

As explained in this Reddit post from @kspearrin, Bitwarden is moving away from the Xamarin framework and rewriting the mobile apps using Swift (for iOS) and Kotlin (for Android).

“Login and unlock vault with Passkey” behaves similarly to mTLS in terms of risk mitigation. Although I concur that mTLS seems more straightforward, I do believe that passkey will more quickly make it to production. Might be worth deciding if you consider the passkey approach a reasonable compromise.

My security concern is not encryption related, but the surface area exposed to attacks. By having a forward proxy and having it require mTLS authentication, I can prevent any bytes from reaching Bitwarden’s server without authenticating there first. I then have to secure a single software stack (the forward proxy) rather than having to worry about multiple.

The typical approach to mitigating that concern seems to be to use a client-to-site VPN.

This FR is more about mTLS between the bitwarden client and the bitwarden server.

The typical approach, maybe… and that’s what I already do.

I disagree about the focus of the FR though. If you see the linked topic on the original post, it’s referring to using a reverse proxy with mTLS. To a client, whether the reverse proxy or the Bitwarden server is negotiating the TLS session makes no difference to how the client has to behave. So as long as the client supports passing a system-wide cert to whoever is terminating the TLS session, I’m good with that. :wink:
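As an added illustration of the proxy setup discussed in the two posts above (an mTLS-terminating proxy in front of the Bitwarden server), here is an nginx server block that requires a client certificate before anything is forwarded upstream. This is example configuration written for this thread, not Bitwarden's own deployment or anything from the linked PR; the hostname, certificate paths, CA file and upstream address are placeholders.

```nginx
# Added example, not from the thread or from Bitwarden: a reverse proxy that
# terminates TLS, insists on a client certificate (mTLS), and only then
# forwards the request to the Bitwarden server on the internal network.
server {
    listen 443 ssl;
    server_name vault.example.com;            # placeholder hostname

    # Server certificate presented to clients (placeholder paths)
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Require a client certificate chaining to this private CA. A client that
    # presents none, or one the CA did not issue, is rejected by nginx before
    # the request is proxied, so no application bytes reach Bitwarden.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;   # placeholder path
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Defence in depth: refuse to proxy unless verification succeeded.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Placeholder address of the Bitwarden server on the internal network
        proxy_pass http://bitwarden-internal:8080;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Pass the authenticated client identity upstream for logging
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

The proxy half is the easy part; what the thread is asking for is the client half, i.e. the Bitwarden apps presenting a certificate from the device or system store during the handshake. Without that, only clients such as browsers that already support system-wide client certificates can get past a proxy configured like this.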