Implementing mTLS in the Bitwarden Apps

Bjoerek · February 28, 2024, 11:00am

mTLS provides advanced security by mutually authenticating client and server using certificates. This prevents unauthorized access and protects against identity theft, significantly enhancing data security. Integrating mTLS across Bitwarden platforms, including iOS App, Android App, and browser extensions, would provide a massive security benefit, establishing Bitwarden as a trusted tool for sensitive data across all devices and environments.

There is a answer from 2018 in this post.

Bjoerek · March 1, 2024, 7:10pm

I sawed this german articel about an new framework used for the app.
Bitwarden bekommt native Apps (stadt-bremerhaven.de)
Maybe this new framework implements mTLS?!

cyber-o · March 6, 2024, 12:13pm

I also need this…

bbf · April 10, 2024, 3:55pm

I have been trying waiting for this for years as well. I do not trust a service like this to be exposed directly due to the blast radius of a simple bug. Having only the surface area of a mtls forward proxy is a lot easier to mitigate from bugs, specially when you write your own, and formally prove it as safe.

This has been the major factor that prevents me from recommending Bitwarden more broadly. Please devs, this shouldn’t be a huge change, and definitely makes a world of difference to many of us.

bbf · April 11, 2024, 12:07am

Here is an example integration for Xamarin:

github.com

anaselhajjaji/Xamarin.MutualAuthent/blob/master/Android.Client/MainActivity.cs

using System;
using System.Text;
using System.IO;
using System.Threading.Tasks;
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

using Android.App;
using Android.Widget;
using Android.OS;
using Java.Security;
using Javax.Net.Ssl;

namespace Android.Client
{
    [Activity(Label = "Android.Client", MainLauncher = true, Icon = "@mipmap/icon")]
    public class MainActivity : Activity, IHandshakeCompletedListener
    {

This file has been truncated. show original

bbf · April 11, 2024, 12:10am

And here is an example on how to retrieve from the Android KeyStore instead of an arbitrary file:

Bjoerek · April 22, 2024, 1:22pm

Ok so i did some further research.

I found this Pull Request with an working solution to the Problem.
The PR sadly got closed due trough this comment

github.com/bitwarden/mobile

[PM-3089] mTLS - Authenticate with Client Certificate

bitwarden:main ← oguzhane:master

opened 06:21PM - 19 Jul 23 UTC

oguzhane

+980 -78

## Type of change - [ ] Bug fix - [x] New feature development - [ ] Tech debt… (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ## Objective This PR brings ability to login a bitwarden server by using a client certificate. The functionility has been implemented for Android. User can import a X509 client certificate in pkcs#12 format to KeyStore or user can use existing certificates from keychain. See: #582 ## Code changes **CertificateService.cs**: responsible to interact with platform's native key management apis. **AdvancedPage.xaml**: page where user setup the certificate. **AndroidHttpsHandler.cs**: http handler that send the requests with client certificate ## Screenshots Demo https://github.com/bitwarden/mobile/assets/4419532/a100dfc5-abfa-481b-b4fb-fe8cff1f67ed ## Before you submit - Please check for formatting errors (`dotnet format --verify-no-changes`) (required) - Please add **unit tests** where it makes sense to do so (encouraged but not required) - If this change requires a **documentation update** - notify the documentation team - If this change has particular **deployment requirements** - notify the DevOps team

Hi All, looks like lots of or community members were interested to see this feature being implemented, but we have some upcoming changes coming soon for our mobile app which is pretty significant, and unfortunately this contribution doesn’t align with that direction, now. What we are working on could fix this, or we could possibly revisit this feature once that is done. Unfortunately this PR would have to be closed. Thank you!

grb · April 22, 2024, 2:52pm

As explained in this Reddit post from @kspearrin, Bitwarden is moving away from the Xamarin framework and rewriting the mobile apps using Swift (for iOS) and Kotlin (for Android).

DenBesten · April 22, 2024, 3:04pm

“Login and unlock vault with Passkey” behaves similarly to mTLS in terms of risk mitigation. Although I concur that mTLS seems more straightforward, I do believe that passkey will more quickly make it to production. Might be worth deciding if you consider the passkey approach a reasonable compromise.