I’ve discovered what I believe to be a potential security issue with the Bitwarden Android app. The issue is that you can unlock the vault by simply clearing the app from recents right after locking it.
Steps to reproduce:
- Launch and unlock the Bitwarden vault.
- Tap the three dot menu button in the top right, then tap ‘Lock’.
- Wait a second or so, then clear Bitwarden from your recents.
- Open Bitwarden again; it will automatically unlock as if it was never locked.
Note that this issue only occurs when ‘Session timeout’ is set to ‘Never’, but when manually locking the vault it should stay locked, right?