Potential security issue with the Bitwarden Android app

I’ve discovered what I believe to be a potential security issue with the Bitwarden Android app. The issue is that you can unlock the vault by simply clearing the app from recents right after locking it.

Steps to reproduce:

  1. Launch and unlock Bitwarden vault
  2. Tap the three dot menu button in the top right, then tap ‘Lock’
  3. Wait a second or so, then clear Bitwarden from your recents.
  4. Open Bitwarden again, it will automatically unlock as if it was never locked

Screen recording:

Note that this issue only occurs when ‘Session timeout’ is set to ‘Never’, but when manually locking the vault it should stay locked, right?

1 Like

Same behaviour on my Android phone with timeout set to never.
Works OK when timeout set to 5 minutes which I normally do.

IMHO yes.

You might also be interested in searching for/filing a bug at: Issues · bitwarden/clients · GitHub

Hi @tangerine Thanks for reporting this issue!

We have been unable to reproduce this error consistently. Can you please share more details about your device and Android version so we can investigate further? You can also open a Support Ticket (on the right side of the page) so we can communicate directly if you prefer.