github-starred/android
2
0
Fork 0
mirror of https://github.com/bitwarden/android.git synced 2026-05-07 03:23:29 -05:00
Code Issues 1.1k Packages Projects Releases 122 Wiki Activity

Cannot use/create passkeys with Mull #2007

New Issue
Closed
opened 2025-11-26 23:04:45 -06:00 by GiteaMirror · 16 comments
GiteaMirror commented 2025-11-26 23:04:45 -06:00
Owner
Copy Link

Originally created by @lucasmz-dev on GitHub (Sep 20, 2024).

Bitwarden Beta

  • I'm using the new native Bitwarden Beta app and I'm aware that legacy .NET app bugs should be reported in bitwarden/mobile

Steps To Reproduce

  1. Get Mull from F-Droid
  2. Try creating a passkey with it on e.g. GitHub

Expected Result

Successful creation and registration of the passkey

Actual Result

Error about "not being a privileged browser" shows up.

Screenshots or Videos

No response

Additional Context

There are two versions of Mull, I haven't tested both; one is from F-Droid and built, verified/signed by F-Droid, and one comes from DivestOS' app repo.

This works fine in regular Firefox.

Build Version

2024.8.1

Environment Details

  • Device: Moto G52 "rhode"
  • System version: CalyxOS 5.11.1, Android 14

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Originally created by @lucasmz-dev on GitHub (Sep 20, 2024). ### Bitwarden Beta - [x] I'm using the new native Bitwarden Beta app and I'm aware that legacy .NET app bugs should be reported in [bitwarden/mobile](https://github.com/bitwarden/mobile) ### Steps To Reproduce 1. Get Mull from F-Droid 2. Try creating a passkey with it on e.g. GitHub ### Expected Result Successful creation and registration of the passkey ### Actual Result Error about "not being a privileged browser" shows up. ### Screenshots or Videos _No response_ ### Additional Context There are two versions of Mull, I haven't tested both; one is from F-Droid and built, verified/signed by F-Droid, and one comes from DivestOS' app repo. This works fine in regular Firefox. ### Build Version 2024.8.1 ### Environment Details - Device: Moto G52 "rhode" - System version: CalyxOS 5.11.1, Android 14 ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the bug label 2025-11-26 23:04:45 -06:00
GiteaMirror commented 2025-11-26 23:04:46 -06:00
Author
Owner
Copy Link

@bitwarden-bot commented on GitHub (Sep 20, 2024):

Thank you for your report! We've added this to our internal board for review.
ID: PM-12414

@bitwarden-bot commented on GitHub (Sep 20, 2024): Thank you for your report! We've added this to our internal board for review. ID: PM-12414
GiteaMirror commented 2025-11-26 23:04:46 -06:00
Author
Owner
Copy Link

@singh9596 commented on GitHub (Sep 22, 2024):

+1. It doesn't work even with the add-on

@singh9596 commented on GitHub (Sep 22, 2024): +1. It doesn't work even with the add-on
GiteaMirror commented 2025-11-26 23:04:47 -06:00
Author
Owner
Copy Link

@lucasmz-dev commented on GitHub (Sep 22, 2024):

using the add-on would also be inconvenient af this is meant to work with android, really

@lucasmz-dev commented on GitHub (Sep 22, 2024): using the add-on would also be inconvenient af this is meant to work with android, really
GiteaMirror commented 2025-11-26 23:04:47 -06:00
Author
Owner
Copy Link

@singh9596 commented on GitHub (Sep 22, 2024):

using the add-on would also be inconvenient af this is meant to work with android, really

Well, i tried with add on as well. It didn't work. Add-on is good for desktop but not for phones. Those pop-ups really spoils the browsing experience. Anyways. I guess it only works with chrome. None of the passkeys works on browsers other than chrome

@singh9596 commented on GitHub (Sep 22, 2024): > using the add-on would also be inconvenient af this is meant to work with android, really Well, i tried with add on as well. It didn't work. Add-on is good for desktop but not for phones. Those pop-ups really spoils the browsing experience. Anyways. I guess it only works with chrome. None of the passkeys works on browsers other than chrome
GiteaMirror commented 2025-11-26 23:04:47 -06:00
Author
Owner
Copy Link

@lucasmz-dev commented on GitHub (Sep 22, 2024):

@singhh9596 Can I ask what your setup is? Are you using stock Android?
To me, Bitwarden passkeys work for Firefox and forks, but not any Chromium based browsers at all even after changing the Android Credential Management flag. Mull has the extra issue of not being "privileged" which doesn't let me create passkeys.

microG passkeys do not work for me (neither would I want to use them, they're not backed up IG) due to https://gitlab.com/CalyxOS/calyxos/-/issues/2115

Also more on this issue from the CalyxOS side: https://gitlab.com/CalyxOS/calyxos/-/issues/2621

@lucasmz-dev commented on GitHub (Sep 22, 2024): @singhh9596 Can I ask what your setup is? Are you using stock Android? To me, Bitwarden passkeys work for Firefox and forks, but not any Chromium based browsers at all even after changing the Android Credential Management flag. Mull has the extra issue of not being "privileged" which doesn't let me create passkeys. microG passkeys do not work for me (neither would I want to use them, they're not backed up IG) due to https://gitlab.com/CalyxOS/calyxos/-/issues/2115 Also more on this issue from the CalyxOS side: https://gitlab.com/CalyxOS/calyxos/-/issues/2621
GiteaMirror commented 2025-11-26 23:04:48 -06:00
Author
Owner
Copy Link

@SkewedZeppelin commented on GitHub (Sep 24, 2024):

There are two versions of Mull

they're identical

Fennec and Mull benefit from microG installed for improved functionality of this: https://gitlab.com/relan/fennecbuild/-/issues/34#note_1666876427

Chromium and Firefox and forks expect real Play Services

Cromite has no support at all however

@SkewedZeppelin commented on GitHub (Sep 24, 2024): > There are two versions of Mull they're identical Fennec and Mull benefit from microG installed for improved functionality of this: https://gitlab.com/relan/fennecbuild/-/issues/34#note_1666876427 Chromium and Firefox and forks expect real Play Services Cromite has no support at all however
GiteaMirror commented 2025-11-26 23:04:48 -06:00
Author
Owner
Copy Link

@singh9596 commented on GitHub (Sep 24, 2024):

Uploading Screenshot_20240924_203711_Mull.jpg…

@singhh9596 Can I ask what your setup is? Are you using stock Android? To me, Bitwarden passkeys work for Firefox and forks, but not any Chromium based browsers at all even after changing the Android Credential Management flag. Mull has the extra issue of not being "privileged" which doesn't let me create passkeys.

microG passkeys do not work for me (neither would I want to use them, they're not backed up IG) due to https://gitlab.com/CalyxOS/calyxos/-/issues/2115

Also more on this issue from the CalyxOS side: https://gitlab.com/CalyxOS/calyxos/-/issues/2621

I've 2 devices. One is running on oneUI and the other one is on stock android. And I'm using mull (github version). I was thinking of migrating my data to samsung pass. But I'll have to manage 2 password managers.

@singh9596 commented on GitHub (Sep 24, 2024): ![Uploading Screenshot_20240924_203711_Mull.jpg…]() > @singhh9596 Can I ask what your setup is? Are you using stock Android? To me, Bitwarden passkeys work for Firefox and forks, but not any Chromium based browsers at all even after changing the Android Credential Management flag. Mull has the extra issue of not being "privileged" which doesn't let me create passkeys. > > microG passkeys do not work for me (neither would I want to use them, they're not backed up IG) due to https://gitlab.com/CalyxOS/calyxos/-/issues/2115 > > Also more on this issue from the CalyxOS side: https://gitlab.com/CalyxOS/calyxos/-/issues/2621 I've 2 devices. One is running on oneUI and the other one is on stock android. And I'm using mull (github version). I was thinking of migrating my data to samsung pass. But I'll have to manage 2 password managers.
GiteaMirror commented 2025-11-26 23:04:48 -06:00
Author
Owner
Copy Link

@lucasmz-dev commented on GitHub (Sep 24, 2024):

they're identical

They aren't signed the same though right? I would expect this to potentially be an issue if Bitwarden has to approve browsers

@lucasmz-dev commented on GitHub (Sep 24, 2024): > they're identical They aren't signed the same though right? I would expect this to potentially be an issue if Bitwarden has to approve browsers
GiteaMirror commented 2025-11-26 23:04:49 -06:00
Author
Owner
Copy Link

@SkewedZeppelin commented on GitHub (Sep 24, 2024):

@lucasmz-dev
fair, that is the only difference, otherwise they are the same codebase & variant

@SkewedZeppelin commented on GitHub (Sep 24, 2024): @lucasmz-dev fair, that is the only difference, otherwise they are the same codebase & variant
GiteaMirror commented 2025-11-26 23:04:49 -06:00
Author
Owner
Copy Link

@SaintPatrck commented on GitHub (Sep 26, 2024):

Thank you for reporting your issue. This is expected behavior. In order for Bitwarden to accept FIDO 2 requests from Mull (or any other browser) on behalf of other relying parties, it must be included in our list of known privileged applications.1 This is in accordance with the Android Credential Manager integration guidelines regarding privileged applications.2

@SaintPatrck commented on GitHub (Sep 26, 2024): Thank you for reporting your issue. This is expected behavior. In order for Bitwarden to accept FIDO 2 requests from Mull (or any other browser) on behalf of other relying parties, it must be included in our list of known privileged applications.[^1] This is in accordance with the Android Credential Manager integration guidelines regarding privileged applications.[^2] [^1]: [fido2_privileged_allow_list.json](https://github.com/bitwarden/android/blob/main/app/src/main/assets/fido2_privileged_allow_list.json) [^2]: [Credential Provider - Obtain an allowlist of privileged apps](https://developer.android.com/identity/sign-in/credential-provider#obtain-allowlist)
GiteaMirror commented 2025-11-26 23:04:49 -06:00
Author
Owner
Copy Link

@SkewedZeppelin commented on GitHub (Sep 26, 2024):

Since I already had issues with your CLA last time, here is the section if you want to add it:

    {
      "type": "android",
      "info": {
        "package_name": "us.spotco.fennec_dos",
        "signatures": [
          {
            "build": "release",
            "cert_fingerprint_sha256": "26:0E:0A:49:67:8C:78:B7:0C:02:D6:53:7A:DD:3B:6D:C0:A1:71:71:BB:DE:8C:E7:5F:D4:02:6A:8A:3E:18:D2"
          },
          {
            "build": "release",
            "cert_fingerprint_sha256": "FF:81:F5:BE:56:39:65:94:EE:E7:0F:EF:28:32:25:6E:15:21:41:22:E2:BA:9C:ED:D2:60:05:FF:D4:BC:AA:A8"
          }
        ]
      }
    },

the first key is from the official DivestOS.org version:

the second key is from the F-Droid.org built/signed version:

if you need some qualifier for its inclusion:

My Mulch was also supposed to be added a year ago: https://github.com/bitwarden/android/pull/2427#issuecomment-1778886888
Not sure what happened there, but here is that too:

    {
      "type": "android",
      "info": {
        "package_name": "us.spotco.mulch",
        "signatures": [
          {
            "build": "release",
            "cert_fingerprint_sha256": "26:0E:0A:49:67:8C:78:B7:0C:02:D6:53:7A:DD:3B:6D:C0:A1:71:71:BB:DE:8C:E7:5F:D4:02:6A:8A:3E:18:D2"
          }
        ]
      }
    },

version history for that is here: https://divestos.org/misc/ch-dates.txt

@SkewedZeppelin commented on GitHub (Sep 26, 2024): Since I already had issues with your CLA last time, here is the section if you want to add it: ``` { "type": "android", "info": { "package_name": "us.spotco.fennec_dos", "signatures": [ { "build": "release", "cert_fingerprint_sha256": "26:0E:0A:49:67:8C:78:B7:0C:02:D6:53:7A:DD:3B:6D:C0:A1:71:71:BB:DE:8C:E7:5F:D4:02:6A:8A:3E:18:D2" }, { "build": "release", "cert_fingerprint_sha256": "FF:81:F5:BE:56:39:65:94:EE:E7:0F:EF:28:32:25:6E:15:21:41:22:E2:BA:9C:ED:D2:60:05:FF:D4:BC:AA:A8" } ] } }, ``` the first key is from the official DivestOS.org version: - https://divestos.org/apks/official/fdroid/repo/us.spotco.fennec_dos_21290200.apk the second key is from the F-Droid.org built/signed version: - https://f-droid.org/repo/us.spotco.fennec_dos_21290200.apk - https://f-droid.org/repo/us.spotco.fennec_dos_21290200.apk.asc if you need some qualifier for its inclusion: - included here: https://github.com/bitwarden/mobile/blob/main/src/App/Platforms/Android/Autofill/AutofillHelpers.cs#L147 - via https://github.com/bitwarden/mobile/commit/ae763ebca86d77599223f3198dc9a11a58819624 - version history is here: https://divestos.org/misc/ffa-dates.txt - listed here: https://privacytests.org/android - download stats from F-Droid.org primary servers: https://divestos.org/images/fdroidstats/13215-us.spotco.fennec_dos.png My Mulch was also supposed to be added a year ago: https://github.com/bitwarden/android/pull/2427#issuecomment-1778886888 Not sure what happened there, but here is that too: ``` { "type": "android", "info": { "package_name": "us.spotco.mulch", "signatures": [ { "build": "release", "cert_fingerprint_sha256": "26:0E:0A:49:67:8C:78:B7:0C:02:D6:53:7A:DD:3B:6D:C0:A1:71:71:BB:DE:8C:E7:5F:D4:02:6A:8A:3E:18:D2" } ] } }, ``` version history for that is here: https://divestos.org/misc/ch-dates.txt
GiteaMirror commented 2025-11-26 23:04:49 -06:00
Author
Owner
Copy Link

@SkewedZeppelin commented on GitHub (Sep 26, 2024):

You might also consider adding Fennec F-Droid too of which I co-maintain, it is also already in the autofill list.

    {
      "type": "android",
      "info": {
        "package_name": "org.mozilla.fennec_fdroid",
        "signatures": [
          {
            "build": "release",
            "cert_fingerprint_sha256": "06:66:53:58:EF:D8:BA:05:BE:23:6A:47:A1:2C:B0:95:8D:7D:75:DD:93:9D:77:C2:B3:1F:53:98:53:7E:BD:C5"
          }
        ]
      }
    },

key is from the F-Droid.org built/signed version:

@SkewedZeppelin commented on GitHub (Sep 26, 2024): You might also consider adding Fennec F-Droid too of which I co-maintain, it is also already in the autofill list. ``` { "type": "android", "info": { "package_name": "org.mozilla.fennec_fdroid", "signatures": [ { "build": "release", "cert_fingerprint_sha256": "06:66:53:58:EF:D8:BA:05:BE:23:6A:47:A1:2C:B0:95:8D:7D:75:DD:93:9D:77:C2:B3:1F:53:98:53:7E:BD:C5" } ] } }, ``` key is from the F-Droid.org built/signed version: - https://f-droid.org/repo/org.mozilla.fennec_fdroid_1290200.apk
GiteaMirror commented 2025-11-26 23:04:50 -06:00
Author
Owner
Copy Link

@lucasmz-dev commented on GitHub (Oct 1, 2024):

Before just creating passkeys didn't work, now, it seems using them is also not working. I guess that was just a bug in the specification in the previous version of the Bitwarden beta native app.

Please do add these to the allowlist. Mull is a great browser, trusted by many. It is the chosen one for anyone using anything like Arkenfox on the desktop.

@lucasmz-dev commented on GitHub (Oct 1, 2024): Before just creating passkeys didn't work, now, it seems using them is also not working. I guess that was just a bug in the specification in the previous version of the Bitwarden beta native app. Please do add these to the allowlist. Mull is a great browser, trusted by many. It is *the* chosen one for anyone using anything like Arkenfox on the desktop.
GiteaMirror commented 2025-11-26 23:04:50 -06:00
Author
Owner
Copy Link

@lucasmz-dev commented on GitHub (Oct 4, 2024):

@SaintPatrck Maybe it'd make sense to re-open this since there would still be the need for this to implemented in the code?

@lucasmz-dev commented on GitHub (Oct 4, 2024): @SaintPatrck Maybe it'd make sense to re-open this since there would still be the need for this to implemented in the code?
GiteaMirror commented 2025-11-26 23:04:50 -06:00
Author
Owner
Copy Link

@lucasmz-dev commented on GitHub (Oct 4, 2024):

Ah nevermind! I see #4022!
Nice to see! Thank you so much for prioritizing this. Y'all amazing!

@lucasmz-dev commented on GitHub (Oct 4, 2024): Ah nevermind! I see #4022! Nice to see! Thank you so much for prioritizing this. Y'all amazing!
GiteaMirror commented 2025-11-26 23:04:51 -06:00
Author
Owner
Copy Link

@singh9596 commented on GitHub (Nov 16, 2024):

Working fine on android 14 now

@singh9596 commented on GitHub (Nov 16, 2024): Working fine on android 14 now
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
app:authenticator
app:password-manager
bug
bug-passkey
customer-support
duplicate
enhancement
good first issue
help wanted
needs-reply
needs-response
pull-request
Mirrored from GitHub Pull Request
 question
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/android#2007
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?