github-starred/android
2
0
Fork 0
mirror of https://github.com/bitwarden/android.git synced 2026-03-09 03:33:36 -05:00
Code Issues 144 Packages Projects Releases 116 Wiki Activity

[BWA-182] MTLS not used in icon retrieval logic. #2311

New Issue
Open
opened 2025-11-26 23:15:15 -06:00 by GiteaMirror · 9 comments
GiteaMirror commented 2025-11-26 23:15:15 -06:00
Owner
Copy Link

Originally created by @MijnSpam on GitHub (Aug 9, 2025).

Steps To Reproduce

First of all using MTLS with cloudflare tunnel. I can create and delete items just fine.
This generated no log rules as they pass successfully.

However in my cloudflare logs I see a block on rule being activated on: (Method GET)
/icons/ < ip of local pihole > /icon.png
and /icons/ < ip of selfhosted instance > /icon.png
As both do this on my DNS record and I see source IP to be sure it's my attempts I wonder if this is a app bug or not.
As user agent the following is mentioned
Dalvik/2.1.0 (Linux; U; Android 15; CPH2581 Build/AP3A.240617.008)

I think somewhere something in the code is skipping the MTLS check.
The app it self doesn't show any error. I only see this in the logs.

Expected Result

no security error logs

Actual Result

Security errors that no MTLS is used.

Screenshots or Videos

No response

Additional Context

No response

Build Version

2025.6.1 (20398)

What server are you connecting to?

Self-host

Self-host Server Version

2025.5.0

Environment Details

  • OnePlus 12 (Oxygen OS 15.0), Android 15 with july 2025 security update

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Originally created by @MijnSpam on GitHub (Aug 9, 2025). ### Steps To Reproduce First of all using MTLS with cloudflare tunnel. I can create and delete items just fine. This generated no log rules as they pass successfully. However in my cloudflare logs I see a block on rule being activated on: (Method GET) /icons/ < ip of local pihole > /icon.png and /icons/ < ip of selfhosted instance > /icon.png As both do this on my DNS record and I see source IP to be sure it's my attempts I wonder if this is a app bug or not. As user agent the following is mentioned Dalvik/2.1.0 (Linux; U; Android 15; CPH2581 Build/AP3A.240617.008) I think somewhere something in the code is skipping the MTLS check. The app it self doesn't show any error. I only see this in the logs. ### Expected Result no security error logs ### Actual Result Security errors that no MTLS is used. ### Screenshots or Videos _No response_ ### Additional Context _No response_ ### Build Version 2025.6.1 (20398) ### What server are you connecting to? Self-host ### Self-host Server Version 2025.5.0 ### Environment Details - OnePlus 12 (Oxygen OS 15.0), Android 15 with july 2025 security update ### Issue Tracking Info - [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
GiteaMirror added the app:authenticatorbug labels 2025-11-26 23:15:15 -06:00
GiteaMirror commented 2025-11-26 23:15:16 -06:00
Author
Owner
Copy Link

@bitwarden-bot commented on GitHub (Aug 9, 2025):

Thank you for your report! We've added this to our internal board for review.
ID: BWA-182

@bitwarden-bot commented on GitHub (Aug 9, 2025): Thank you for your report! We've added this to our internal board for review. ID: BWA-182
GiteaMirror commented 2025-11-26 23:15:16 -06:00
Author
Owner
Copy Link

@daniellbw commented on GitHub (Aug 11, 2025):

Hi there,

I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

@daniellbw commented on GitHub (Aug 11, 2025): Hi there, I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below. Thanks!
GiteaMirror commented 2025-11-26 23:15:17 -06:00
Author
Owner
Copy Link

@MijnSpam commented on GitHub (Aug 13, 2025):

I can run some additional test next Friday. I did receive an app update today so could test with that version.
If I need to setup certain logging let me know so I could include it.

@MijnSpam commented on GitHub (Aug 13, 2025): I can run some additional test next Friday. I did receive an app update today so could test with that version. If I need to setup certain logging let me know so I could include it.
GiteaMirror commented 2025-11-26 23:15:17 -06:00
Author
Owner
Copy Link

@neothematrix commented on GitHub (Aug 31, 2025):

came here to report this and found it has already been reported.
same configuration here, also using cloudflare enforcing mTLS and latest Android app (2025.8.0) on a Pixel 7.
everything works perfectly, except entry's icons are not shown in the app and cloudflare logs are showing calls to retrieve icons (i.e.: /icons/store.steampowered.com/icon.png) are blocked due to missing mTLS certificate.
all the rest of the application works perfectly

@neothematrix commented on GitHub (Aug 31, 2025): came here to report this and found it has already been reported. same configuration here, also using cloudflare enforcing mTLS and latest Android app (2025.8.0) on a Pixel 7. everything works perfectly, except entry's icons are not shown in the app and cloudflare logs are showing calls to retrieve icons (i.e.: /icons/store.steampowered.com/icon.png) are blocked due to missing mTLS certificate. all the rest of the application works perfectly
GiteaMirror commented 2025-11-26 23:15:17 -06:00
Author
Owner
Copy Link

@neothematrix commented on GitHub (Aug 31, 2025):

as additional test, I've added an exception rule on cloudflare to waive mTLS certificate restriction for /icons/* folder and icons are now appearing properly on Android app.
of course I'd like to remove the exception, so I'd be happy to provide any further detail that could help the resolution.
thanks!

@neothematrix commented on GitHub (Aug 31, 2025): as additional test, I've added an exception rule on cloudflare to waive mTLS certificate restriction for /icons/* folder and icons are now appearing properly on Android app. of course I'd like to remove the exception, so I'd be happy to provide any further detail that could help the resolution. thanks!
GiteaMirror commented 2025-11-26 23:15:17 -06:00
Author
Owner
Copy Link

@jkanbier commented on GitHub (Sep 21, 2025):

I'm really happy that MTLS is now supported on Android devices.
I too have the same problem the icon's are not loaded and I came to the same conclusion that the MTLS cert isn't used with the GET's for the images.

@jkanbier commented on GitHub (Sep 21, 2025): I'm really happy that MTLS is now supported on Android devices. I too have the same problem the icon's are not loaded and I came to the same conclusion that the MTLS cert isn't used with the GET's for the images.
GiteaMirror commented 2025-11-26 23:15:18 -06:00
Author
Owner
Copy Link

@pamperer562580892423 commented on GitHub (Sep 21, 2025):

Just for the record: this issue has the wrong tag ("app:authenticator"), as it's not about the authenticator app, but about the password manager app.

@pamperer562580892423 commented on GitHub (Sep 21, 2025): Just for the record: this issue has the **wrong tag** ("app:authenticator"), as it's not about the authenticator app, but about the password manager app.
GiteaMirror commented 2025-11-26 23:15:18 -06:00
Author
Owner
Copy Link

@MexHigh commented on GitHub (Oct 1, 2025):

Same issue here. Switched to using mTLS and saw that icons are gone. I have not seen any log entries in the flight recorder.

@MexHigh commented on GitHub (Oct 1, 2025): Same issue here. Switched to using mTLS and saw that icons are gone. I have not seen any log entries in the flight recorder.
GiteaMirror commented 2025-11-26 23:15:18 -06:00
Author
Owner
Copy Link

@SaintPatrck commented on GitHub (Nov 13, 2025):

Hi all!

I'm happy to inform you all that we have a potential fix (#6125) for this issue. Before pushing the it, we'd appreciate additional confirmation that the changes work for everyone's environment. If anyone is able and willing to test it out, builds with the changes can be found here: https://github.com/bitwarden/android/actions/runs/19336211187

@SaintPatrck commented on GitHub (Nov 13, 2025): Hi all! I'm happy to inform you all that we have a potential fix (#6125) for this issue. Before pushing the it, we'd appreciate additional confirmation that the changes work for everyone's environment. If anyone is able and willing to test it out, builds with the changes can be found here: https://github.com/bitwarden/android/actions/runs/19336211187
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
app:authenticator
app:password-manager
bug
bug-passkey
customer-support
duplicate
enhancement
good first issue
help wanted
needs-reply
needs-response
pull-request
Mirrored from GitHub Pull Request
 question
No Label app:authenticator bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/android#2311
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?