[GH-ISSUE #5905] [BWA-194] communication to localhost not permitted by network security policy #28242

New Issue

Closed

opened 2026-04-18 12:12:55 -05:00 by GiteaMirror · 3 comments

GiteaMirror commented 2026-04-18 12:12:55 -05:00

Owner

Copy Link

Originally created by @iwan-uschka on GitHub (Sep 18, 2025).
Original GitHub issue: https://github.com/bitwarden/android/issues/5905

Steps To Reproduce

1. Run https://github.com/bitwarden/server on a local machine at localhost:2890 (i am running https://github.com/dani-garcia/vaultwarden via Docker on macOS)
2. Connect Android Smartphone via USB to the local machine running the server.
3. Configure ADB reverse port forwarding on the local machine to enable Bitwarden app on Android accessing the locally running server (localhost:2890): adb reverse tcp:2890 tcp:2890
4. Log into account in Bitwarden Android app (select "self hosted" and use "http://localhost:2890" and correct credentials).

Expected Result

It did work before updating the app (don't know the previous version unfortunately) and it surely works in outdated v2024.10.0 (running on an old Android phone).

Actual Result

It fails in v2025.8.1.

Stacktrace:

java.net.UnknownServiceException: CLEARTEXT communication to localhost not permitted by network security policy
Ad.v.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:65)
Ad.v.a(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:679)
Ad.v.g(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:155)
Ad.m.d(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:10)
Ad.m.a(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:62)
Ad.b.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:24)
Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128)
Bd.b.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:608)
Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128)
Bd.a.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:541)
Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128)
Bd.a.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:199)
Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128)
Md.b.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:554)
Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128)
com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:43)
Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128)
com.bitwarden.network.interceptor.HeadersInterceptor.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:47)
Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128)
Ad.r.d(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:90)
Ad.o.run(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:48)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
java.lang.Thread.run(Thread.java:923)

Version: 2025.8.1 (20670)
Device: 📱 motorola Moto G (5) 🤖 11@30 📦 prod
CI: 🧱 commit: bitwarden/android/release/2025.8-rc33@b497156302a73fd2b14de16106dc218c30ec1702
💻 build source: bitwarden/android/actions/runs/17277676605/attempts/1

Screenshots or Videos

No response

Additional Context

No response

Build Version

2025.8.1

What server are you connecting to?

Self-host

Self-host Server Version

https://github.com/bitwarden/server/releases/tag/v2025.8.1

Environment Details

No response

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

Originally created by @iwan-uschka on GitHub (Sep 18, 2025). Original GitHub issue: https://github.com/bitwarden/android/issues/5905 ### Steps To Reproduce 1. Run https://github.com/bitwarden/server on a local machine at localhost:2890 (i am running https://github.com/dani-garcia/vaultwarden via Docker on macOS) 2. Connect Android Smartphone via USB to the local machine running the server. 3. Configure ADB reverse port forwarding on the local machine to enable Bitwarden app on Android accessing the locally running server (localhost:2890): `adb reverse tcp:2890 tcp:2890` 4. Log into account in Bitwarden Android app (select "self hosted" and use "http://localhost:2890" and correct credentials). ### Expected Result It did work before updating the app (don't know the previous version unfortunately) and it surely works in outdated v2024.10.0 (running on an old Android phone). ### Actual Result It fails in v2025.8.1. Stacktrace: ``` java.net.UnknownServiceException: CLEARTEXT communication to localhost not permitted by network security policy Ad.v.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:65) Ad.v.a(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:679) Ad.v.g(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:155) Ad.m.d(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:10) Ad.m.a(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:62) Ad.b.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:24) Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128) Bd.b.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:608) Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128) Bd.a.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:541) Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128) Bd.a.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:199) Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128) Md.b.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:554) Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128) com.bitwarden.network.interceptor.BaseUrlInterceptor.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:43) Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128) com.bitwarden.network.interceptor.HeadersInterceptor.intercept(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:47) Bd.h.b(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:128) Ad.r.d(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:90) Ad.o.run(r8-map-id-952a9e49ac6df5bb0f31f998a86395034d25aa88233ad3f49d0f2d5293031f08:48) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) java.lang.Thread.run(Thread.java:923) ``` Version: 2025.8.1 (20670) Device: 📱 motorola Moto G (5) 🤖 11@30 📦 prod CI: 🧱 commit: bitwarden/android/release/2025.8-rc33@b497156302a73fd2b14de16106dc218c30ec1702 💻 build source: bitwarden/android/actions/runs/17277676605/attempts/1 ### Screenshots or Videos _No response_ ### Additional Context _No response_ ### Build Version 2025.8.1 ### What server are you connecting to? Self-host ### Self-host Server Version https://github.com/bitwarden/server/releases/tag/v2025.8.1 ### Environment Details _No response_ ### Issue Tracking Info - [ ] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

GiteaMirror added the app:authenticatorbug labels 2026-04-18 12:12:55 -05:00

GiteaMirror closed this issue 2026-04-18 12:12:56 -05:00

GiteaMirror commented 2026-04-18 12:12:58 -05:00

Author

Owner

Copy Link

@bitwarden-bot commented on GitHub (Sep 18, 2025):

Thank you for your report! We've added this to our internal board for review.
ID: BWA-194

<!-- gh-comment-id:3306064013 --> @bitwarden-bot commented on GitHub (Sep 18, 2025): Thank you for your report! We've added this to our internal board for review. ID: BWA-194

GiteaMirror commented 2026-04-18 12:13:00 -05:00

Author

Owner

Copy Link

@Adedamola-Aina commented on GitHub (Sep 18, 2025):

Hello @iwan-uschka

HTTPS now required on Android: The Android Password Manager app now requires connection to a server using HTTPS. This change will only affect users who are self-hosting a Bitwarden server without a SSL/TLS certificate. Learn more about certificates here.

<!-- gh-comment-id:3306384985 --> @Adedamola-Aina commented on GitHub (Sep 18, 2025): Hello @iwan-uschka HTTPS now required on Android: The Android Password Manager app now requires connection to a server using HTTPS. This change will only affect users who are self-hosting a Bitwarden server without a SSL/TLS certificate. Learn more about certificates [here](https://bitwarden.com/help/certificates/).

GiteaMirror commented 2026-04-18 12:13:01 -05:00

Author

Owner

Copy Link

@iwan-uschka commented on GitHub (Sep 18, 2025):

Thanks @Adedamola-Aina for the quick reply. It helped a lot!

If anyone stumbles upon this issue, here is what i did to make it work (no recommendation):

• brew install caddy (https://caddyserver.com/)
• caddy reverse-proxy --from localhost:2891 --to localhost:2890 => create simple reverse proxy with HTTPS (caddy handles TLS certificates)
• copy certificate Caddy Local Authority - 2025 ECC Root to the Android device
• connect Android device to local machine via USB
• adb reverse tcp:2890 tcp:2891
• run setup in Bitwarden Android app, select "self-hosted", add the server URL "https://localhost:2890" and credentials
• stop Caddy

Now every time i want to sync the vault i need to

• caddy reverse-proxy --from localhost:2891 --to localhost:2890
• connect Android device to local machine via USB
• adb reverse tcp:2890 tcp:2891
• click on sync in the Bitwarden Android app
• stop Caddy

If anyone knows a better way of syncing the vault from a local machine to an Android device, please let me know :)

<!-- gh-comment-id:3306747886 --> @iwan-uschka commented on GitHub (Sep 18, 2025): Thanks @Adedamola-Aina for the quick reply. It helped a lot! If anyone stumbles upon this issue, here is what i did to make it work (no recommendation): - `brew install caddy` (https://caddyserver.com/) - `caddy reverse-proxy --from localhost:2891 --to localhost:2890` => create simple reverse proxy with HTTPS (caddy handles TLS certificates) - copy certificate `Caddy Local Authority - 2025 ECC Root` to the Android device - connect Android device to local machine via USB - `adb reverse tcp:2890 tcp:2891` - run setup in Bitwarden Android app, select "self-hosted", add the server URL "https://localhost:2890" and credentials - stop Caddy Now every time i want to sync the vault i need to - `caddy reverse-proxy --from localhost:2891 --to localhost:2890` - connect Android device to local machine via USB - `adb reverse tcp:2890 tcp:2891` - click on sync in the Bitwarden Android app - stop Caddy If anyone knows a better way of syncing the vault from a local machine to an Android device, please let me know :)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

sdlc/sdk-update

new-item-types/PM-32810_bank-account-view

new-item-types/PM-32810_bank-account

beta-for-qa

BWA-253/not-displaying-totp-coded-with-empty-key

target-sdk-37

vvolkgang/renovate-remove-group

pm-34038/card-scanner-qa-fixes

PM-33982/build-device-screen

PM-30625/filter-out-empty-totp-vault-count

vvolkgang/update-jira-release-notes

new-item-types/PM-34123_new-item-menu

new-item-types/PM-32806_passport

new-item-types/PM-32808_drivers-license

BWA-99/show-next-totp

BWA-99/add-preview-next-totp-code-setting

renovate/glidecompose

chore/improve-android-ui-verification-skill

sync-min-sdk

release/2026.4-rc51

fix/security-sast-22741894-bvwj

related-origin-passkey-creation

release/2026.4-rc50

platform/android-breaking-change-detection

innovation-sprint-2026-send-folder

release/2026.3-rc49

PM-34193-vault-lockout

android-collections

llm/add-resolving-sdk-updates-skill

QA-1523/sanity-test-saucelabs

release/2026.3-rc48

PM-26577-app-links-support

PM-26896-autofill-fix

release/2026.2-rc47

pr-6572

release/2026.2-rc46

release/2026.1-rc45

PM-30644/added-logs-for-debug

PM-30644/quicktile-nav-not-showing-migration

minor-gradle-updates

release/2026.1-rc42

release/2026.1-rc44

release/2026.1-rc43

PM-28834/set-landscape-on-horizonos-devices

PM-28468/validate-and-navigate-to-vault-migration

PM-20026/force-ltr-passwords-and-codes

release/2025.12-rc41

cmcg/testCoverage

PM-29014/talkback-support-for-passwords

release/2025.12-rc40

BRE-1305/publish_test

accept-user-certs

autofill-permissions

release/2025.11-rc39

PM-22479/check-all-certificates-validate-asset-links

release/2025.10-rc38

agalles/android-latest

retro-agent

PM-27001/skip-account-selection-only-one-exists-cxp

release/2025.10-rc37

agalles/test-1118

release/2025.10-rc36

PM-20593-token-refresh

QA-1126b/adding-native-sanity-test

release/2025.9-rc35

pm-25933/sdk-update-password

release/2025.9-rc34

release/2025.8-rc33

agalles/20250821-release

debug-release-issues

pm-24249-allow-automated-prs-for-sdk-updates

release/2025.8-rc32

release/WORKFLOW-TEST-2025.8-rc28

agalles/20250807release

release/2025.07-rc25

release/hotfix-v2025.7.0-bwa

pm-23311/export-vault-policy-bypass

release/2025.07-rc24

authenticator-pm-sync-flags-issue

release/hotfix-v2025.6.0-bwpm

release/2025.06-rc21

agalles/automate-android-fastlane-patch

release/2025.05-rc20

release/2025.04-rc19

languages/basque

release/2025.03-rc19

update-readme

qrcode/feature

innovation/archive/pm-19153-archive-items

qrcode/2-ui-fields

qrcode/1-page

hold-on-biometric-prompt-alternative

release-notes-process

release/2025.02-rc16

bwa-monorepo

PM-8223/new-device-verification-ux-improvements

pm-18451/exempt-from-policies

test-bwa

release/2025.01-rc15

release/2025.01-rc14

release/2024.12-rc13

pm-16670/sync-leave-notice

821

PM-16695/backport-lean-more-new-device-verification

release/hotfix-v2024.11.7

release/2024.11-rc1

pm-11304/collection-add-item-button

PM-14241/disabling-logs-app-crash

poc/offline-editing

new-version-calc

pm-11649/expired-link-services

pm-6702/add-feature-flag

pm-6702/email-verification-feature

pm-9933/marketing-copy-update

pm-6702/registration-flows

update-templates

pm-6701/email-verification-selfhost-registration

v2026.4.0-bwa

v2026.4.0-bwpm

v2026.3.1-bwa

v2026.3.1-bwpm

v2026.3.0-bwpm

v2026.3.0-bwa

v2026.2.1-bwpm

v2026.2.1-bwa

v2026.2.0-bwpm

v2026.2.0-bwa

v2026.1.1-bwa

v2026.1.1-bwpm

temp-test

v2026.1.0-bwpm

v2026.1.0-bwa

v2025.12.1-bwa

v2025.12.1-bwpm

v2025.12.0-bwa

v2025.12.0-bwpm

v2025.11.1-bwpm

v2025.11.1-bwa

v2025.11.0-bwpm

v2025.11.0-bwa

v2025.10.1-bwa

v2025.10.1-bwpm

v2025.10.0-bwa

v2025.10.0-bwpm

v2025.9.1-bwa

v2025.9.1-bwpm

v2025.9.0-bwa

v2025.9.0-bwpm

v2025.8.1-bwa

v2025.8.1-bwpm

v2025.8.0-bwa

v2025.8.0-bwpm

v2025.7.2-bwa

v2025.7.2-bwpm

v2025.7.1-bwa

v2025.7.1-bwpm

v2025.7.0-bwa

v2025.7.0-bwpm

v2025.6.1-bwpm

v2025.6.0-bwa

v2025.6.0-bwpm

v2025.1.0-bwa

v2025.5.0-bwa

v2025.5.0-bwpm

v2025.5.999

2025.4.0

v2025.4.0

untagged-4731eaadac73f3dfbbb8

v2025.3.0

v2025.2.0

untagged-815a165c5d70ffe75bc7

v2025.1.2

v2025.1.1

v2025.1.0

v2024.12.0

untagged-5a76b6392a4c8998c63a

v2024.11.7

v2024.11.6

v2024.11.5

v2024.11.4

v2024.11.3

v2024.11.2

v2024.11.1

v2024.11.0

v2024.10.2

v2024.10.1

v2024.10.0

v2024.9.0

v2024.8.1

v2024.8.0

v2024.7.3

v2024.7.2

v2024.7.1

v2024.7.0

v2024.6.1

v2024.6.0

v2024.5.1

v2024.4.1

v2024.4.2

v2024.4.0

v2024.3.3

v2024.3.1

v2024.3.0

v2024.2.1

v2024.2.0

v2024.1.1

v2024.1.0

v2023.12.0

v2023.10.0

v2023.9.2

maui-single-project-android

v2023.9.1

v2023.9.0

v2023.8.0

v2023.7.0

v2023.5.0

v2023.4.0

v2023.3.2

v2023.3.1

v2023.3.0

v2023.2.0

v2023.1.0

v2022.11.0

v2022.10.0

v2022.9.1

v2022.9.0

v2022.8.0

v2022.6.2

v2022.6.1

v2022.6.0

v2022.05.0

v2.18.0

v2.17.0

v2.16.4

v2.16.3

v2.16.2

v2.16.1

v2.15.0

v2.14.2

v2.14.1

v2.14.0

v2.13.0

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.1

v2.9.0

v2.8.2

v2.8.1

v2.8.0

v2.7.2

v2.7.0

v2.6.1

v2.6.0

v2.5.6

v.2.5.5

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.8

v2.2.7

v2.2.6

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.0

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.22.1

v1.22.0

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.4

v1.14.1

v1.14.0

v1.13.0

v1.12.2

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.0

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.5

v1.6.1

v1.6.0

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.0

v1.3.0

v1.2.1

v1.2.0

v1.1.0

v1.0.0

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels

app:authenticator

app:password-manager

bug

bug-passkey

customer-support

duplicate

enhancement

good first issue

help wanted

needs-reply

needs-response

pull-request

Mirrored from GitHub Pull Request

question

No Label app:authenticator bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/android#28242