[PR #6126] [PM-27752] Add certificate signature verification to AuthenticatorBridge #6338

Closed
opened 2025-11-27 00:22:29 -06:00 by GiteaMirror · 0 comments
Owner

Original Pull Request: https://github.com/bitwarden/android/pull/6126

State: closed
Merged: Yes


🎟️ Tracking

Fixes PM-27752 (clones VULN-314)

📔 Objective

This PR implements cryptographic certificate signature verification in the AuthenticatorBridge library to prevent malicious applications from spoofing legitimate Password Manager package names and intercepting TOTP secrets.

Problem: The original implementation only validated package names via string comparison, which is insufficient security. A malicious app could register with a matching package name (e.g., com.x8bit.bitwarden) and intercept sensitive TOTP data during inter-app communication.

Solution:

  • Introduced PasswordManagerSignatureVerifier that validates APK signing certificates using SHA-256 fingerprints against a hardcoded whitelist
  • Rejects apps with multiple signers to prevent signature rotation attacks
  • Uses GET_SIGNING_CERTIFICATES (API 28+) for secure certificate retrieval
  • Implements fail-closed error handling on all validation paths
  • Separate certificate whitelists for debug/release build variants

Security Impact: This change establishes cryptographic proof of application identity, ensuring only genuine Bitwarden Password Manager apps can connect to the Authenticator Bridge and access TOTP secrets.

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes
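The kind of verifier the PR describes, written out as an added Kotlin example. This is not the Bitwarden project's code and not the actual `PasswordManagerSignatureVerifier`; the class and package names, the placeholder fingerprints, and the assumption that the bridge service identifies its caller by Binder UID are all the example's own. It shows the four properties the description lists: certificates fetched with `GET_SIGNING_CERTIFICATES` (API 28+), rejection of any package that has more than one signer, SHA-256 fingerprint comparison against a hardcoded allowlist chosen per build variant, and fail-closed handling on every error path.

```kotlin
package com.example.bridge // hypothetical package, not the Bitwarden code base

import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

/**
 * Added example (not the project's own code): decides whether an installed package
 * is signed with exactly one certificate whose SHA-256 fingerprint is allowlisted.
 * Every failure path returns false, so an unexpected state never grants access.
 */
class PackageSignatureVerifier(
    private val packageManager: PackageManager,
    allowedFingerprints: Set<String>,
) {
    // Normalise once so comparisons are not sensitive to hex case or separators.
    private val allowed: Set<String> =
        allowedFingerprints.map { it.replace(":", "").lowercase() }.toSet()

    fun isTrusted(packageName: String): Boolean {
        // SigningInfo and GET_SIGNING_CERTIFICATES exist only from API 28 (P).
        // The pre-28 alternative, GET_SIGNATURES, is deprecated; refuse rather than fall back.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return false

        val packageInfo = try {
            packageManager.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        } catch (e: PackageManager.NameNotFoundException) {
            return false // package is not installed
        } catch (e: Exception) {
            return false // any other PackageManager failure: fail closed
        }

        val signingInfo = packageInfo.signingInfo ?: return false

        // Multiple signers means the platform cannot attribute the APK to a single
        // certificate; the PR rejects this case outright, and so do we.
        if (signingInfo.hasMultipleSigners()) return false

        val signers = signingInfo.apkContentsSigners ?: return false
        if (signers.size != 1) return false

        // Hash the DER-encoded certificate, not a string form of it.
        val fingerprint = sha256Hex(signers[0].toByteArray())
        return fingerprint in allowed
    }

    /**
     * A package name carried inside an IPC message can be spoofed; the UID reported
     * by Binder cannot. Assumption: the bridge service calls this from a Binder
     * method with Binder.getCallingUid(). All packages sharing the UID must pass.
     */
    fun isTrustedUid(uid: Int): Boolean {
        val packages = packageManager.getPackagesForUid(uid) ?: return false
        return packages.isNotEmpty() && packages.all(::isTrusted)
    }

    private fun sha256Hex(bytes: ByteArray): String =
        MessageDigest.getInstance("SHA-256").digest(bytes)
            .joinToString("") { "%02x".format(it) }
}

/** Separate allowlists per build variant, as the PR description states. */
object PasswordManagerAllowlist {
    // Placeholder values, not real Bitwarden fingerprints. Obtain the real ones from
    // the signing certificate, e.g. `apksigner verify --print-certs <apk>`.
    private val RELEASE = setOf("<release-signing-cert-sha256-placeholder>")
    private val DEBUG = setOf("<debug-signing-cert-sha256-placeholder>")

    // Never ship the debug set in a release build; select it at build time only.
    fun forBuild(isDebugBuild: Boolean): Set<String> = if (isDebugBuild) DEBUG else RELEASE
}

/** Usage: construct once per process with the variant's allowlist. */
fun createVerifier(context: Context, isDebugBuild: Boolean): PackageSignatureVerifier =
    PackageSignatureVerifier(
        context.packageManager,
        PasswordManagerAllowlist.forBuild(isDebugBuild),
    )
```

The check hashes the DER bytes returned by `Signature.toByteArray()`, which is what the `apksigner` fingerprint is computed over, so allowlist values can be taken straight from the signing tool's output. Checking the Binder UID rather than a self-reported package name is the part the PR text does not spell out; without it, a verifier still only proves that some trusted package is installed, not that the trusted package is the one talking to the service.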
GiteaMirror added the pull-request label 2025-11-27 00:22:29 -06:00
Reference: github-starred/android#6338