Cannot use/create passkeys with Mull

[lucasmz-dev]

Bitwarden Beta

• I'm using the new native Bitwarden Beta app and I'm aware that legacy .NET app bugs should be reported in bitwarden/mobile

Steps To Reproduce

1. Get Mull from F-Droid
2. Try creating a passkey with it on e.g. GitHub

Expected Result

Successful creation and registration of the passkey

Actual Result

Error about "not being a privileged browser" shows up.

Screenshots or Videos

No response

Additional Context

There are two versions of Mull, I haven't tested both; one is from F-Droid and built, verified/signed by F-Droid, and one comes from DivestOS' app repo.

This works fine in regular Firefox.

Build Version

2024.8.1

Environment Details

• Device: Moto G52 "rhode"
• System version: CalyxOS 5.11.1, Android 14

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[bitwarden-bot]

Thank you for your report! We've added this to our internal board for review.
ID: PM-12414

[singhh9596]

+1. It doesn't work even with the add-on

[lucasmz-dev]

using the add-on would also be inconvenient af this is meant to work with android, really

[singhh9596]

using the add-on would also be inconvenient af this is meant to work with android, really

Well, i tried with add on as well. It didn't work. Add-on is good for desktop but not for phones. Those pop-ups really spoils the browsing experience. Anyways. I guess it only works with chrome. None of the passkeys works on browsers other than chrome

[lucasmz-dev]

@singhh9596 Can I ask what your setup is? Are you using stock Android?
To me, Bitwarden passkeys work for Firefox and forks, but not any Chromium based browsers at all even after changing the Android Credential Management flag. Mull has the extra issue of not being "privileged" which doesn't let me create passkeys.

microG passkeys do not work for me (neither would I want to use them, they're not backed up IG) due to https://gitlab.com/CalyxOS/calyxos/-/issues/2115

Also more on this issue from the CalyxOS side: https://gitlab.com/CalyxOS/calyxos/-/issues/2621

[SkewedZeppelin]

There are two versions of Mull

they're identical

Fennec and Mull benefit from microG installed for improved functionality of this: https://gitlab.com/relan/fennecbuild/-/issues/34#note_1666876427

Chromium and Firefox and forks expect real Play Services

Cromite has no support at all however

[singhh9596]

@singhh9596 Can I ask what your setup is? Are you using stock Android? To me, Bitwarden passkeys work for Firefox and forks, but not any Chromium based browsers at all even after changing the Android Credential Management flag. Mull has the extra issue of not being "privileged" which doesn't let me create passkeys.

microG passkeys do not work for me (neither would I want to use them, they're not backed up IG) due to https://gitlab.com/CalyxOS/calyxos/-/issues/2115

Also more on this issue from the CalyxOS side: https://gitlab.com/CalyxOS/calyxos/-/issues/2621

I've 2 devices. One is running on oneUI and the other one is on stock android. And I'm using mull (github version). I was thinking of migrating my data to samsung pass. But I'll have to manage 2 password managers.

[lucasmz-dev]

they're identical

They aren't signed the same though right? I would expect this to potentially be an issue if Bitwarden has to approve browsers

[SkewedZeppelin]

@lucasmz-dev
fair, that is the only difference, otherwise they are the same codebase & variant

[SaintPatrck]

Thank you for reporting your issue. This is expected behavior. In order for Bitwarden to accept FIDO 2 requests from Mull (or any other browser) on behalf of other relying parties, it must be included in our list of known privileged applications.¹ This is in accordance with the Android Credential Manager integration guidelines regarding privileged applications.²

Footnotes

1. fido2_privileged_allow_list.json ↩

2. Credential Provider - Obtain an allowlist of privileged apps ↩

[SkewedZeppelin]

Since I already had issues with your CLA last time, here is the section if you want to add it:

    {
      "type": "android",
      "info": {
        "package_name": "us.spotco.fennec_dos",
        "signatures": [
          {
            "build": "release",
            "cert_fingerprint_sha256": "26:0E:0A:49:67:8C:78:B7:0C:02:D6:53:7A:DD:3B:6D:C0:A1:71:71:BB:DE:8C:E7:5F:D4:02:6A:8A:3E:18:D2"
          },
          {
            "build": "release",
            "cert_fingerprint_sha256": "FF:81:F5:BE:56:39:65:94:EE:E7:0F:EF:28:32:25:6E:15:21:41:22:E2:BA:9C:ED:D2:60:05:FF:D4:BC:AA:A8"
          }
        ]
      }
    },

the first key is from the official DivestOS.org version:

• https://divestos.org/apks/official/fdroid/repo/us.spotco.fennec_dos_21290200.apk

the second key is from the F-Droid.org built/signed version:

• https://f-droid.org/repo/us.spotco.fennec_dos_21290200.apk
• https://f-droid.org/repo/us.spotco.fennec_dos_21290200.apk.asc

if you need some qualifier for its inclusion:

• included here: https://github.com/bitwarden/mobile/blob/main/src/App/Platforms/Android/Autofill/AutofillHelpers.cs#L147
  • via bitwarden/mobile@ae763eb
• version history is here: https://divestos.org/misc/ffa-dates.txt
• listed here: https://privacytests.org/android
• download stats from F-Droid.org primary servers: https://divestos.org/images/fdroidstats/13215-us.spotco.fennec_dos.png

My Mulch was also supposed to be added a year ago: #2427 (comment)
Not sure what happened there, but here is that too:

    {
      "type": "android",
      "info": {
        "package_name": "us.spotco.mulch",
        "signatures": [
          {
            "build": "release",
            "cert_fingerprint_sha256": "26:0E:0A:49:67:8C:78:B7:0C:02:D6:53:7A:DD:3B:6D:C0:A1:71:71:BB:DE:8C:E7:5F:D4:02:6A:8A:3E:18:D2"
          }
        ]
      }
    },

version history for that is here: https://divestos.org/misc/ch-dates.txt

[SkewedZeppelin]

You might also consider adding Fennec F-Droid too of which I co-maintain, it is also already in the autofill list.

    {
      "type": "android",
      "info": {
        "package_name": "org.mozilla.fennec_fdroid",
        "signatures": [
          {
            "build": "release",
            "cert_fingerprint_sha256": "06:66:53:58:EF:D8:BA:05:BE:23:6A:47:A1:2C:B0:95:8D:7D:75:DD:93:9D:77:C2:B3:1F:53:98:53:7E:BD:C5"
          }
        ]
      }
    },

key is from the F-Droid.org built/signed version:

• https://f-droid.org/repo/org.mozilla.fennec_fdroid_1290200.apk

[lucasmz-dev]

Before just creating passkeys didn't work, now, it seems using them is also not working. I guess that was just a bug in the specification in the previous version of the Bitwarden beta native app.

Please do add these to the allowlist. Mull is a great browser, trusted by many. It is the chosen one for anyone using anything like Arkenfox on the desktop.

[lucasmz-dev]

@SaintPatrck Maybe it'd make sense to re-open this since there would still be the need for this to implemented in the code?

[lucasmz-dev]

Ah nevermind! I see #4022!
Nice to see! Thank you so much for prioritizing this. Y'all amazing!

[singhh9596]

Working fine on android 14 now