Critical — widget auth bypass
The root cause is three things working together. In widget/ui/Note.kt, a tap on the widget launches MainActivity with FLAG_ACTIVITY_CLEAR_TASK, which wipes the back stack and starts a fresh task, carrying the noteId extra along. In NavHost.kt, AppNavHost sees noteId != -1 and routes straight to the Edit screen, skipping the lock screen entirely. The onResume lock check in MainActivity does not catch this path: it is built for returning to the app, not for a cold start launched from a widget tap. On Android 16 / Pixel Fold this is particularly reproducible because the foldable's home screen configuration triggers the clean task launch path more aggressively. Any code path that trusts a deep-link extra before the lock state has been checked will reproduce the bypass, so the fix belongs in route selection, not in the widget.
Separately, getDefaultRoute() in NavHost.kt only checks passcode != null, so a user who has configured fingerprint or pattern only falls through to NavRoutes.Home.route unlocked. And there is a typo in SettingsModel.kt line 22: defaultRoute == NavRoutes.Home.route uses == (an equality test whose result is discarded) instead of = (assignment), so when no lock is set, defaultRoute stays null rather than being set to Home.
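One way to close both halves of this (the widget skipping the lock screen, and getDefaultRoute() only knowing about passcodes) is to make the start destination a function of lock state alone and treat the widget's noteId purely as a post-unlock target. The following is an added example, not the project's code: LockSettings, LockSession, the route strings and the LockScreen/HomeScreen/EditScreen signatures are all assumptions, chosen to match the names the report mentions.

```kotlin
import androidx.compose.runtime.Composable
import androidx.compose.runtime.LaunchedEffect
import androidx.compose.runtime.collectAsState
import androidx.compose.runtime.getValue
import androidx.compose.runtime.remember
import androidx.navigation.NavHostController
import androidx.navigation.compose.NavHost
import androidx.navigation.compose.composable
import androidx.navigation.compose.rememberNavController
import kotlinx.coroutines.flow.MutableStateFlow
import kotlinx.coroutines.flow.StateFlow

// Assumed shape of the settings; the report only shows getDefaultRoute() testing passcode != null.
data class LockSettings(
    val passcode: String? = null,
    val pattern: String? = null,
    val biometricEnabled: Boolean = false,
) {
    // Any configured method means the app must start on the lock screen, not just a passcode.
    val isLockEnabled: Boolean
        get() = passcode != null || pattern != null || biometricEnabled
}

object NavRoutes {
    const val Lock = "lock"
    const val Home = "home"
    const val Edit = "edit/{noteId}"
    fun edit(noteId: Long) = "edit/$noteId"
}

// Process-scoped unlock state. FLAG_ACTIVITY_CLEAR_TASK from the widget gives a fresh task, and a
// fresh process starts with unlocked == false, so the cold-start path can no longer skip the lock.
class LockSession {
    private val _unlocked = MutableStateFlow(false)
    val unlocked: StateFlow<Boolean> = _unlocked
    fun markUnlocked() { _unlocked.value = true }
    fun lock() { _unlocked.value = false }   // call from MainActivity.onStop() so backgrounding re-locks
}

// Start destination depends on lock state only (this is what getDefaultRoute() should return).
// The widget's noteId is a post-unlock target, never a reason to route straight to Edit.
fun resolveStartRoute(settings: LockSettings, unlocked: Boolean): String =
    if (settings.isLockEnabled && !unlocked) NavRoutes.Lock else NavRoutes.Home

// Where to land once the session is trusted: the pending widget note if any, otherwise Home.
fun resolvePostUnlockRoute(pendingNoteId: Long): String =
    if (pendingNoteId != -1L) NavRoutes.edit(pendingNoteId) else NavRoutes.Home

@Composable
fun AppNavHost(
    settings: LockSettings,
    session: LockSession,
    pendingNoteId: Long,   // the widget intent's noteId extra, -1 when absent
    navController: NavHostController = rememberNavController(),
) {
    val unlocked by session.unlocked.collectAsState()
    // Fix the start route once per host composition; unlocking is handled by navigating,
    // not by swapping the graph's start destination underneath it.
    val startDestination = remember { resolveStartRoute(settings, session.unlocked.value) }

    NavHost(navController, startDestination = startDestination) {
        composable(NavRoutes.Lock) {
            // LockScreen is the project's screen (assumed signature): it calls onUnlocked only after
            // the passcode, pattern or biometric check succeeds.
            LockScreen(settings = settings, onUnlocked = {
                session.markUnlocked()
                navController.navigate(resolvePostUnlockRoute(pendingNoteId)) {
                    popUpTo(NavRoutes.Lock) { inclusive = true }   // Back must not land on the lock screen again
                }
            })
        }
        composable(NavRoutes.Home) { HomeScreen(navController) }   // assumed signature
        composable(NavRoutes.Edit) { entry ->
            if (settings.isLockEnabled && !unlocked) {
                // Defence in depth: a deep link or restored back stack can land here directly;
                // never render note content for an untrusted session.
                LaunchedEffect(Unit) {
                    navController.navigate(NavRoutes.Lock) { popUpTo(NavRoutes.Edit) { inclusive = true } }
                }
            } else {
                val noteId = entry.arguments?.getString("noteId")?.toLongOrNull() ?: -1L
                EditScreen(noteId = noteId)   // assumed signature
            }
        }
    }
}
```

The two pure functions are the part worth unit-testing: resolveStartRoute must return Lock for every combination of pattern-only, biometric-only and passcode-only settings when the session is not yet unlocked, and resolvePostUnlockRoute is the only place the widget's noteId is ever consulted. Calling session.lock() from onStop (or on a short timer) replaces the onResume check the report describes, which is bypassed on a cold start.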
High — encryption weaknesses
The vault encryption in EncryptionHelper.kt uses a single unsalted SHA-256 hash of the password as the AES key, with no iterations. That is an offline brute-force target: one SHA-256 per guess is exactly what GPU crackers are built for, and the missing salt means identical passwords give identical keys. Passwords should go through a proper password-based KDF: PBKDF2-HMAC-SHA256 with a random per-vault salt and a high iteration count (OWASP currently recommends 600,000; the old 10,000 figure is far too low), or a memory-hard function such as Argon2id or scrypt from a third-party library (Jetpack Security does not provide Argon2; what it offers is Keystore-backed key wrapping via EncryptedSharedPreferences and EncryptedFile). Additionally, the passcode and pattern are stored as plain strings in DataStore preferences. They should be stored as a salted, iterated hash (the same KDF, with a constant-time comparison on verify), not as a single salted SHA-256, and ideally the key material that actually protects the vault should live in the Android Keystore, gated on user authentication, so that a short numeric passcode is not the only thing standing between an attacker with the device's storage and the notes.
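The weak derivation the report describes, beside a PBKDF2 replacement that serves both the vault key and the stored passcode/pattern verifier. This is an added example, not EncryptionHelper.kt; the function names, the CredentialRecord layout and the iteration count are assumptions. PBKDF2WithHmacSHA256 is available from the platform provider on API 26 and later.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// What the report describes EncryptionHelper.kt doing: unsalted single SHA-256 as the AES key.
// Same password always yields the same key, and one hash per guess is trivial for a GPU.
fun weakVaultKey(password: String): SecretKey =
    SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(password.toByteArray(Charsets.UTF_8)), "AES")

const val PBKDF2_ITERATIONS = 600_000   // OWASP's current PBKDF2-HMAC-SHA256 figure (assumed acceptable on target devices)
const val SALT_BYTES = 16
const val KEY_BITS = 256

fun newSalt(): ByteArray = ByteArray(SALT_BYTES).also { SecureRandom().nextBytes(it) }

// PBKDF2-HMAC-SHA256 over a char array so the password copy can be scrubbed afterwards.
fun pbkdf2(password: CharArray, salt: ByteArray, iterations: Int, bits: Int = KEY_BITS): ByteArray {
    val spec = PBEKeySpec(password, salt, iterations, bits)
    try {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    } finally {
        spec.clearPassword()
    }
}

// Vault key. The salt is random per vault and stored next to the ciphertext along with the
// iteration count, so the count can be raised later without breaking existing vaults.
fun deriveVaultKey(password: CharArray, salt: ByteArray, iterations: Int = PBKDF2_ITERATIONS): SecretKey =
    SecretKeySpec(pbkdf2(password, salt, iterations), "AES")

// What goes into DataStore instead of the plain passcode or pattern string.
// A pattern is encoded as its cell sequence (e.g. "0-1-2-5") before being passed in.
data class CredentialRecord(val salt: ByteArray, val iterations: Int, val hash: ByteArray)

fun enrollCredential(secret: CharArray, iterations: Int = PBKDF2_ITERATIONS): CredentialRecord {
    val salt = newSalt()
    return CredentialRecord(salt, iterations, pbkdf2(secret, salt, iterations))
}

// MessageDigest.isEqual is constant-time, so a wrong guess leaks nothing about how many bytes matched.
fun verifyCredential(secret: CharArray, record: CredentialRecord): Boolean =
    MessageDigest.isEqual(pbkdf2(secret, record.salt, record.iterations), record.hash)
```

One caveat the report hints at: a 4 to 6 digit passcode has at most a million values, so even 600,000 iterations only slow an attacker who has copied the DataStore file, not stop them. Rate-limiting attempts in the app and wrapping the real vault key in an Android Keystore key with user authentication required is what makes a short passcode defensible.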
Medium — missing Android security features
data_extraction_rules.xml and backup_rules.xml are both empty templates, so as long as backup is enabled (the default) the whole data directory, notes database and DataStore preferences (which hold the passcode and pattern) included, is picked up by Google Drive Auto Backup and device-to-device transfer. The Room database has no at-rest encryption (no SQLCipher), so anyone with the files has the notes. The widget renders note content on the home screen with no auth gate, so a vault note placed on the widget before the lock was enabled keeps showing its decrypted content. NotesWidgetActivity is exported with no permission protecting it, so any app on the device can start it; it should be android:exported="false" unless another app genuinely needs to launch it, in which case a signature-level permission belongs on it.
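A filled-in data_extraction_rules.xml that keeps the database and DataStore out of both cloud backup and device-to-device transfer, as an added example rather than the project's file. The database name notes.db and the files/datastore/ location are assumptions; the manifest must reference the file with android:dataExtractionRules="@xml/data_extraction_rules".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/data_extraction_rules.xml (Android 12 and later).
     For Android 11 and earlier, backup_rules.xml takes the same <exclude> children
     inside a <full-backup-content> root, referenced via android:fullBackupContent. -->
<data-extraction-rules>
    <!-- Refuse cloud backup entirely on devices that cannot end-to-end encrypt it. -->
    <cloud-backup disableIfNoEncryptionCapabilities="true">
        <exclude domain="database" path="notes.db" />       <!-- Room DB: assumed name -->
        <exclude domain="file" path="datastore/" />         <!-- DataStore prefs: assumed path -->
    </cloud-backup>
    <!-- D2D transfer copies app data to a new phone during setup; exclude the same files. -->
    <device-transfer>
        <exclude domain="database" path="notes.db" />
        <exclude domain="file" path="datastore/" />
    </device-transfer>
</data-extraction-rules>
```

If nothing in the app is worth backing up, android:allowBackup="false" in the manifest is simpler and leaves no path to forget; the rules above are for the case where other preferences should still survive a device change.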
Low — hardening
The release build config uses signingConfig = signingConfigs.getByName("debug"); a release APK needs its own signing key, kept out of the repository, because the debug keystore is auto-generated with a well-known default password and sits unprotected on every developer machine. The debug build has isDebuggable = true, which is expected for debug but must never leak into release. No network_security_config.xml is defined; on targetSdk 28 and later cleartext traffic is already blocked by default, so the point of adding one is to stop trusting user-installed CAs in release builds and, if the app talks to a fixed backend, to pin its certificates.
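A release signing block that reads the key from a git-ignored keystore.properties (or CI environment variables) instead of reusing the debug key. This is an added example for app/build.gradle.kts, not the project's actual build file; the property names and the keystore.properties location are assumptions.

```kotlin
// app/build.gradle.kts (excerpt). The import must sit above the plugins {} block.
import java.util.Properties

// keystore.properties lives at the project root, is git-ignored, and holds
// storeFile, storePassword, keyAlias and keyPassword. CI supplies the same values
// as STOREFILE, STOREPASSWORD, KEYALIAS and KEYPASSWORD environment variables.
val keystoreProps = Properties().apply {
    val f = rootProject.file("keystore.properties")
    if (f.exists()) f.inputStream().use { load(it) }
}

fun secret(name: String): String? =
    keystoreProps.getProperty(name) ?: System.getenv(name.uppercase())

android {
    signingConfigs {
        create("release") {
            storeFile = secret("storeFile")?.let { rootProject.file(it) }
            storePassword = secret("storePassword")
            keyAlias = secret("keyAlias")
            keyPassword = secret("keyPassword")
        }
    }
    buildTypes {
        getByName("release") {
            // Not signingConfigs.getByName("debug"): the debug keystore is auto-generated,
            // uses the default password "android" and is unprotected on every dev machine.
            signingConfig = signingConfigs.getByName("release")
            isDebuggable = false
            isMinifyEnabled = true
            isShrinkResources = true
            proguardFiles(getDefaultProguardFile("proguard-android-optimize.txt"), "proguard-rules.pro")
        }
        getByName("debug") {
            isDebuggable = true   // expected here, and only here
        }
    }
}
```

With storeFile left null (no properties file, no environment) Gradle fails the release assembly rather than silently falling back to the debug key, which is the behaviour you want on a misconfigured CI runner.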