[PM-27736] Add FIDO privileged allowlist entry for vivo FIDO client (com.fido.client)

[zy6p]

🎟️ Tracking

Community contribution to improve passkey support on vivo devices.

com.fido.client is the preinstalled vivo FIDO / passkey client on recent OriginOS builds.
This PR adds it to the community FIDO privileged allowlist so that Bitwarden can be used as a passkey provider when the system FIDO UI is involved.

📔 Objective

On recent vivo devices (e.g., OriginOS on Android 14), passkey flows that are routed through the system FIDO UI (com.fido.client) fail with:

The calling app 'com.fido.client' is not on the privileged list and cannot request authentication on behalf of the other app.

The objective of this PR is to treat the vivo system FIDO client as a trusted FIDO caller, similar to IronFox Nightly in PR #6046, by adding an entry for com.fido.client (with its SHA-256 certificate fingerprint) to app/src/main/assets/fido2_privileged_community.json.

This allows Bitwarden to successfully complete passkey registration and authentication when com.fido.client mediates the request.

📸 Screenshots

Not applicable – no UI changes.
Verification was performed by:

• Setting Bitwarden as the default passkey provider on a vivo device with com.fido.client.
• Using https://passkeys.io and https://webauthn.io with QR / cross-device sign-in.
• Confirming that, after this change, passkey registration and authentication succeed via com.fido.client without the “not on the privileged list” error.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[CLAassistant]

All committers have signed the CLA.

[bitwarden-bot]

Thank you for your contribution! We've added this to our internal tracking system for review.
ID: PM-27736
Link: https://bitwarden.atlassian.net/browse/PM-27736

Details on our contribution process can be found here: https://contributing.bitwarden.com/contributing/pull-requests/community-pr-process.

[github-actions]

Checkmarx One – Scan Summary & Details – 07252912-3dc5-4b90-b77a-e6b815b9d92e

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.82%. Comparing base (b1195b5) to head (f11c18c).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6114      +/-   ##
==========================================
- Coverage   84.84%   84.82%   -0.03%     
==========================================
  Files         733      735       +2     
  Lines       53014    53136     +122     
  Branches     7669     7669              
==========================================
+ Hits        44982    45072      +90     
- Misses       5344     5376      +32     
  Partials     2688     2688              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[SaintPatrck]

Hi @zy6p

I'm unable to verify the package signature from official sources, and unfortunately I don't have a Vivo phone available to validate, myself. Could you elaborate on how you retrieved the signature and include a video of it working after the change, and how it behaved prior to the change?

[zy6p]

1. How to get the signed video

lv_0_20251106221428.mp4

2. The video of its behavior before the change

lv_0_20251106220959.mp4

3. The video of the modified working

lv_0_20251106221139.mp4