[BWA-182] MTLS not used in icon retrieval logic.

[MijnSpam]

Steps To Reproduce

First of all using MTLS with cloudflare tunnel. I can create and delete items just fine.
This generated no log rules as they pass successfully.

However in my cloudflare logs I see a block on rule being activated on: (Method GET)
/icons/ < ip of local pihole > /icon.png
and /icons/ < ip of selfhosted instance > /icon.png
As both do this on my DNS record and I see source IP to be sure it's my attempts I wonder if this is a app bug or not.
As user agent the following is mentioned
Dalvik/2.1.0 (Linux; U; Android 15; CPH2581 Build/AP3A.240617.008)

I think somewhere something in the code is skipping the MTLS check.
The app it self doesn't show any error. I only see this in the logs.

Expected Result

no security error logs

Actual Result

Security errors that no MTLS is used.

Screenshots or Videos

No response

Additional Context

No response

Build Version

2025.6.1 (20398)

What server are you connecting to?

Self-host

Self-host Server Version

2025.5.0

Environment Details

• OnePlus 12 (Oxygen OS 15.0), Android 15 with july 2025 security update

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[bitwarden-bot]

Thank you for your report! We've added this to our internal board for review.
ID: BWA-182

[daniellbw]

Hi there,

I am unable to reproduce this issue, it has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

[MijnSpam]

I can run some additional test next Friday. I did receive an app update today so could test with that version.
If I need to setup certain logging let me know so I could include it.

[neothematrix]

came here to report this and found it has already been reported.
same configuration here, also using cloudflare enforcing mTLS and latest Android app (2025.8.0) on a Pixel 7.
everything works perfectly, except entry's icons are not shown in the app and cloudflare logs are showing calls to retrieve icons (i.e.: /icons/store.steampowered.com/icon.png) are blocked due to missing mTLS certificate.
all the rest of the application works perfectly

[neothematrix]

as additional test, I've added an exception rule on cloudflare to waive mTLS certificate restriction for /icons/* folder and icons are now appearing properly on Android app.
of course I'd like to remove the exception, so I'd be happy to provide any further detail that could help the resolution.
thanks!

[jkanbier]

I'm really happy that MTLS is now supported on Android devices.
I too have the same problem the icon's are not loaded and I came to the same conclusion that the MTLS cert isn't used with the GET's for the images.

[pamperer562580892423]

Just for the record: this issue has the wrong tag ("app:authenticator"), as it's not about the authenticator app, but about the password manager app.

[MexHigh]

Same issue here. Switched to using mTLS and saw that icons are gone. I have not seen any log entries in the flight recorder.

[SaintPatrck]

Hi all!

I'm happy to inform you all that we have a potential fix (#6125) for this issue. Before pushing the it, we'd appreciate additional confirmation that the changes work for everyone's environment. If anyone is able and willing to test it out, builds with the changes can be found here: https://github.com/bitwarden/android/actions/runs/19336211187