cbiere
commented
1 year ago 
This is easily reproducible with stronger than defaut database encryption settings because the longer it takes to unlock the database, the more time you have to hit the time window. I used ChaCha20, Argon2id, 8 rounds, 512 MB, parallelism 8.
robellegate
I started using KeePass2Android because it was recommended by the developer of KeePassDX. I've enabled the biometric quickunlock feature and noticed the following:
When I lock and close the database, accessing KeePass2Android will prompt for biometric authentication as expected. The password field is filled in with characters replaced by dots. However, there's also the eye symbol to make the original characters visible. Due to the biometric prompt it's not accessible right away but with good coordination and timing, I can tap the eye icon right after unlocking and actually see the database password for a fraction of a second. I'm certain it would show up on a video perfectly readable.
Now I understand that exploiting this probably makes little sense in almost all scenarios. Nonetheless, it makes me feel uneasy and I wonder if it's really necessary to put the password into the GUI and provide the eye icon. I mean if it's possible to make it visible like that, there could be corner cases that would gain the same result.
Would it be possible to ensure the entered password stays hidden internally?