The problem is, most if not all Android devices do not provide some secure-enclave-like architecture where the crypto key to unlock is secured by hardware design, but rather simple software solutions where the master unlock key resides in memory. So if you happen to have any malware combined with a security exploit, they might access your vault without requiring a fingerprint.
I do not trust any Android device with my vault for exactly that reason.
> The problem is, most if not all Android devices do not provide some secure-enclave-like architecture where the crypto key to unlock is secured by hardware design, but rather simple software solutions where the master unlock key resides in memory
Why is this relevant? Even if you do have a secure enclave, if you can do arbitrary memory reads, a malicious app can simply wait until your database is unlocked and dump your database when it's unencrypted in memory. Moreover, if you have some sort of exploit that gives you operating-system-level access, you can simply impersonate the password manager app (e.g. changing UIDs, or patching the executable in-memory) and get the secure enclave to do the decryption.
This is incorrect. There are multiple ways of running tasks in the background, e.g. https://www.raywenderlich.com/5817-background-modes-tutorial.... Moreover, if you have a sandbox escape (probably a prerequisite for getting arbitrary memory reads) you don't have to wait, because you can use the other methods I've mentioned in the second half of my prior comment.
It says that the secure enclave is optional. Do you know of any vendor that ships a hardware-based secure enclave? AFAIK there are no major vendors that actually do this, so this is just operating-system-level protection, not hardware-based.