
Google Password Manager Leaks Cleartext Passwords via Task Switcher
A cybersecurity student reported that Google Password Manager on Android (tested on Pixel 8, Android 16) displays cleartext passwords in the Task Switcher preview when minimized, despite an active biometric lock prompt. Google classified this as Won't Fix, stating it is intended behavior under their threat model, which assumes physical access to an unlocked device means full compromise. However, Germany’s Federal Office for Information Security (BSI) considers this a violation of its guidelines, which require protection against background snapshots in such scenarios. Proof-of-concept screenshots were provided to demonstrate the issue.
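
The snapshot protection that the BSI guidelines call for can be sketched on the app side as follows. This is an added example, not Google Password Manager code: the activity name, the placeholder secret and the prompt strings are assumptions, and it relies on the standard `FLAG_SECURE` window flag, `Activity.setRecentsScreenshotEnabled` (API 33+) and the `androidx.biometric` library.

```kotlin
import android.os.Build
import android.os.Bundle
import android.view.WindowManager.LayoutParams.FLAG_SECURE
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

// Hypothetical credential screen (added example, not Google Password Manager code).
class CredentialDetailActivity : AppCompatActivity() {
    private val secret = "constructed-placeholder-password" // stand-in for a vault lookup
    private lateinit var passwordView: TextView
    private var unlocked = false

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Mark the window secure before any content is attached: the system then
        // blanks it in the Task Switcher preview, screenshots and screen recordings.
        window.setFlags(FLAG_SECURE, FLAG_SECURE)
        // Android 13+ (API 33): also ask the system not to keep a recents snapshot.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            setRecentsScreenshotEnabled(false)
        }
        passwordView = TextView(this)
        setContentView(passwordView)
        render()
    }

    override fun onStart() { super.onStart(); if (!unlocked) promptForBiometric() }

    // Re-lock and mask whenever the activity leaves the foreground, so the view
    // hierarchy does not hold the cleartext while the biometric prompt is pending.
    override fun onStop() { super.onStop(); unlocked = false; render() }

    private fun render() { passwordView.text = if (unlocked) secret else "••••••••" }

    private fun promptForBiometric() {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                unlocked = true
                render()
            }
        }
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock password").setNegativeButtonText("Cancel").build()
        BiometricPrompt(this, ContextCompat.getMainExecutor(this), callback).authenticate(info)
    }
}
```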