feat(applock): Add app lock with biometric/device credential authentication

[thoomi]

Summary

Adds an App Lock feature that allows users to protect access to Thunderbird using
biometric authentication (fingerprint, face) or device credentials (PIN/pattern/password).

This is a highly requested community feature:

• Mozilla Connect: Biometrics to open Thunderbird Android
• Fixes Biometrics to open the email app #7530

Changes

New modules

• feature/applock/api - Public contracts (AppLockCoordinator, AppLockGate, state types)
• feature/applock/impl - Implementation (coordinator, biometric auth, UI overlays, settings)

Architecture

• Follows API/impl module split
• Clean Architecture layers: domain (coordinator, authenticator), data (config store), UI (gate, overlays, settings)
• Koin dependency injection throughout
• MVI pattern for settings UI

Key design decisions

• Pull model: Activities call ensureUnlocked() rather than coordinator pushing UI
• Fail-closed security: If enabled but biometrics unavailable, app blocks access (doesn't silently unlock)
• Privacy overlays: Plain View overlay (not Compose) for synchronous rendering in task switcher
• Process death: No state persistence - always re-authenticates (security feature)
• Authentication-first enable: User must authenticate before enabling (prevents locking themselves out)

Integration

• Minimal app-common integration via ActivityLifecycleCallbacks
• Settings entry point added to General Settings > Security
• No changes to existing feature modules

Screenshots & Videos

Settings UI

General Settings	App Lock Disabled	App Lock Enabled

Auth Not Available	Timeout Options	Biometric Prompt (enable)

Unlock Flow

applock_happy_path_flow.mp4

Biometric prompt shown when opening the app

Videos

Enabling app lock (requires authentication first)

applock_settings_enable_flow.mp4

PIN fallback authentication

applock_settings_pin_fallback_flow.mp4

Unavailable: navigate to device settings to enroll

applock_unavailable_to_device_settings_flow.mp4

Full flow: unavailable → enroll biometrics → return to app

applock_unavailable_to_device_settings_biometric_back_to_app_flow.mp4

Testing

• ~2,000 lines of tests across 11 test files
• Comprehensive coordinator state machine tests (all transitions, edge cases)
• Gate overlay tests (visibility, authentication triggering)
• Settings ViewModel tests
• Integration callback tests
• All tests use fakes (no mocking libraries), AssertK assertions, Robolectric

Manual testing checklist

• Enable app lock in Settings > General > Security
• Verify biometric/credential prompt appears on app open
• Verify privacy overlay in task switcher
• Verify screen-off triggers re-lock
• Verify timeout setting works (immediate, 1min, 5min, etc.)
• Verify "unavailable" state when no biometrics enrolled
• Verify settings link to device biometric settings
• Test with device rotation during auth prompt

Review

This PR is structured as 5 focused commits that can be reviewed individually. If the overall diff is too large, I'm happy to split this into smaller, incremental PRs — let me know what works best. I just wanted to put it into a one big PR to see how a full implementation would look like.

I also see this PR as a spark for the discussion on the topic. Lets discuss if we want to integrate such a feature at all, since many valid concerns have been raised about it in the past. 😊

Future work

The following enhancements are planned as follow-ups:

• External intent exception: Returning from external intents (e.g., file picker for attachments, camera) currently re-triggers authentication. These should be exempted when the app initiated the intent.
• Notification content privacy: Option to hide sensitive notification content (sender, subject, preview) while the app is locked

Disclaimer

Large parts of the PR have been written and reviewed by Coding Agents. I am more like an Android and Kotlin novice but i am of course very eager to learn more about it :)

[wmontwe]

@thoomi Sorry for the delay. We’re currently quite busy, and since this isn’t on our immediate roadmap and involves AI-assisted written code, it requires a more thorough review—something we’re unfortunately not able to complete in a timely manner.