CVE-2022-32913: Strengthening App Privacy Through Additional Restrictions on Camera Observability

A recently identified vulnerability, tracked as CVE-2022-32913, affects multiple Apple operating systems and allows a sandboxed app to determine which app is currently using the camera. Apple addressed the issue by implementing additional restrictions on the observability of app states. This post discusses the details of the vulnerability, provides a code snippet, and links to the original references.

Exploit Details

The CVE-2022-32913 vulnerability enables a sandboxed app to potentially detect which app is actively using the camera. This issue can be exploited by a malicious app to gather information about the camera's usage, effectively breaching the user's privacy. To address this vulnerability, Apple introduced additional restrictions on the observability of app states to prevent unauthorized access to camera usage information.

The patch provided by Apple strengthens app privacy by ensuring that a sandboxed app can no longer monitor the current state of the camera and determine which app is using it. This mitigates the risk of unauthorized applications gaining access to sensitive information about camera usage patterns and helps prevent potential privacy breaches.

The following code snippet demonstrates how an attacker might exploit this vulnerability, using key-value observing on the camera device's inUseByAnotherApplication property:

#import <Cocoa/Cocoa.h>               // NSApplicationDelegate, NSWindow
#import <AVFoundation/AVFoundation.h>

@interface AppDelegate : NSObject <NSApplicationDelegate>

@property (weak) IBOutlet NSWindow *window;

@end

@implementation AppDelegate

- (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
    // Look up the default camera; no capture session is started.
    AVCaptureDevice *captureDevice = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeVideo];
    // Register for key-value observing notifications on the device's in-use state.
    [captureDevice addObserver:self forKeyPath:@"inUseByAnotherApplication" options:NSKeyValueObservingOptionNew context:nil];
}

// Called by KVO whenever an observed property changes.
- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object change:(NSDictionary *)change context:(void *)context {
    if ([keyPath isEqualToString:@"inUseByAnotherApplication"]) {
        AVCaptureDevice *captureDevice = object;
        // Log whether another application currently holds the camera.
        NSLog(@"Camera in use by another app: %@", captureDevice.inUseByAnotherApplication ? @"Yes" : @"No");
    }
    else {
        // Pass unrelated key paths up the chain.
        [super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
    }
}

@end

With the new restrictions in place, this code no longer works: the app cannot observe the inUseByAnotherApplication property and therefore cannot access information about the camera's active status.
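For reviewers auditing an app's source for the observation pattern in the snippet above, the following added example (not part of the original post and not Apple's code) scans Objective-C and Swift source for key-value observers on the camera's in-use property. The function names, the choice to also watch the Swift spelling isInUseByAnotherApplication, and the sample source are assumptions of this example.

```python
import re
from typing import NamedTuple

# Key paths that expose camera-busy state: the one observed in the snippet
# above, plus its Swift spelling (an assumption of this example).
WATCHED = "inUseByAnotherApplication|isInUseByAnotherApplication"
# Objective-C KVO registration/removal; the message may span several lines.
OBJC_ADD = re.compile(r'addObserver:[^;]*?forKeyPath:\s*@"(' + WATCHED + r')"')
OBJC_REMOVE = re.compile(r'removeObserver:[^;]*?forKeyPath:\s*@"(' + WATCHED + r')"')
# Swift block-based KVO: x.observe(\.key, ...) or x.observe(\AVCaptureDevice.key, ...)
SWIFT_ADD = re.compile(r'\.observe\(\s*\\(?:AVCaptureDevice)?\.(' + WATCHED + r')\b')
# String literals are matched first so that "//" inside a string is not a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)

class Finding(NamedTuple):
    line: int
    language: str
    key_path: str
    missing_remove: bool  # Objective-C registration with no matching removeObserver:

def strip_comments(source):
    """Blank out comments but keep newlines so reported line numbers stay correct."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(repl, source)

def find_camera_state_observers(source):
    code = strip_comments(source)
    removed = {m.group(1) for m in OBJC_REMOVE.finditer(code)}
    findings = []
    for language, pattern in (("objc", OBJC_ADD), ("swift", SWIFT_ADD)):
        for m in pattern.finditer(code):
            line = code.count("\n", 0, m.start(1)) + 1  # line holding the key path
            key = m.group(1)
            findings.append(Finding(line, language, key,
                                    language == "objc" and key not in removed))
    return sorted(findings)

# Constructed sample: the registration from the snippet above (split over lines),
# a commented-out copy, an unrelated key path, and a Swift equivalent.
SAMPLE = '''\
- (void)applicationDidFinishLaunching:(NSNotification *)n {
    AVCaptureDevice *d = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeVideo];
    // [d addObserver:self forKeyPath:@"inUseByAnotherApplication" options:0 context:nil];
    [d addObserver:self
        forKeyPath:@"inUseByAnotherApplication"
           options:NSKeyValueObservingOptionNew context:nil];
    [d addObserver:self forKeyPath:@"connected" options:0 context:nil];
}
let token = device.observe(\\.isInUseByAnotherApplication, options: [.new]) { _, _ in }
'''
```

Calling find_camera_state_observers(SAMPLE) returns one Finding per live registration; key paths assembled at run time are outside what a textual scan like this can see.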

Original References

For more information about this specific vulnerability and its impact, you can visit the following original references:

- CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32913
- Apple's Security Update page: https://support.apple.com/en-us/HT213093
- Apple's developer documentation on app sandboxing: https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html

Conclusion

By understanding the nature of the CVE-2022-32913 vulnerability and being aware of the additional restrictions implemented by Apple to address it, users and developers can be confident in their usage of Apple devices and maintain their privacy. It is always crucial to stay informed about newly discovered vulnerabilities, apply relevant patches, and maintain up-to-date systems to ensure the optimal security of your devices.

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/03/2022 15:02:00 UTC