In late 2022, security researchers and Google discovered a deeply problematic bug in Android’s notification system: CVE-2022-20448. This vulnerability, in the buzzBeepBlinkLocked method of NotificationManagerService.java, allowed local Android applications to access data from other Android users, bypassing privacy boundaries central to the Android security model. In this explainer, we’ll break down what went wrong, how it can be exploited, and what you should know to stay safe. The walkthrough is step by step and suited to anyone familiar with Android development or just curious about how these exploits work under the hood.
What Was the Bug?
The Android operating system is designed to keep each user’s data separate—even on the same device. This isolation means one user’s apps can’t snoop on another user’s data. But in Android 10, 11, 12, 12L, and 13, the system slipped.
The key vulnerable code lived in NotificationManagerService.java, inside the method called buzzBeepBlinkLocked. Due to a permissions bug, a crafty app could trigger actions meant only for another user or listen in on their notification events, all without needing any additional execution privileges.
*No user interaction is required for someone to exploit this.*
The Code: Where Things Went Wrong
Here’s a simplified version of the kind of code that led to the problem, inspired by public reporting and narrowed down for clarity:
    public void buzzBeepBlinkLocked(NotificationRecord record) {
        // Determine userId of the notification user
        int userId = record.getUser().getIdentifier();
        // Should check if the calling app actually has the permissions for this userId
        // Bad: This check is missing or flawed!
        performBuzz();
        performBeep();
        performBlink();
    }
The Security Gap
Normally, a notification posted from a user profile (say, User A) should only affect User A’s session. The buzzBeepBlinkLocked method didn’t properly check if the app posting the notification really belonged to that user. Because of the missing user-permission check, any app could call it and affect (or listen to) another user profile.
1. Craft a malicious app: Install it under User B on a shared Android device.
2. Trigger notifications targeting User A: The app directly calls notification APIs, but references User A’s userId.
3. Escalate privileges: The app could send or intercept notifications, sounds, or patterns meant for another user (User A), breaking data boundaries. This might help the attacker learn about User A’s activity or even trigger actions in their session.
4. No special permissions required: All this can happen with default app privileges, no user interaction necessary.
Example Exploit Snippet (Pseudocode)
    // Assume running as User B; target User A (userId 10, for example)
    NotificationManager nm = (NotificationManager) context.getSystemService(Context.NOTIFICATION_SERVICE);
    // Fake notification targeting User A
    Notification n = new Notification.Builder(context)
        .setContentTitle("Hi from User B!")
        .setContentText("This is not supposed to be seen by User A.")
        .build();
    // This should be forbidden, but due to CVE-2022-20448, it works
    nm.notifyAsUser(null, 999, n, new UserHandle(10)); // 10 = User A userId
References & Official Disclosure
- Android Security Bulletin: https://source.android.com/security/bulletin/2022-11-01#qualcomm-components
- NIST NVD (CVE Info): https://nvd.nist.gov/vuln/detail/CVE-2022-20448
- Android Issue Tracker ID: A-237540408
What Was Fixed?
Android addressed this bug in their November 2022 patch cycle. The fix ensured that buzzBeepBlinkLocked and related flows *correctly verify that the caller is authorized* to perform actions for the specific user. Apps can’t get out of their user sandbox anymore.
Here is an example of a (simplified) fix:

    if (!callerHasPermissionFor(userId)) {
        throw new SecurityException("You cannot access notifications for another user");
    }
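The check that the simplified fix above stands for, modelled in plain Java as an added example (not AOSP code and not the actual patch). `callerHasPermissionFor` is the article's hypothetical name; the UID values are constructed, and the model covers ordinary app UIDs only, ignoring system and root callers.

```java
import java.util.Set;

// Plain-Java model of a per-user authorization check; not AOSP code.
public class CrossUserCheck {
    // Android assigns each user a block of 100000 UIDs (UserHandle.PER_USER_RANGE).
    static final int PER_USER_RANGE = 100000;
    static final String INTERACT_ACROSS_USERS = "android.permission.INTERACT_ACROSS_USERS";
    static final String INTERACT_ACROSS_USERS_FULL = "android.permission.INTERACT_ACROSS_USERS_FULL";

    // The user a UID belongs to, e.g. UID 1010123 belongs to user 10.
    static int userIdOf(int uid) {
        return uid / PER_USER_RANGE;
    }

    // Hypothetical stand-in for callerHasPermissionFor(userId) in the article.
    // In a real system service the UID would come from Binder.getCallingUid().
    static boolean callerHasPermissionFor(int callingUid, Set<String> granted, int targetUserId) {
        if (targetUserId < 0) {
            // Pseudo-users such as USER_ALL (-1) are never implied by the caller's own user.
            return granted.contains(INTERACT_ACROSS_USERS_FULL);
        }
        if (userIdOf(callingUid) == targetUserId) {
            return true; // same user: no cross-user access involved
        }
        return granted.contains(INTERACT_ACROSS_USERS)
                || granted.contains(INTERACT_ACROSS_USERS_FULL);
    }

    // Hardened entry point: reject before any side effect (buzz, beep, blink) happens.
    static void enforceUser(int callingUid, Set<String> granted, int targetUserId) {
        if (!callerHasPermissionFor(callingUid, granted, targetUserId)) {
            throw new SecurityException("UID " + callingUid
                    + " cannot access notifications for user " + targetUserId);
        }
    }

    public static void main(String[] args) {
        int appInUser0 = 10123; // constructed sample: ordinary app UID in user 0
        enforceUser(appInUser0, Set.of(), 0); // own user: allowed
        try {
            enforceUser(appInUser0, Set.of(), 10); // another user: must be rejected
            System.out.println("BUG: cross-user call allowed");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        enforceUser(appInUser0, Set.of(INTERACT_ACROSS_USERS), 10); // privileged caller
        System.out.println("privileged cross-user call allowed");
    }
}
```

The point of the model is ordering: the user check runs before any side effect, and the target user is compared with the user derived from the caller's UID rather than trusted from the request.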
Why Does It Matter?
- User Isolation Breach: Android’s multi-user model is relied on by families, schools, and businesses. Breaking that wall lets a malicious app on one profile leak or tamper with the privacy of others.
- Silent, Local Threat: No scary permission prompts. No click required. It “just works” with the wrong code.
- Affects Many Devices: Impacts Android 10, 11, 12, 12L, and 13—covering millions of active devices pre-patch.
What Should You Do?
- Check your device: Make sure your Android phone or tablet is updated with the November 2022 (or later) security patch.
Summary
CVE-2022-20448 shows how a small permissions bug in a system service can fracture Android’s powerful multi-user protections. Thanks to comprehensive research and quick patching, the issue was nipped in the bud—reminding us just how important regular security updates remain!
Timeline
Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 13:49:00 UTC