CVE-2022-32913 - How App Sandboxing Was Bypassed to Reveal Camera Usage on Apple Devices

---

Introduction

App sandboxing is a critical security feature on Apple platforms. It tries to make sure that apps can’t spy on each other or interfere with system privacy. But sometimes, a flaw can slip through, and that’s what happened with CVE-2022-32913. This vulnerability could let a sandboxed (restricted) app figure out when the camera was in use—and by which app—violating Apple's privacy promises.

In this exclusive explainer, we’ll break down how this bug worked in simple terms, review Apple’s response, and look at code that demonstrates the issue. We’ll also provide links to original references and insights into how this kind of attack could work.

What Is CVE-2022-32913?

This vulnerability affected macOS, iOS, watchOS, and tvOS. Basically, if you downloaded a malicious app, it could tell which other app was currently accessing your device’s camera. This is not just a geeky security hiccup—it’s a big privacy concern.

tvOS before 16

Risk: A rogue app could quietly watch when you’re using the camera (e.g., for video calls, photos) and which app is doing it, making tracking and profiling much easier.

References

- Apple Security Update Release Notes
- Apple Security Advisories: CVE-2022-32913
- MITRE CVE Record

How Did This Exploit Work?

Apps in Apple’s sandbox are not supposed to be able to see what other apps are doing. But there was a gap: some system "observability" features accidentally leaked info on camera usage.

A sandboxed app could listen for certain system notifications or events that get fired when the camera state changes. With some clever (but not extremely complex) programming, an attacker could find out when the privacy indicator (green light) turned on and which app was responsible.

Example Exploit Code

*Disclaimer: The sample code here is a simplified, harmless version meant for educational purposes only.*

Suppose an app uses Distributed Notifications or other system monitoring features to track camera status. Code like the following (in Swift) demonstrates the idea:

import Foundation

let notificationName = NSNotification.Name("AVCaptureSessionDidStartRunningNotification")

let observer = NotificationCenter.default.addObserver(
    forName: notificationName,
    object: nil,
    queue: .main
) { notification in
    print("Camera session started!")
    if let appInfo = notification.userInfo?["ApplicationInfo"] {
        print("App using camera: \(appInfo)")
    }
}

RunLoop.main.run()

With the right privileges, a malicious app could watch for notifications or probe system state. On vulnerable devices, it was sometimes possible for a sandboxed app to gather details about the camera usage, breaking isolation.

Real-World Risk

Why does this matter? Think about it. If an attacker can tell that the "Messages" app is using your camera every night at 10PM, they may infer you’re on calls at that time. In more advanced attacks, they might even combine this with social engineering or other malware to build a profile about you.

On organizations’ computers, this could reveal employee behavior and help attackers plan further breaches.

Apple’s Fix

Apple closed this loophole by adding stricter controls on who can "see" app states and respond to camera hardware events. The fix limits broadcast of camera-use notifications to only trusted or privileged system processes, patching the observability bug described above.

Apple notes

> "The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, watchOS 9, macOS Monterey 12.6, tvOS 16."  
(From Apple Release Notes)

How to Stay Safe

1. Update Your Devices: If you’re running one of the OS versions listed above, make sure your system is updated to the latest release.
2. Be Careful With Apps: Only download apps from trusted sources, and watch what permissions you grant.
3. Watch Your Camera Light: On Macs and iOS devices, the physical indicator (green or orange light) shows when the camera/microphone are active. Always report suspicious behavior to Apple.
4. Monitor security news: Always stay aware of new vulnerabilities, especially those involving sandboxing and privacy.

Conclusion

CVE-2022-32913 reminds us that even the most secure platforms can have privacy leaks. Thanks to public reporting and responsive patching, this flaw is now fixed—but always keep your devices updated, and know that sometimes, the best privacy protections come from cautious usage and vigilance.

Further Reading

- Apple Security Update Page
- How Apple Sandboxing Works - Apple Support
- Introduction to privacy indicators in iOS


*Stay tuned for more security insights and simple explanations right here!*

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/03/2022 15:02:00 UTC