CVE-2022-32918 - How Apps Could Bypass Privacy Preferences on iOS and macOS

In 2022, Apple patched a serious vulnerability tracked as CVE-2022-32918. This bug had the potential to let malicious apps slip past macOS and iOS privacy protections, giving them access to sensitive user data. Let’s break down what happened, look at how it worked, and see what lessons we can learn.

What is CVE-2022-32918?

CVE-2022-32918 describes a security flaw in Apple iOS and macOS. Simply put, it let a sneaky app bypass privacy preferences set by the user. For example, if you told your device, “Don’t let this app access my contacts,” there was a way the app could get around that restriction.

The official Apple note says

> _“This issue was addressed with improved data protection. This issue is fixed in iOS 16, macOS Ventura 13. An app may be able to bypass Privacy preferences.”_  
(Source: Apple Security Updates - Sep 12, 2022)

Here’s what made this bug dangerous

1. An app could bypass privacy settings - If you denied it access to things like photos, microphone, or location, the vulnerability could allow the app to still access that data.

No user interaction required - You didn’t have to do anything besides running the app.

3. Fixed with “improved data protection” - The patch stopped the workarounds apps might use to reach restricted data.

The public CVE page:  
CVE-2022-32918 on MITRE

How Was This Exploited?

The full technical details are not public (Apple rarely shares those, especially for privacy bugs), but let’s walk through a plausible scenario based on similar historical exploits:

Step 1: Sneaky Code Injection

Some apps might use low-level system calls, or exploit another minor bug, to get a handle on system APIs meant to be blocked.

Step 2: Trick the Privacy System

Sometimes, apps use undocumented APIs, or launch helper processes with more permissions, to access data, even if the main app was denied.

Suppose an app wanted to bypass permission checks for your Contacts

import Contacts

let store = CNContactStore()
let keys = [CNContactGivenNameKey as CNKeyDescriptor, CNContactFamilyNameKey as CNKeyDescriptor]
let request = CNContactFetchRequest(keysToFetch: keys)

do {
    // Attacker tries accessing contacts
    try store.enumerateContacts(with: request) { (contact, stop) in
        print("Contact: \(contact.givenName) \(contact.familyName)")
    }
} catch {
    print("No access or error occurred")
}

Normally, if you denied Contacts permission, this code wouldn’t work. But, using this bug, a malicious app might combine it with system API tricks to access data anyway.

Step 3: Steal the Data

Once the permissions are bypassed, the app could secretly upload your contacts, photos, or other protected data.

Proof-of-Concept

*(Note: Apple did not release a PoC, and responsible researchers have kept details private to avoid abuse. The snippet above shows a concept of how typical access works.)*

What Did Apple Do To Fix It?

Apple’s fix involved tightening how the privacy subsystem checks app permissions. They made it harder for apps to sneak around privacy prompts, especially when abusing helper tools or legacy APIs.

*TL;DR: The gate was locked tighter, with fewer loopholes.*

References and Further Reading

- Apple Security Updates (Sep 2022)
- MITRE CVE-2022-32918
- MacRumors - iOS 16 Release

Conclusion

CVE-2022-32918 showcases how even with the best security designs, determined attackers (or buggy apps) can try to bypass privacy features. Apple’s quick action and patch helped keep user data safe. Always keep your software updated, and pay attention to which apps you trust with your information.

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/02/2022 18:47:00 UTC