- **Classification:** Security Vulnerability / Privacy Bypass
- **Date:** December 29, 2025
- **Researcher:** Independent Security Researcher
- **Affected Platform:** iOS 15.1+ (tested on iOS 15.1)
- **Affected Application:** Facebook (com.facebook.Facebook)

Executive Summary
A critical privacy bypass has been discovered in the Facebook iOS application that circumvents Apple's microphone usage indicator (orange dot). Facebook pre-activates a CallKit-based bypass mechanism at application launch, allowing potential microphone access without user-visible indication.
This bypass exploits iOS's trust model for CallKit-integrated VoIP applications, effectively defeating a core iOS privacy protection feature.
Vulnerability Details
Classification
- undefined
Technical Description
Facebook's iOS application contains a class `FBSystemAudioSessionManager` that manages audio sessions. This manager exposes a property `allowCallKitActiveAdjust` which controls whether iOS's standard microphone indicator behavior applies.
**Normal Expected Behavior:**
- undefined
**Observed Malicious Behavior:**
- undefined
Affected iOS Privacy Feature
The iOS microphone indicator (orange status bar dot) introduced in iOS 14 is designed to inform users whenever an application accesses the microphone. This bypass defeats that protection by exploiting CallKit's trusted status.
Proof of Concept
Environment
- undefined
Reproduction Steps
- undefined
```javascript
// fb_check_state.js - Microphone Indicator Bypass Detection
// Uses Frida's Objective-C bridge (ObjC.available, ObjC.classes).
if (ObjC.available) {
    var FBMgr = ObjC.classes.FBSystemAudioSessionManager;
    if (FBMgr) {
        var instance = FBMgr.sharedInstance();

        // Check bypass state
        var allowAdjust = instance.allowCallKitActiveAdjust();
        var isCallActive = instance.isCallKitActive();
        var hasRTC = instance.hasRTCClient();

        console.log('allowCallKitActiveAdjust: ' + allowAdjust);
        console.log('isCallKitActive: ' + isCallActive);
        console.log('hasRTCClient: ' + hasRTC);

        // Flag is off while no CallKit call is in progress
        if (!allowAdjust && !isCallActive) {
            console.log('!!! BYPASS ACTIVE WITHOUT LEGITIMATE CALL !!!');
        }
    }

    // Verify no audio recording active
    var session = ObjC.classes.AVAudioSession.sharedInstance();
    console.log('AVAudioSession category: ' + session.category());
    console.log('AVAudioSession mode: ' + session.mode());
}
```
Observed Output (Reproduced Consistently)
```
[FB] allowCallKitActiveAdjust: false
[FB] !!! BYPASS IS ACTIVE - allowCallKitActiveAdjust is FALSE !!!
[FB] isCallKitActive: false
[FB] hasRTCClient: false
[FB] AVAudioSession category: AVAudioSessionCategoryAmbient
[FB] AVAudioSession mode: AVAudioSessionModeDefault
```
Evidence Analysis
| Property | Expected Value | Observed Value | Implication |
|---|---|---|---|
| `allowCallKitActiveAdjust` | `true` | `false` | Bypass ACTIVE |
| `isCallKitActive` | N/A | `false` | No legitimate call |
| `hasRTCClient` | N/A | `false` | No VoIP client |
| `AVAudioSession.category` | N/A | `Ambient` | Not recording |
**Conclusion:** The bypass is activated preemptively without any legitimate audio/calling activity.
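The criteria in the table above can be applied mechanically to saved script output, which helps when comparing captures taken at different times. The following is an added example, not part of the original report: the function and constant names are hypothetical, the first capture is the report's observed output, and the second is constructed for contrast.

```javascript
// Added example (not from the report): triage "[FB] key: value" capture lines.
// All function and constant names below are hypothetical.
const RECORD_CAPABLE = new Set([ // AVAudioSession categories that permit audio input
  'AVAudioSessionCategoryRecord',
  'AVAudioSessionCategoryPlayAndRecord',
  'AVAudioSessionCategoryMultiRoute',
]);

function parseCapture(text) {
  const state = {};
  for (const line of text.split('\n')) {
    // Banner lines ("!!! ... !!!") lack the "key: value" shape and are skipped.
    const m = /^\[FB\]\s+([A-Za-z ]+):\s+(\S+)$/.exec(line.trim());
    if (m) state[m[1].trim()] = m[2];
  }
  return state;
}

function triageCapture(text) {
  const s = parseCapture(text);
  const required = ['allowCallKitActiveAdjust', 'isCallKitActive', 'hasRTCClient'];
  const missing = required.filter((k) => !(k in s));
  if (missing.length) return { verdict: 'incomplete', missing };
  const flagOff = s.allowCallKitActiveAdjust === 'false';
  const callActive = s.isCallKitActive === 'true';
  const category = s['AVAudioSession category'] || 'unknown';
  return {
    // Same condition as the check script: flag off while no CallKit call is active.
    verdict: flagOff && !callActive ? 'flag-set-without-call' : 'consistent',
    rtcClient: s.hasRTCClient === 'true',
    // Separate question: can the current session category capture input at all?
    recordCapable: RECORD_CAPABLE.has(category),
    category,
  };
}

// Lines as shown under "Observed Output" in the report.
const REPORT_CAPTURE = [
  '[FB] allowCallKitActiveAdjust: false',
  '[FB] !!! BYPASS IS ACTIVE - allowCallKitActiveAdjust is FALSE !!!',
  '[FB] isCallKitActive: false',
  '[FB] hasRTCClient: false',
  '[FB] AVAudioSession category: AVAudioSessionCategoryAmbient',
  '[FB] AVAudioSession mode: AVAudioSessionModeDefault',
].join('\n');
// Constructed contrast case: a call in progress with a recording-capable session.
const CALL_CAPTURE = REPORT_CAPTURE
  .replace('isCallKitActive: false', 'isCallKitActive: true')
  .replace('CategoryAmbient', 'CategoryPlayAndRecord');
console.log(triageCapture(REPORT_CAPTURE), triageCapture(CALL_CAPTURE));
```

For the report's capture this yields `flag-set-without-call` with `recordCapable: false`, which keeps the flag-state finding separate from the question of whether the session could record at that moment.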
Technical Mechanism
How the Bypass Works
- undefined
CallKit Trust Model Abuse
iOS grants special privileges to CallKit-integrated apps because VoIP calls require persistent audio access. Apple trusts these apps to honestly report their call state. Facebook exploits this trust by:
- undefined
Impact Assessment
Privacy Impact
- undefined
Trust Model Impact
- undefined
Potential Abuse Scenarios
- undefined
Recommended Remediation
For Apple (iOS)
- undefined
For Facebook
- undefined
Disclosure Timeline
| Date | Action |
|---|---|
| December 29, 2025 | Vulnerability discovered and documented |
| [TBD] | Report submitted to Apple Security |
| [TBD] | Apple acknowledgment |
| [TBD] | Remediation timeline established |
| [TBD] | Public disclosure (coordinated) |
Supporting Materials
- undefined
Researcher Contact
[REDACTED - Add contact information for coordinated disclosure]
Legal Notice
This research was conducted on personally-owned devices for security research purposes. No unauthorized access to systems or data occurred. This disclosure is made in good faith to improve user privacy and security.
- **Report Version:** 1.0
- **Last Updated:** December 29, 2025