Ava-693 Users get alarm notifications on the Ava Aware iOS app even after signing out
Release Date
15 September 2022.
Overview
Users were receiving notifications on the Ava Aware iOS app even after signing out.
Affected Products
- Ava Aware:
  - iOS app downloaded from the 2.10.0 beta channel on TestFlight until build 177
Unaffected products
- Ava Aware:
  - All stable versions of the iOS app downloaded from the App Store
  - iOS app downloaded from the 2.10.0 beta channel on TestFlight, build 179 and later
  - All versions of the Android and web clients
- Ava cameras: all versions.
- Ava Cloud: all versions.
Resolution
This issue has been fixed in the Ava Aware iOS App 2.10.0 Beta channel build 179.
It is recommended that all users running an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through TestFlight or the App Store.
Vulnerability Information
- CVE: pending
- CVSSv3 score: 2.4 (Low)
- CVSSv3 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Mitigations
There are no known mitigations for this issue.
Workarounds
There are no known workarounds for this issue.
Acknowledgements
Issue found internally by Ava Security.
Disclosure Timeline
- 07/09/2022 Issue found internally by Ava Security
- 07/09/2022 Root cause established
- 07/09/2022 Fix identified
- 15/09/2022 Patched the beta Ava Aware iOS app on TestFlight
- 15/09/2022 Vulnerability publicly disclosed