CVE-2025-11598: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Centralny Ośrodek Informatyki mObywatel
CVE-2025-11598 is a low-severity vulnerability in the mObywatel iOS application developed by Centralny Ośrodek Informatyki. When the app is minimized, the iOS App Switcher shows a snapshot of its last visible screen, and that snapshot remains viewable even after the user has logged out; anyone with access to the unlocked device can therefore read whatever personal information was on screen. Which data is exposed depends on the last screen viewed before the app was minimized. The issue requires no privileged access but does require user interaction (minimizing the app) and physical access to the device. It was fixed in version 4.71.0 of the application. There are no known exploits in the wild, and the CVSS 4.0 base score is 1.0. Organizations and users relying on mObywatel should update to the patched version to prevent unintended data exposure. The impact is limited to confidentiality; integrity and availability are unaffected.
AI Analysis
Technical Summary
CVE-2025-11598 is a privacy exposure vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting the mObywatel iOS application, the Polish government digital identity app maintained by Centralny Ośrodek Informatyki. When an iOS app leaves the foreground, the system captures a snapshot of its last active screen and uses that image as the app's card in the App Switcher. If personal data was on screen at that moment, it is baked into the snapshot. Because the snapshot is a static image captured at backgrounding time, a logout that happens afterwards (for example a session timeout while the app is in the background) does not refresh it, which is why the data stays visible after the user has logged out. An unauthorized person with physical access to the unlocked device can open the App Switcher and read that data without authenticating to the app. The extent of the leak depends on which screen was last viewed. The vulnerability does not touch the app's backend or affect data integrity; it compromises confidentiality only. Exploitation requires user interaction (minimizing the app) and physical access to the device, but no privileges or complex technique. The issue was fixed in version 4.71.0. The advisory does not describe the fix; the standard remediation for this class of bug is to obscure or blank sensitive views before the app transitions to the background so that the captured snapshot contains nothing sensitive. The CVSS 4.0 base score is 1.0, reflecting the physical-access requirement and the limited impact. No active exploitation is known. The advisory covers only the iOS application on vulnerable versions; it does not report other platforms as affected.
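The defensive pattern this class of bug calls for, shown here as an added illustration and not as code from mObywatel or Centralny Ośrodek Informatyki: a UIKit scene delegate that covers the window with a blur before iOS captures the App Switcher snapshot and removes the cover when the app returns to the foreground. The class name, the view tag value and the label text are assumptions chosen for the example; the UIKit calls themselves are standard.

```swift
import UIKit

// Added example (not the mObywatel code base): hide on-screen content before
// the system captures the App Switcher snapshot, and restore it on return.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?

    // Arbitrary tag used to find and remove the cover view later (assumption).
    private let privacyCoverTag = 0x5052_4956

    // Fires when the app stops being the active app: pulling down Control
    // Center, an incoming call, or the user opening the App Switcher. This is
    // before the app enters the background, and the snapshot iOS keeps for the
    // App Switcher is taken after the app has moved off the foreground, so a
    // cover added here is what ends up in that snapshot.
    func sceneWillResignActive(_ scene: UIScene) {
        guard let window = window,
              window.viewWithTag(privacyCoverTag) == nil else { return }

        let cover = UIVisualEffectView(effect: UIBlurEffect(style: .systemThickMaterial))
        cover.frame = window.bounds
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        cover.tag = privacyCoverTag

        // A neutral label so the card is recognisable without revealing data.
        let label = UILabel(frame: cover.bounds)
        label.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        label.textAlignment = .center
        label.text = "Contents hidden"
        cover.contentView.addSubview(label)

        window.addSubview(cover)
    }

    // Fires when the app becomes active again: drop the cover. If the session
    // was invalidated while backgrounded, the app should switch to its login
    // screen here rather than simply uncovering the previous content.
    func sceneDidBecomeActive(_ scene: UIScene) {
        window?.viewWithTag(privacyCoverTag)?.removeFromSuperview()
    }

    // Hypothetical logout hook (assumption): besides tearing down the session,
    // ask iOS not to reuse the last snapshot as the launch image next time.
    func didLogOut() {
        UIApplication.shared.ignoreSnapshotOnNextApplicationLaunch()
    }
}
```

To check the behaviour on a test device, open a screen that shows personal data, swipe into the App Switcher, and confirm the app's card shows the blurred cover rather than the data; repeat after backgrounding the app for longer than its session timeout. The cover also appears briefly when Control Center or a notification banner is pulled down, since both make the app inactive; that is expected and is the price of covering at the earliest reliable point. Swapping the root view controller after the app is already in the background does not refresh the existing card, which is why the cover has to be in place before the app resigns active rather than being applied on logout.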
Potential Impact
For European organizations, particularly those in Poland where mObywatel is widely used as a government-issued digital identity app, this vulnerability poses a privacy risk by exposing personal data to unauthorized individuals who gain physical access to a user's unlocked iOS device. The impact is on confidentiality: identity details shown in the app could be read and reused for social engineering or identity fraud. The vulnerability does not compromise data integrity or availability and cannot be exploited remotely. The risk is further limited by the requirement for physical access and for the user to have minimized the app with sensitive content on screen. Nonetheless, organizations that rely on mObywatel for identity verification or citizen services should be aware of the exposure and ensure users update to the fixed version, since unaddressed privacy flaws erode trust in digital identity solutions. Outside Poland, exposure is limited to mObywatel users travelling or residing abroad; other countries' digital identity apps are not affected by this CVE.
Mitigation Recommendations
1. Update the mObywatel iOS application to version 4.71.0 or later, which contains the fix for this vulnerability.
2. Educate users to log out and fully close the app (swipe it away in the App Switcher) before leaving their device unattended. On vulnerable versions, logging out alone does not refresh an existing App Switcher snapshot.
3. Encourage use of device-level security features such as biometric locks, strong passcodes and a short auto-lock interval, since the App Switcher is only reachable on an unlocked device.
4. For organizations, implement policies that restrict device sharing and enforce secure device handling practices.
5. Monitor for outdated or unofficial app versions in use within the organization and mandate updates.
6. Advocate for app developers to implement secure backgrounding practices, such as obscuring or blanking sensitive screens when the app resigns active. A quick check: open a screen with personal data, swipe into the App Switcher, and confirm the app's card shows a blank or blurred cover rather than the data.
7. Consider mobile device management (MDM) controls to enforce app updates and secure app usage policies.
8. Conduct user awareness campaigns highlighting the risk of leaving sensitive apps visible in the App Switcher.
Affected Countries
Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-10-10T12:41:40.283Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6981dfc7f9fa50a62fc15520
Added to database: 2/3/2026, 11:45:11 AM
Last enriched: 2/3/2026, 11:59:29 AM
Last updated: 2/3/2026, 2:28:01 PM
Related Threats
- CVE-2025-7760: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Ofisimo Web-Based Software Technologies Association Web Package Flora (High)
- CVE-2025-6397: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Ankara Hosting Website Design Website Software (High)
- CVE-2026-1664: CWE-639 Authorization Bypass Through User-Controlled Key (Medium)
- CVE-2026-1432: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in T-Systems Buroweb (Critical)
- CVE-2025-8461: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Seres Software syWEB (High)