
Security researchers have identified six previously undocumented vulnerabilities in Apple AirDrop and Google/Samsung Quick Share after conducting the first comprehensive reverse engineering and security analysis of both proprietary proximity file-sharing protocols.
While the flaws range from denial-of-service bugs to authentication and encryption bypasses, the researchers say they demonstrate that wireless file-sharing services expose a broad attack surface that has received little academic scrutiny.
The research was conducted by Arash Ale Ebrahim and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security. To analyze the proprietary protocols, the researchers reverse-engineered Apple's AirDrop implementation, reconstructed its application-layer protocol stack, and developed a custom protocol-aware fuzzing framework called AIRFUZZ capable of testing complex serialized inputs before compression. The researchers also manually analyzed Samsung's Quick Share implementation on Android and Google's Quick Share client for Windows.

Five billion devices at risk
Apple AirDrop and Google Quick Share collectively serve more than five billion active devices, making them among the world's most widely deployed proximity file-sharing technologies. AirDrop ships with macOS, iOS, and iPadOS, while Quick Share is Google's standard nearby sharing platform across Android and Windows, with Samsung integrating it deeply into Galaxy smartphones as the default wireless sharing solution. Because these services accept wireless connections from nearby devices without requiring prior pairing during initial discovery, they expose a significant pre-authentication attack surface.
The researchers reconstructed AirDrop's seven-layer protocol stack, including the previously undocumented DVZip adaptive compression format and more than 40 internal protocol commands.
Three vulnerabilities in AirDrop
The first is a pre-authentication denial-of-service flaw caused by a Swift fatalError() call in AirDrop's HTTP path router. Sending a POST request to an unrecognized endpoint causes the privileged sharingd daemon to terminate immediately. Because the daemon also manages AirPlay, Handoff, Universal Clipboard, Continuity Camera, and other Continuity features, repeatedly triggering the crash can effectively disable multiple Apple services until the attack stops. The researchers confirmed the issue on macOS 15.7.3, macOS 26.3, iOS 18.x, and iOS 26.3.
The second issue resides in Foundation's XML property list parser, which performs recursive parsing without enforcing a nesting limit. A specially crafted XML property list containing hundreds of nested dictionary elements can exhaust the stack and crash applications that deserialize untrusted property lists. Because the vulnerable code exists within Foundation itself rather than in AirDrop alone, the researchers note that the flaw could affect applications across macOS, iOS, watchOS, tvOS, and visionOS that process attacker-controlled XML property lists.
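The missing nesting limit can be enforced in front of any XML property list deserializer. The sketch below is an added example, not code from the paper or from Apple: it streams the input through expat (event-driven, so the check itself does not recurse) and refuses to deserialize once element nesting passes a limit. The limit of 64 and the sample plist are assumptions made for the example.

```python
import plistlib
import xml.parsers.expat

MAX_DEPTH = 64  # assumed limit for this example; size it to the data you expect

# Constructed sample: a small, well-formed XML property list.
SAMPLE = (b'<plist version="1.0"><dict><key>name</key>'
          b'<string>photo.jpg</string></dict></plist>')


class PlistTooDeep(ValueError):
    """Raised when element nesting exceeds the configured limit."""


def check_plist_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Return the deepest element nesting in `data` (the <plist> root counts
    as 1); raise PlistTooDeep as soon as the limit is exceeded."""
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            # Abort the scan early; nothing has been deserialized yet.
            raise PlistTooDeep(f"nesting depth {depth} exceeds {max_depth}")

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # exceptions raised in handlers propagate out
    return deepest


def safe_loads(data: bytes, max_depth: int = MAX_DEPTH):
    """Deserialize an XML plist only after the depth check has passed."""
    check_plist_depth(data, max_depth)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    print(check_plist_depth(SAMPLE), safe_loads(SAMPLE))
```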
The third AirDrop vulnerability affects Apple's Network.framework HTTP/1.1 parser. Crafted requests with malformed transfer encoding or conflicting Content-Length headers can trigger a NULL pointer dereference, leading to another denial-of-service condition. The researchers note that the flaw could affect other Apple applications that use the same networking framework under similar conditions.
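Stricter request validation for this class of input means deciding how the body is framed before any parser state depends on it. The validator below is an added example, not code from the paper or from Network.framework: it applies a strict reading of RFC 9112 section 6.3, rejecting conflicting or non-numeric Content-Length values, any Transfer-Encoding other than a single `chunked`, and requests that carry both headers. The request bytes and the `/example` path are constructed.

```python
class BadFraming(ValueError):
    """Request rejected because its body framing is ambiguous or malformed."""


def parse_headers(head: bytes):
    """Split a request head into (name, value) pairs, skipping the request line."""
    headers = []
    for line in head.decode("latin-1").split("\r\n")[1:]:
        if not line:  # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise BadFraming(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return headers


def body_framing(headers):
    """Return ("chunked", None), ("length", n) or ("none", 0)."""
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]
    if te and cl:
        # Policy choice for this example: reject instead of preferring one.
        raise BadFraming("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            raise BadFraming(f"unsupported Transfer-Encoding: {codings}")
        return ("chunked", None)
    if cl:
        # Repeated or comma-joined values must all be identical.
        values = {p.strip() for v in cl for p in v.split(",")}
        if len(values) != 1:
            raise BadFraming("conflicting Content-Length values")
        (value,) = values
        if not (value.isascii() and value.isdigit()):
            raise BadFraming("Content-Length is not a decimal integer")
        return ("length", int(value))
    return ("none", 0)


# Constructed sample request head.
SAMPLE_OK = b"POST /example HTTP/1.1\r\nHost: device.local\r\nContent-Length: 12\r\n\r\n"

if __name__ == "__main__":
    print(body_framing(parse_headers(SAMPLE_OK)))
```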
Three Quick Share flaws
On Samsung devices, the researchers found that application-layer protocol messages could be processed before the mandatory UKEY2 authentication handshake completes, allowing unauthenticated interaction with portions of the protocol state machine. They also identified an encryption enforcement flaw in which three of seven post-handshake message types bypass mandatory SecureMessage protection and are processed in plaintext, enabling an on-path attacker to inject specific control messages into active sessions.
The sixth vulnerability affects Google Quick Share for Windows. The researchers discovered a heap use-after-free condition in endpoint management that occurs during connection collision handling. Under specific race conditions involving simultaneous connection and disconnection events, the client dereferences a freed object, triggering a crash that the researchers believe could be exploited to enable remote code execution.

Vendor responses
Apple acknowledged the three AirDrop vulnerabilities and stated that fixes are in progress. Samsung transferred its reports to Google after determining the affected Quick Share code originated from Google's Nearby Connections components. Google acknowledged the Windows use-after-free vulnerability and rewarded the researchers through its Vulnerability Reward Program, while the Android Quick Share findings remain under investigation.
The researchers recommend that Apple replace network-reachable fatalError() calls with graceful error handling, introduce recursion limits for XML property list parsing, and strengthen HTTP request validation. For Quick Share, they recommend rejecting all application-layer messages until authentication completes, enforcing encryption centrally rather than in individual protocol handlers, and redesigning endpoint lifetime management to eliminate race conditions.
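The two Quick Share recommendations, no application-layer messages before authentication and encryption enforced in one place, amount to a single gate that every inbound frame passes before any handler runs. The sketch below is an added example, not Quick Share or Nearby Connections code: the message type names are hypothetical, and an HMAC-SHA256 tag stands in for SecureMessage protection (integrity only, no confidentiality).

```python
import hashlib
import hmac

HANDSHAKE_TYPES = {"HANDSHAKE_INIT", "HANDSHAKE_FINISH"}  # hypothetical names


class Rejected(Exception):
    """Frame dropped by the central policy gate."""


def seal(key: bytes, msg_type: str, body: bytes) -> bytes:
    """Tag binding the message type and body to the session key."""
    return hmac.new(key, msg_type.encode() + b"\x00" + body, hashlib.sha256).digest()


class Session:
    def __init__(self, handlers):
        self.handlers = handlers  # msg_type -> callable(body)
        self.key = None           # set only when the handshake completes

    def complete_handshake(self, session_key: bytes):
        self.key = session_key

    def receive(self, msg_type: str, body: bytes, tag: bytes = b""):
        """Single entry point: handlers are never called on unchecked frames."""
        handler = self.handlers.get(msg_type)
        if handler is None:
            raise Rejected(f"unknown message type {msg_type!r}")  # error, not a crash
        if self.key is None:
            # Pre-authentication: only handshake frames may reach a handler.
            if msg_type not in HANDSHAKE_TYPES:
                raise Rejected(f"{msg_type} received before authentication")
            return handler(body)
        if msg_type in HANDSHAKE_TYPES:
            raise Rejected(f"{msg_type} received after authentication")
        # Post-handshake: the check applies to every type, with no per-type opt-out.
        if not hmac.compare_digest(seal(self.key, msg_type, body), tag):
            raise Rejected(f"{msg_type} is not protected by the session key")
        return handler(body)


if __name__ == "__main__":
    key = b"k" * 32  # constructed session key
    s = Session({"HANDSHAKE_INIT": lambda b: "hs", "KEEP_ALIVE": lambda b: "ok"})
    s.receive("HANDSHAKE_INIT", b"hello")
    s.complete_handshake(key)
    print(s.receive("KEEP_ALIVE", b"", seal(key, "KEEP_ALIVE", b"")))
```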
The researchers have publicly released AIRFUZZ, protocol documentation, crash-reproduction scripts, and other research artifacts with the paper.






