Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols
Pith reviewed 2026-06-26 04:08 UTC · model grok-4.3
The pith
Reverse engineering uncovers six pre-authentication vulnerabilities in AirDrop and Quick Share protocols used on billions of devices.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
We reconstruct AirDrop's seven-layer state machine and DVZip adaptive compression from binary analysis, build AIRFUZZ to mutate pre-compression representations, and through this method plus hand-written protocol analysis identify six vulnerabilities: a Swift fatalError in the HTTP path router, unbounded XML plist recursion, a NULL dereference in the HTTP/1.1 parser, pre-authentication OfflineFrame dispatch and D2D encryption bypass in Samsung Quick Share, and a heap use-after-free in Google Quick Share for Windows.
What carries the argument
AIRFUZZ, a protocol-aware fuzzer that mutates pre-compression representations of the reconstructed seven-layer AirDrop state machine.
If this is right
- Three distinct pre-authentication paths in AirDrop can be triggered to cause denial of service on macOS and iOS.
- Samsung Quick Share accepts and dispatches certain frames before authentication and permits encryption bypass on three frame types.
- Google Quick Share for Windows contains a reachable heap use-after-free.
- All six issues were reported to the respective vendors and acknowledged.
- The protocols process untrusted serialized content inside privileged daemons without requiring prior pairing.
Where Pith is reading between the lines
- The same reverse-engineering-plus-fuzzing approach could be applied to other undocumented proximity or device-to-device protocols.
- Vendors of closed proximity stacks may need to expose more internal interfaces or test harnesses to enable independent security review.
- Zero-click attack surfaces in wireless file transfer deserve routine, protocol-aware testing rather than only generic network fuzzing.
- The existence of adaptive compression layers like DVZip adds complexity that can hide parsing bugs until the representation is mutated before compression.
Load-bearing premise
The reconstructed seven-layer state machine, DVZip compression, and identified frame types accurately match the production implementations on current devices.
What would settle it
Sending the exact mutated packets or frames described to current production devices and observing neither crashes nor successful bypasses would show the reported issues are not reachable.
Apple AirDrop and Google/Samsung Quick Share are proximity file-transfer protocols used by over five billion devices, yet their application-layer security properties remain largely unstudied because both stacks are proprietary and undocumented. Both protocols are reachable from wireless proximity without any prior pairing and process complex serialized content (binary plists, CPIO archives, Protocol Buffers, UKEY2 handshakes) inside privileged daemons, making them attractive zero-click targets across multiple operating systems. We perform the first cross-platform reverse engineering and protocol-aware fuzzing study of both stacks. We reconstruct AirDrop's seven-layer state machine and DVZip adaptive compression from binary analysis, build AIRFUZZ, a protocol-aware fuzzer that mutates pre-compression representations, and complement it with targeted hand-written analyses of Samsung's Quick Share service and Google's Quick Share for Windows. We discover six vulnerabilities (V1-V6): three pre-authentication issues in macOS/iOS AirDrop (V1: Swift fatalError DoS in the HTTP path router; V2: unbounded XML plist recursion in Foundation; V3: NULL dereference in Network.framework's HTTP/1.1 parser), two protocol-layer flaws in Samsung Quick Share (V4: pre-authentication OfflineFrame dispatch; V5: D2D encryption bypass for three frame types), and a heap use-after-free in Google Quick Share for Windows (V6) for which Google awarded a bounty. We responsibly disclosed all findings, and Apple, Samsung, and Google have acknowledged the reports.
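The abstract lists V2 as unbounded XML plist recursion in Foundation. The following Python decoder is an added example, not code from the paper, from AIRFUZZ, or from Apple's Foundation; it shows the bug class and its mitigation side by side: the same recursive converter run with no depth limit (where a C implementation would overflow its stack, and Python raises RecursionError) and with an explicit nesting limit that rejects hostile input after a handful of levels. The limit value (`MAX_DEPTH`), the sample plist's field names, and the `nested_arrays` hostile input are all constructed for the example.

```python
"""Depth-bounded XML plist decoding (added example; not the paper's or Apple's code)."""
import xml.etree.ElementTree as ET

MAX_DEPTH = 64  # assumed policy value; the page gives no real Foundation limit


class PlistDepthError(ValueError):
    """Raised when a plist nests deeper than the configured limit."""


def _convert(elem, depth, max_depth):
    # The depth check is the mitigation. With max_depth=None the converter
    # recurses once per nesting level with nothing to stop it: the V2 pattern.
    if max_depth is not None and depth > max_depth:
        raise PlistDepthError(f"nesting depth {depth} exceeds limit {max_depth}")
    tag = elem.tag
    if tag == "dict":
        children = list(elem)
        if len(children) % 2:
            raise ValueError("<dict> must hold alternating <key>/value pairs")
        out = {}
        for key, val in zip(children[0::2], children[1::2]):
            if key.tag != "key":
                raise ValueError(f"expected <key>, got <{key.tag}>")
            out[key.text or ""] = _convert(val, depth + 1, max_depth)
        return out
    if tag == "array":
        return [_convert(child, depth + 1, max_depth) for child in elem]
    if tag == "string":
        return elem.text or ""
    if tag == "integer":
        return int(elem.text)
    if tag == "true":
        return True
    if tag == "false":
        return False
    raise ValueError(f"unsupported plist element <{tag}>")


def parse_plist(xml_bytes, max_depth=MAX_DEPTH):
    """Decode an XML plist into Python values, refusing nesting beyond max_depth.

    max_depth=None disables the check (the vulnerable configuration).
    """
    # expat builds the element tree iteratively; the unbounded recursion is ours.
    root = ET.fromstring(xml_bytes)
    if root.tag != "plist" or len(root) != 1:
        raise ValueError("expected a single top-level object inside <plist>")
    return _convert(root[0], 1, max_depth)


def nested_arrays(levels):
    """Constructed hostile input: `levels` <array> elements nested inside each other."""
    body = b"<array>" * levels + b"</array>" * levels
    return b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">' + body + b"</plist>"


def classify(xml_bytes, max_depth=MAX_DEPTH):
    """Report the parser's fate on an input: 'ok', 'rejected' by the depth
    policy, or 'exhausted' (RecursionError here; a stack overflow in C)."""
    try:
        parse_plist(xml_bytes, max_depth)
        return "ok"
    except PlistDepthError:
        return "rejected"
    except RecursionError:
        return "exhausted"


# Constructed sample with made-up field names; it is not a real AirDrop message.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SenderID</key><string>constructed-sender</string>
  <key>Items</key><array><integer>1</integer><true/></array>
  <key>Ask</key><false/>
</dict>
</plist>"""

if __name__ == "__main__":
    print(parse_plist(SAMPLE))
    print("unbounded:", classify(nested_arrays(20000), max_depth=None))
    print("bounded:  ", classify(nested_arrays(20000)))
```

The design point is that the depth counter lives in the converter, not in the XML tokenizer: expat happily builds a 20000-level tree, so a parser that trusts its own recursion to terminate inherits the input's nesting as stack depth. A fixed limit turns an unbounded resource use into a cheap, early validation error, which is what a privileged daemon handling unauthenticated input needs.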
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript reports the first systematic reverse-engineering and protocol-aware fuzzing study of the proprietary Apple AirDrop and Google/Samsung Quick Share proximity file-transfer protocols. It reconstructs AirDrop's seven-layer state machine and DVZip adaptive compression, introduces the AIRFUZZ fuzzer that mutates pre-compression representations, performs targeted analysis of Samsung and Google Quick Share implementations, and identifies six vulnerabilities (V1-V6): three pre-authentication issues in macOS/iOS AirDrop (Swift fatalError DoS, unbounded XML plist recursion, NULL dereference in HTTP/1.1 parser), two protocol-layer flaws in Samsung Quick Share (pre-auth OfflineFrame dispatch, D2D encryption bypass), and a heap use-after-free in Google Quick Share for Windows.
Significance. If the reported crashes and bypasses hold, the work is significant for the security of proximity protocols deployed on billions of devices. The empirical nature of the findings, combined with responsible disclosure, vendor acknowledgments from Apple, Samsung, and Google, and a bounty for V6, provides external validation that the reconstructed state machine and frame handling accurately reflect production behavior.
minor comments (2)
- [§3.2] The AIRFUZZ mutation operators are described at a high level; adding one or two concrete examples of how a pre-compression plist or CPIO archive is mutated would improve reproducibility for readers attempting to extend the fuzzer.
- [Figure 2] The seven-layer state machine diagram would benefit from explicit labels on transitions that correspond to the frame types used in the V4 and V5 attacks.
Simulated Author's Rebuttal
We thank the referee for their positive evaluation of the manuscript, accurate summary of the contributions, and recommendation to accept. The work's significance is reinforced by the external validation through responsible disclosure and vendor acknowledgments.
Circularity Check
No significant circularity
The paper's core claims consist of empirical discoveries obtained via binary reverse engineering, protocol reconstruction, and fuzzing against live device implementations. No equations, fitted parameters, predictions, or self-citations are used to derive the reported vulnerabilities or state machines; external vendor acknowledgments (including bounties) provide independent validation. This is a standard non-circular empirical security analysis.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: Reverse engineering of binary code and protocol-aware fuzzing can reliably surface exploitable vulnerabilities in closed-source proximity transfer stacks.