
arxiv: 2606.26967 · v1 · pith:WZIPFJYYnew · submitted 2026-06-25 · 💻 cs.CR

Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols

Pith reviewed 2026-06-26 04:08 UTC · model grok-4.3

classification 💻 cs.CR
keywords: AirDrop · Quick Share · proximity protocols · reverse engineering · protocol fuzzing · pre-authentication vulnerabilities · zero-click attacks · binary analysis

The pith

Reverse engineering uncovers six pre-authentication vulnerabilities in AirDrop and Quick Share protocols used on billions of devices.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper sets out to show that two widely deployed but proprietary proximity file-transfer protocols can be systematically analyzed despite being closed and undocumented. By reconstructing AirDrop's internal seven-layer state machine and DVZip compression, then applying a custom fuzzer plus targeted analysis, the authors locate three issues in Apple's macOS and iOS implementations, two protocol flaws in Samsung Quick Share, and one heap bug in Google's Windows client. A reader would care because these protocols accept complex serialized data over wireless links with no prior pairing and run inside privileged processes, creating zero-click surfaces. The work therefore supplies concrete evidence that such stacks merit dedicated security scrutiny even when source code is unavailable.

Core claim

We reconstruct AirDrop's seven-layer state machine and DVZip adaptive compression from binary analysis, build AIRFUZZ to mutate pre-compression representations, and through this method plus hand-written protocol analysis identify six vulnerabilities: a Swift fatalError in the HTTP path router, unbounded XML plist recursion, a NULL dereference in the HTTP/1.1 parser, pre-authentication OfflineFrame dispatch and D2D encryption bypass in Samsung Quick Share, and a heap use-after-free in Google Quick Share for Windows.

What carries the argument

AIRFUZZ, a protocol-aware fuzzer that mutates pre-compression representations of the reconstructed seven-layer AirDrop state machine.

If this is right

  • Three distinct pre-authentication paths in AirDrop can be triggered to cause denial of service on macOS and iOS.
  • Samsung Quick Share accepts and dispatches certain frames before authentication and permits encryption bypass on three frame types.
  • Google Quick Share for Windows contains a reachable heap use-after-free.
  • All six issues were reported to the respective vendors and acknowledged.
  • The protocols process untrusted serialized content inside privileged daemons without requiring prior pairing.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same reverse-engineering-plus-fuzzing approach could be applied to other undocumented proximity or device-to-device protocols.
  • Vendors of closed proximity stacks may need to expose more internal interfaces or test harnesses to enable independent security review.
  • Zero-click attack surfaces in wireless file transfer deserve routine, protocol-aware testing rather than only generic network fuzzing.
  • The existence of adaptive compression layers like DVZip adds complexity that can hide parsing bugs until the representation is mutated before compression.

Load-bearing premise

The reconstructed seven-layer state machine, DVZip compression, and identified frame types accurately match the production implementations on current devices.

What would settle it

Sending the exact mutated packets or frames described to current production devices and observing neither crashes nor successful bypasses would show the reported issues are not reachable.

Figures

Figures reproduced from arXiv: 2606.26967 by Arash Ale Ebrahim, Nils Ole Tippenhauer.

Figure 1: End-to-end AirDrop exchange. Discover and Ask [image not reproduced]

Figure 2: AIRFUZZ architecture. Mutations are applied to seed inputs before DVZip compression; Frida hooks bypass the user-acceptance prompt; coverage feedback guides mutation selection. This enables fully automated fuzzing without user interaction. The daemon monitors the target process and automatically reattaches after crashes with configurable recovery using launchctl bootout/bootstrap to reset launchd throttl… [image not reproduced]

Figure 3: Intended Quick Share connection flow. V4 sends [image not reproduced]

Figure 4: V5 per-handler encryption enforcement. Four of [image not reproduced]
Original abstract

Apple AirDrop and Google/Samsung Quick Share are proximity file-transfer protocols used by over five billion devices, yet their application-layer security properties remain largely unstudied because both stacks are proprietary and undocumented. Both protocols are reachable from wireless proximity without any prior pairing and process complex serialized content (binary plists, CPIO archives, Protocol Buffers, UKEY2 handshakes) inside privileged daemons, making them attractive zero-click targets across multiple operating systems. We perform the first cross-platform reverse engineering and protocol-aware fuzzing study of both stacks. We reconstruct AirDrop's seven-layer state machine and DVZip adaptive compression from binary analysis, build AIRFUZZ, a protocol-aware fuzzer that mutates pre-compression representations, and complement it with targeted hand-written analyses of Samsung's Quick Share service and Google's Quick Share for Windows. We discover six vulnerabilities (V1-V6): three pre-authentication issues in macOS/iOS AirDrop (V1: Swift fatalError DoS in the HTTP path router; V2: unbounded XML plist recursion in Foundation; V3: NULL dereference in Network.framework's HTTP/1.1 parser), two protocol-layer flaws in Samsung Quick Share (V4: pre-authentication OfflineFrame dispatch; V5: D2D encryption bypass for three frame types), and a heap use-after-free in Google Quick Share for Windows (V6) for which Google awarded a bounty. We responsibly disclosed all findings, and Apple, Samsung, and Google have acknowledged the reports.
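The abstract's V2 is an unbounded-recursion bug in XML plist parsing inside a privileged daemon. The Python below is an added illustration, not code from the paper, from AIRFUZZ, or from Apple's Foundation: it places the generic shape of that failure mode (a recursive converter whose stack usage is chosen by the sender) beside a depth-bounded streaming parser that refuses hostile nesting before any structure is built for it. The plist subset handled (array, dict, string, integer, true, false), the limit of 64 levels, and the nested-array sample input are all assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class PlistDepthExceeded(ValueError):
    """Raised when element nesting exceeds the configured limit."""


def build_nested_array_plist(depth: int) -> bytes:
    """Constructed sample input: an XML plist whose only value is `depth` nested arrays."""
    body = "<array>" * depth + "</array>" * depth
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<plist version="1.0">' + body.encode() + b'</plist>')


def naive_plist_to_python(data: bytes):
    """Recursive converter with no depth check (the shape of an unguarded parser).
    Every nesting level costs one stack frame, so sender-chosen depth becomes a
    RecursionError here, or a stack overflow in a native implementation."""
    def convert(el):
        if el.tag == "array":
            return [convert(child) for child in el]
        if el.tag == "dict":
            kids = list(el)   # alternating <key>, value pairs
            return {kids[i].text: convert(kids[i + 1]) for i in range(0, len(kids), 2)}
        if el.tag == "string":
            return el.text or ""
        if el.tag == "integer":
            return int(el.text)
        if el.tag in ("true", "false"):
            return el.tag == "true"
        raise ValueError(f"unsupported element <{el.tag}>")

    return convert(ET.fromstring(data)[0])   # [0] skips the <plist> wrapper


def parse_plist_bounded(data: bytes, max_depth: int = 64):
    """Streaming (SAX-style) parser that counts nesting depth as it goes and
    rejects the document as soon as `max_depth` is exceeded. The check runs
    before the element is materialised, so a hostile document costs at most
    max_depth levels of state regardless of how deep it really is."""
    root, stack, keys, text = [], [], [], []
    depth = 0

    def add_value(value):
        parent = stack[-1] if stack else root
        if isinstance(parent, dict):
            parent[keys.pop()] = value    # value belongs to the most recent <key>
        else:
            parent.append(value)

    def start(tag, _attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise PlistDepthExceeded(f"nesting depth {depth} exceeds limit {max_depth}")
        text.clear()
        if tag in ("array", "dict"):
            container = [] if tag == "array" else {}
            add_value(container)
            stack.append(container)

    def end(tag):
        nonlocal depth
        value = "".join(text).strip()
        if tag == "key":
            keys.append(value)
        elif tag == "string":
            add_value(value)
        elif tag == "integer":
            add_value(int(value))
        elif tag in ("true", "false"):
            add_value(tag == "true")
        elif tag in ("array", "dict"):
            stack.pop()
        text.clear()
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return root[0] if root else None


def naive_overflows(depth: int) -> bool:
    """True if the unguarded converter exhausts the interpreter stack on `depth` levels."""
    try:
        naive_plist_to_python(build_nested_array_plist(depth))
        return False
    except RecursionError:
        return True


def bounded_rejects(depth: int, max_depth: int = 64) -> bool:
    """True if the guarded parser cleanly refuses a document nested `depth` levels."""
    try:
        parse_plist_bounded(build_nested_array_plist(depth), max_depth)
        return False
    except PlistDepthExceeded:
        return True


if __name__ == "__main__":
    print("naive converter overflows at depth 3000:", naive_overflows(3000))
    print("bounded parser rejects depth 3000:", bounded_rejects(3000))
    print("bounded parser accepts depth 3:", parse_plist_bounded(build_nested_array_plist(3)))
```

The design point is that the depth check sits in the start-element callback, ahead of any allocation for the element, so the worst case a remote sender can impose is a clean, logged rejection rather than a crash of the hosting process. The same guard applies to any recursive container format a pre-authentication path decodes (the abstract also names CPIO archives and Protocol Buffers), and a fuzzer that mutates the pre-compression representation is exactly the tool that exposes its absence.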

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The manuscript reports the first systematic reverse-engineering and protocol-aware fuzzing study of the proprietary Apple AirDrop and Google/Samsung Quick Share proximity file-transfer protocols. It reconstructs AirDrop's seven-layer state machine and DVZip adaptive compression, introduces the AIRFUZZ fuzzer that mutates pre-compression representations, performs targeted analysis of Samsung and Google Quick Share implementations, and identifies six vulnerabilities (V1-V6): three pre-authentication issues in macOS/iOS AirDrop (Swift fatalError DoS, unbounded XML plist recursion, NULL dereference in HTTP/1.1 parser), two protocol-layer flaws in Samsung Quick Share (pre-auth OfflineFrame dispatch, D2D encryption bypass), and a heap use-after-free in Google Quick Share for Windows.

Significance. If the reported crashes and bypasses hold, the work is significant for the security of proximity protocols deployed on billions of devices. The empirical nature of the findings, combined with responsible disclosure, vendor acknowledgments from Apple, Samsung, and Google, and a bounty for V6, provides external validation that the reconstructed state machine and frame handling accurately reflect production behavior.

minor comments (2)
  1. [§3.2] The AIRFUZZ mutation operators are described at a high level; adding one or two concrete examples of how a pre-compression plist or CPIO archive is mutated would improve reproducibility for readers attempting to extend the fuzzer.
  2. [Figure 2] The seven-layer state machine diagram would benefit from explicit labels on transitions that correspond to the frame types used in the V4 and V5 attacks.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for their positive evaluation of the manuscript, accurate summary of the contributions, and recommendation to accept. The work's significance is reinforced by the external validation through responsible disclosure and vendor acknowledgments.

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper's core claims consist of empirical discoveries obtained via binary reverse engineering, protocol reconstruction, and fuzzing against live device implementations. No equations, fitted parameters, predictions, or self-citations are used to derive the reported vulnerabilities or state machines; external vendor acknowledgments (including bounties) provide independent validation. This is a standard non-circular empirical security analysis.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claims rest on the assumption that binary analysis and fuzzing observations correctly identify security flaws in undocumented proprietary code; no free parameters or invented entities are introduced.

axioms (1)
  • domain assumption Reverse engineering of binary code and protocol-aware fuzzing can reliably surface exploitable vulnerabilities in closed-source proximity transfer stacks.
    Invoked throughout the methodology section when mapping observed crashes and bypasses to the reconstructed state machine.

pith-pipeline@v0.9.1-grok · 5814 in / 1287 out tokens · 44694 ms · 2026-06-26T04:08:21.210737+00:00 · methodology

