- The paper introduces AirFuzz, a novel protocol-aware fuzzing tool that uncovers six critical zero-click vulnerabilities in both AirDrop and Quick Share protocols.
- It leverages cross-layer reverse engineering, mutation-based input generation, and Frida instrumentation to bypass authentication and trigger daemon faults.
- Findings reveal systemic protocol design flaws across platforms, urging immediate mitigations and deeper research into securing wireless proximity transfer services.
Systematic Vulnerability Analysis of Proximity Transfer Protocols
Introduction
The widespread deployment of proprietary proximity file-transfer protocols, notably Apple’s AirDrop and Google/Samsung Quick Share, presents a significant yet underexplored attack surface in modern operating systems. This work provides a comprehensive, cross-platform security analysis of these two protocols, demonstrating the feasibility of cross-layer reverse engineering and protocol-aware fuzzing for zero-click attack surface discovery. The analysis spans protocol stack reconstitution, mutation-based input generation, and multi-platform vulnerability assessment. The findings have direct implications for modern wireless-accessible background services, with emphasis on application-layer logic, cryptographic enforcement, and concurrency management.
AirDrop Protocol Reverse Engineering
Through binary and dynamic analysis of sharingd and related frameworks on macOS and iOS, a seven-layer application protocol stack is reconstructed, with serialization complexity and attack surface expanding at each layer. Notable elements include custom compression (DVZip), CPIO archive handling, and the use of binary property lists for data interchange. DVZip’s adaptive chunking and fallback behaviors are characterized. The HTTP API surfaces multiple request types (Discover, Ask, Upload, etc.), and the state machine enforces sequenced, mutual-exclusion slots and user-mediate consent, gated via semaphore logic.
Authentication relies on self-signed TLS with no peer verification, followed by Apple ID certificate-based contact resolution. The protocol is designed to prevent zero-click transfer, but input validation is insufficiently robust—critical issues remain in path handling and recursive parsing.
Protocol-Aware Fuzzing (AirFuzz)
A novel fuzzing tool, AirFuzz, is developed to target the multi-encoding AirDrop stack. The fuzzer incorporates nine mutation strategies spanning HTTP, binary plist, DVZip, CPIO, DER, and low-level field operations. A key architectural improvement is the application of mutations to uncompressed, pre-encoded CPIO archives, maintaining checksum validity and improving path exploration.
User-acceptance gating is automated by Frida-based instrumentation that hooks consent-related predicates and notification handlers, enabling high-throughput, zero-interaction fuzzing. Coverage detection eschews Stalker-based in-process feedback (which is incompatible with macOS/iOS arm64e codesigning) for carefully placed Interceptor hooks, trading off granularity for stability.
Figure 1: AirFuzz architecture. Mutations are applied to seed inputs before DVZip compression; Frida hooks bypass the user-acceptance prompt; coverage feedback guides mutation selection.
Vulnerabilities in AirDrop
Three vulnerabilities are discovered:
- V1: A fatalError assertion in the HTTP path router allows unauthenticated request paths to trigger daemon termination via a one-packet denial-of-service. This is systemic to the Swift implementation and is not present in earlier, non-Swift code.
- V2: Unbounded XML plist recursion in Foundation permits stack exhaustion and user-space daemon crash with attacker-controlled recursion, applicable to all platforms utilizing Foundation.
- V3: Network.framework’s HTTP/1.1 parser allows NULL pointer dereference via malformed requests, causing targeted daemon or system process termination without the possibility of memory corruption or control flow hijacking.
All three vulnerabilities are pre-authentication and zero-click reachable on targets configured in permissive visibility modes.
Vulnerabilities in Android/Windows Quick Share
Manual and automated analysis of Samsung and Google Quick Share reveals three additional issues:
- V4: Samsung GMS dispatches several OfflineFrame types prior to the completion of cryptographic authentication (UKEY2 handshake). An unauthenticated attacker can directly interact with application-layer logic and manipulate protocol state.
- V5: Post-handshake, three OfflineFrame types (CONNECTION_RESPONSE, BANDWIDTH_UPGRADE, KEEP_ALIVE) are accepted in plaintext, bypassing the SecureMessage wrapper, while other types require encryption. This weak handler-level enforcement enables injection and manipulation of critical protocol messages by on-path adversaries.
Figure 2: V5 per-handler encryption enforcement. Four of seven post-handshake OfflineFrame types are correctly rejected when unencrypted; the three red types are dispatched and processed even when delivered as a raw, unwrapped protobuf, despite the active D2D session.
- V6: Quick Share for Windows endpoint channel management introduces a use-after-free primitive in the EncryptionRunner collision handler. By inducing simultaneous endpoint connections with duplicate identifiers, the attacker triggers race conditions culminating in vtable dereference on a freed object, suggesting an exploitable remote code execution path in memory management–unsafe environments (CFG is disabled).
Both protocols expose substantial pre-authentication, zero-click surfaces through always-on wireless listeners. Despite structural differences (deeply layered custom encoding in AirDrop vs. protobuf-based message framing in Quick Share), logical flaws occur at homologous boundaries: assertion-based path dispatching, parser recursion, partial authentication enforcement, lax encryption envelope application, and thread-unsafe endpoint management.
The vulnerabilities uncovered exemplify the discrepancy between legacy system design patterns and current network-exposed daemon requirements. Fatal assertion logic, insufficient isolation between protocol layers, handler-level security decisions, and improper reference management in multi-threaded state machines collectively contribute to a diverse vulnerability landscape.
The practical reach is broad: AirDrop and Quick Share collectively serve over five billion devices; the wireless proximity attack model enables adversaries to target large populations in dense environments. Furthermore, the Quick Share implementation findings suggest architectural code reuse across multiple Android OEMs may propagate weaknesses more broadly. The release of protocol documentation and fuzzing tools supports open evaluation and improvement.
Recommendations and Future Work
Mitigation strategies include replacing fatal assertions with error returns, enforcing bounded recursion and message sizes, centralizing authentication and encryption checks in dispatchers, and adopting safe endpoint object management (e.g., reference counting or epoch-based reclamation).
Future research should generalize state machine and concurrency verification for always-on mobile daemons, extend analysis to OEM-customized variants, and explore the application of formal methods tools (e.g., ProVerif/Tamarin) to protocol correctness.
Conclusion
This analysis demonstrates the systemic vulnerability of proprietary, wireless-reachable proximity transfer protocols at the application layer, exposing zero-click pre-authentication code paths across major platforms. The reverse engineering of undocumented layers, protocol-aware fuzzing innovations, and identification of six high-impact vulnerabilities yield direct targets for remediation and a roadmap for securing wireless-accessible background infrastructure. All vulnerabilities identified were subject to responsible disclosure, and core tool artifacts are publicly available. The methodologies advanced by this work serve as a blueprint for future systematic analysis of similar always-on, high-value attack surfaces.