Papers
Topics
Authors
Recent
Search
2000 character limit reached

Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols

Published 25 Jun 2026 in cs.CR | (2606.26967v1)

Abstract: Apple AirDrop and Google/Samsung Quick Share are proximity file-transfer protocols used by over five billion devices, yet their application-layer security properties remain largely unstudied because both stacks are proprietary and undocumented. Both protocols are reachable from wireless proximity without any prior pairing and process complex serialized content (binary plists, CPIO archives, Protocol Buffers, UKEY2 handshakes) inside privileged daemons, making them attractive zero-click targets across multiple operating systems. We perform the first cross-platform reverse engineering and protocol-aware fuzzing study of both stacks. We reconstruct AirDrop's seven-layer state machine and DVZip adaptive compression from binary analysis, build AIRFUZZ, a protocol-aware fuzzer that mutates pre-compression representations, and complement it with targeted hand-written analyses of Samsung's Quick Share service and Google's Quick Share for Windows. We discover six vulnerabilities (V1-V6): three pre-authentication issues in macOS/iOS AirDrop (V1: Swift fatalError DoS in the HTTP path router; V2: unbounded XML plist recursion in Foundation; V3: NULL dereference in Network.framework's HTTP/1.1 parser), two protocol-layer flaws in Samsung Quick Share (V4: pre-authentication OfflineFrame dispatch; V5: D2D encryption bypass for three frame types), and a heap use-after-free in Google Quick Share for Windows (V6) for which Google awarded a bounty. We responsibly disclosed all findings, and Apple, Samsung, and Google have acknowledged the reports.

Summary

  • The paper introduces AirFuzz, a novel protocol-aware fuzzing tool that uncovers six critical zero-click vulnerabilities in both AirDrop and Quick Share protocols.
  • It leverages cross-layer reverse engineering, mutation-based input generation, and Frida instrumentation to bypass authentication and trigger daemon faults.
  • Findings reveal systemic protocol design flaws across platforms, urging immediate mitigations and deeper research into securing wireless proximity transfer services.

Systematic Vulnerability Analysis of Proximity Transfer Protocols

Introduction

The widespread deployment of proprietary proximity file-transfer protocols, notably Apple’s AirDrop and Google/Samsung Quick Share, presents a significant yet underexplored attack surface in modern operating systems. This work provides a comprehensive, cross-platform security analysis of these two protocols, demonstrating the feasibility of cross-layer reverse engineering and protocol-aware fuzzing for zero-click attack surface discovery. The analysis spans protocol stack reconstitution, mutation-based input generation, and multi-platform vulnerability assessment. The findings have direct implications for modern wireless-accessible background services, with emphasis on application-layer logic, cryptographic enforcement, and concurrency management.

AirDrop Protocol Reverse Engineering

Through binary and dynamic analysis of sharingd and related frameworks on macOS and iOS, a seven-layer application protocol stack is reconstructed, with serialization complexity and attack surface expanding at each layer. Notable elements include custom compression (DVZip), CPIO archive handling, and the use of binary property lists for data interchange. DVZip’s adaptive chunking and fallback behaviors are characterized. The HTTP API surfaces multiple request types (Discover, Ask, Upload, etc.), and the state machine enforces sequenced, mutual-exclusion slots and user-mediate consent, gated via semaphore logic.

Authentication relies on self-signed TLS with no peer verification, followed by Apple ID certificate-based contact resolution. The protocol is designed to prevent zero-click transfer, but input validation is insufficiently robust—critical issues remain in path handling and recursive parsing.

Protocol-Aware Fuzzing (AirFuzz)

A novel fuzzing tool, AirFuzz, is developed to target the multi-encoding AirDrop stack. The fuzzer incorporates nine mutation strategies spanning HTTP, binary plist, DVZip, CPIO, DER, and low-level field operations. A key architectural improvement is the application of mutations to uncompressed, pre-encoded CPIO archives, maintaining checksum validity and improving path exploration.

User-acceptance gating is automated by Frida-based instrumentation that hooks consent-related predicates and notification handlers, enabling high-throughput, zero-interaction fuzzing. Coverage detection eschews Stalker-based in-process feedback (which is incompatible with macOS/iOS arm64e codesigning) for carefully placed Interceptor hooks, trading off granularity for stability. Figure 1

Figure 1: AirFuzz architecture. Mutations are applied to seed inputs before DVZip compression; Frida hooks bypass the user-acceptance prompt; coverage feedback guides mutation selection.

Vulnerabilities in AirDrop

Three vulnerabilities are discovered:

  • V1: A fatalError assertion in the HTTP path router allows unauthenticated request paths to trigger daemon termination via a one-packet denial-of-service. This is systemic to the Swift implementation and is not present in earlier, non-Swift code.
  • V2: Unbounded XML plist recursion in Foundation permits stack exhaustion and user-space daemon crash with attacker-controlled recursion, applicable to all platforms utilizing Foundation.
  • V3: Network.framework’s HTTP/1.1 parser allows NULL pointer dereference via malformed requests, causing targeted daemon or system process termination without the possibility of memory corruption or control flow hijacking.

All three vulnerabilities are pre-authentication and zero-click reachable on targets configured in permissive visibility modes.

Vulnerabilities in Android/Windows Quick Share

Manual and automated analysis of Samsung and Google Quick Share reveals three additional issues:

  • V4: Samsung GMS dispatches several OfflineFrame types prior to the completion of cryptographic authentication (UKEY2 handshake). An unauthenticated attacker can directly interact with application-layer logic and manipulate protocol state.
  • V5: Post-handshake, three OfflineFrame types (CONNECTION_RESPONSE, BANDWIDTH_UPGRADE, KEEP_ALIVE) are accepted in plaintext, bypassing the SecureMessage wrapper, while other types require encryption. This weak handler-level enforcement enables injection and manipulation of critical protocol messages by on-path adversaries. Figure 2

    Figure 2: V5 per-handler encryption enforcement. Four of seven post-handshake OfflineFrame types are correctly rejected when unencrypted; the three red types are dispatched and processed even when delivered as a raw, unwrapped protobuf, despite the active D2D session.

  • V6: Quick Share for Windows endpoint channel management introduces a use-after-free primitive in the EncryptionRunner collision handler. By inducing simultaneous endpoint connections with duplicate identifiers, the attacker triggers race conditions culminating in vtable dereference on a freed object, suggesting an exploitable remote code execution path in memory management–unsafe environments (CFG is disabled).

Both protocols expose substantial pre-authentication, zero-click surfaces through always-on wireless listeners. Despite structural differences (deeply layered custom encoding in AirDrop vs. protobuf-based message framing in Quick Share), logical flaws occur at homologous boundaries: assertion-based path dispatching, parser recursion, partial authentication enforcement, lax encryption envelope application, and thread-unsafe endpoint management.

The vulnerabilities uncovered exemplify the discrepancy between legacy system design patterns and current network-exposed daemon requirements. Fatal assertion logic, insufficient isolation between protocol layers, handler-level security decisions, and improper reference management in multi-threaded state machines collectively contribute to a diverse vulnerability landscape.

The practical reach is broad: AirDrop and Quick Share collectively serve over five billion devices; the wireless proximity attack model enables adversaries to target large populations in dense environments. Furthermore, the Quick Share implementation findings suggest architectural code reuse across multiple Android OEMs may propagate weaknesses more broadly. The release of protocol documentation and fuzzing tools supports open evaluation and improvement.

Recommendations and Future Work

Mitigation strategies include replacing fatal assertions with error returns, enforcing bounded recursion and message sizes, centralizing authentication and encryption checks in dispatchers, and adopting safe endpoint object management (e.g., reference counting or epoch-based reclamation).

Future research should generalize state machine and concurrency verification for always-on mobile daemons, extend analysis to OEM-customized variants, and explore the application of formal methods tools (e.g., ProVerif/Tamarin) to protocol correctness.

Conclusion

This analysis demonstrates the systemic vulnerability of proprietary, wireless-reachable proximity transfer protocols at the application layer, exposing zero-click pre-authentication code paths across major platforms. The reverse engineering of undocumented layers, protocol-aware fuzzing innovations, and identification of six high-impact vulnerabilities yield direct targets for remediation and a roadmap for securing wireless-accessible background infrastructure. All vulnerabilities identified were subject to responsible disclosure, and core tool artifacts are publicly available. The methodologies advanced by this work serve as a blueprint for future systematic analysis of similar always-on, high-value attack surfaces.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 2 tweets with 2 likes about this paper.