Skip to content
HN On Hacker News ↗

Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols

▲ 15 points 1 comments by logickkk1 6h ago HN discussion ↗

Pangram verdict · v3.3

We believe that this document is fully human-written

4 %

AI likelihood · overall

Human
100% human-written 0% AI-generated
SEGMENTS · HUMAN 2 of 2
SEGMENTS · AI 0 of 2
WORD COUNT 254
PEAK AI % 4% · §2
Analyzed
Jul 4
backend: pangram/v3.3
Segments scanned
2 windows
avg 127 words each
Distribution
100 / 0%
human / AI fraction
Verdict
Human
Pangram v3.3

Article text · 254 words · 2 segments analyzed

Human AI-generated
§1 Human · 4%

View PDF HTML (experimental) Abstract:Apple AirDrop and Google/Samsung Quick Share are proximity file-transfer protocols used by over five billion devices, yet their application-layer security properties remain largely unstudied because both stacks are proprietary and undocumented. Both protocols are reachable from wireless proximity without any prior pairing and process complex serialized content (binary plists, CPIO archives, Protocol Buffers, UKEY2 handshakes) inside privileged daemons, making them attractive zero-click targets across multiple operating systems. We perform the first cross-platform reverse engineering and protocol-aware fuzzing study of both stacks. We reconstruct AirDrop's seven-layer state machine and DVZip adaptive compression from binary analysis, build AIRFUZZ, a protocol-aware fuzzer that mutates pre-compression representations, and complement it with targeted hand-written analyses of Samsung's Quick Share service and Google's Quick Share for Windows. We discover six vulnerabilities (V1-V6): three pre-authentication issues in macOS/iOS AirDrop (V1: Swift fatalError DoS in the HTTP path router; V2: unbounded XML plist recursion in Foundation; V3: NULL dereference in this http URL's HTTP/1.1 parser), two protocol-layer flaws in Samsung Quick Share (V4: pre-authentication OfflineFrame dispatch; V5: D2D encryption bypass for three frame types), and a heap use-after-free in Google Quick Share for Windows (V6) for which Google awarded a bounty. We responsibly disclosed all findings, and Apple, Samsung, and Google have acknowledged the reports.

Comments: 15 pages, 4 figures

Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2606.26967 [cs.CR]   (or arXiv:2606.26967v1 [cs.

§2 Human · 4%

CR] for this version)   https://doi.org/10.48550/arXiv.2606.26967 arXiv-issued DOI via DataCite Submission history From: Arash Ale Ebrahim [view email] [v1] Thu, 25 Jun 2026 12:40:13 UTC (2,523 KB)