Six AirDrop and Quick Share Proximity File-Transfer Vulnerabilities (Apple, Google, Samsung) — 'Protocol Prying' Research — Threadlinqs Intelligence
Threat ID: TL-2026-1197 · Severity: MEDIUM · Status: ACTIVE · Category: VULNERABILITY
CISPA Helmholtz researchers Arash Ale Ebrahim and Nils Ole Tippenhauer reverse-engineered Apple AirDrop and Google/Samsung Quick Share, publishing 'Protocol Prying' (arXiv:2606.26967) and disclosing
In late June 2026, researchers at the CISPA Helmholtz Center for Information Security published 'Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols' (arXiv:2606.26967), the first systematic cross-platform reverse-engineering and protocol-aware fuzzing study of both proprietary proximity file-transfer stacks. The team reconstructed AirDrop's seven-layer protocol stack (AWDL/BLE link, IPv6 link-local network, self-signed TLS 1.2/1.3 security layer with no client auth, HTTP/1.1 transport, binary plist encoding, DVZip/gzip adaptive compression, and CPIO newc/BOM archive), and reverse-engineered the previously undocumented DVZip adaptive chunked compression format. They built AIRFUZZ, a nine-layer protocol-aware fuzzer (HTTP, binary plist, DVZip, CPIO, DER, havoc, memcorrupt, and field-level mutation strategies) with a key innovation of mutating raw CPIO archives prior to DVZip compression, raising server-side acceptance of malformed inputs from under 1% to over 90%.
Six vulnerabilities (V1-V6) resulted. Three affect AirDrop, all reachable pre-authentication over wireless proximity (10-30 meters) against a device set to 'Everyone for 10 Minutes' visibility, with no pairing, contact exchange, or shared network required: V1 is a Swift fatalError() in the Sharing.framework HTTP path-routing switch statement, triggered by any request to an unrecognized path, which aborts the sharingd daemon and simultaneously disables AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera; looped requests produce a persistent denial of service. V2 is unbounded recursive descent in Foundation's XMLPlistScanner.scanDict(), where an XML property list of roughly 200 nested <dict> elements (about 6KB, ~2,960 bytes of stack per nesting level) exhausts the thread stack and causes a SIGBUS crash; because Foundation is shared infrastructure, any Apple app that deserializes untrusted XML plists is affected across macOS, iOS, watchOS, tvOS, and visionOS. V3 is a NULL-pointer dereference in Network.framework's nw_protocol_http1_connect(), triggered by malformed HTTP/1.1 requests with negative or duplicate Content-Length/Transfer-Encoding chunk headers, producing a SIGSEGV in an unmapped zero page.
Three affect Quick Share. V4 is a pre-authentication state-machine bypass in the Samsung GMS PcpManager dispatcher: OfflineFrame messages (KEEP_ALIVE, BANDWIDTH_UPGRADE, CONNECTION_RESPONSE) are dispatched immediately after ConnectionRequest Step 1, before the UKEY2 Diffie-Hellman key exchange completes, allowing an unauthenticated attacker to manipulate protocol state before secrets are established. V5 is an encryption-check bypass in the Samsung device-to-device (D2D) EndpointChannelManager dispatcher: three of seven post-handshake frame types (CONNECTION_RESPONSE, BANDWIDTH_UPGRADE, KEEP_ALIVE) are still processed when sent as plaintext instead of wrapped in the mandatory SecureMessage encryption envelope, letting an on-path Wi-Fi attacker on the same LAN maintain sessions and inject state without ever completing the cryptographic handshake. V6 is a use-after-free race condition in Google Quick Share for Windows (client v1.0.2472.1) endpoint management: when two connections collide on the same endpoint identifier and nonce within an approximately 11-second registration/teardown window, the collision handler tears down the endpoint object while a concurrent thread's OnEncryptionFailed callback in encryption_runner.cc still holds a stale pointer; the resulting comparison dereferences freed memory, causing an ACCESS_VIOLATION with potential exploitability toward remote code execution (vtable hijack) given no Control Flow Guard on the affected path. A source-code comment at the vulnerable site reads 'We had a bug here, caused by a race with EncryptionRunner,' indicating a prior, related fix at the same location.
Disclosure status as of report date: Apple has shipped a fix for one A
Weaknesses (CWE)
CWE-248, CWE-674, CWE-476, CWE-306, CWE-319, CWE-416, CWE-362
Target sectors: all sectors consumer enterprise apple and android samsung device users, government administration, finance, health, technology, education
Target regions: Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 20 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
VULNERABILITY, MEDIUM, threat intelligence, cybersecurity, T1595, T1592, T1587, T1190, T1203, T1211, T1557, T1046, T1210, T1499