Researchers Disclose AirDrop and Quick Share Flaws Affecting Five Billion Devices

Two researchers mapped the proximity-sharing protocols behind AirDrop and Quick Share and found six flaws spanning five billion Apple and Android devices, with vendor fixes only partly shipped.

Key Takeaways

  • Researchers Arash Ale Ebrahim and Nils Ole Tippenhauer of Germany's CISPA Helmholtz Center for Information Security disclosed on June 30, 2026 the results of a systematic study of the proximity-sharing protocols behind Apple AirDrop and Android Quick Share, reporting six vulnerabilities that span an ecosystem of more than five billion active Apple and Android devices.
  • The findings include three pre-authentication denial-of-service flaws that can crash AirDrop on current macOS and iOS builds, two protocol-state and encryption bypasses in Samsung's Quick Share implementation, and one heap use-after-free in Google's Quick Share for Windows that the researchers describe as potentially exploitable beyond a crash; the disclosed issues primarily disrupt availability rather than expose user data.
  • Fixes are only partly shipped: Apple has patched one of the three AirDrop bugs and assigned it a CVE that is not yet public, Google paid a bounty and landed a code fix for the Windows flaw with its CVE pending, and the two Samsung bugs handed upstream remain under investigation, leaving organizations managing mixed Apple and Android fleets to track an incomplete cross-vendor patch picture.

SAARBRÜCKEN, GERMANY — Researchers on June 30, 2026 published the first side-by-side analysis of the wireless protocols behind Apple's AirDrop and Android's Quick Share, disclosing six vulnerabilities in the proximity file-sharing services that ship on an ecosystem of more than five billion active Apple and Android devices. The work, carried out by Arash Ale Ebrahim and Nils Ole Tippenhauer of Germany's CISPA Helmholtz Center for Information Security, reportedly found three denial-of-service flaws that crash AirDrop, two protocol bypasses in Samsung's Quick Share implementation, and one memory-corruption bug in Google's Quick Share for Windows. Vendor fixes are under way but only partly shipped.

The disclosure is a research-driven cross-platform story rather than a breach: the reported flaws primarily knock the sharing services offline or sidestep internal checks rather than expose user files, and the attacks are local, requiring an adversary to be within wireless range of a target. But the scope is unusual. Proximity sharing is built into the default software stack of nearly every modern iPhone, Mac, and Android phone, which puts the findings squarely in front of any team responsible for a mixed device fleet and its mobile security posture.

At a Glance
Field | Details
Protocols | Apple AirDrop; Android / Samsung Quick Share; Google Quick Share for Windows
Vendors | Apple, Google, Samsung
CVEs | Not yet public — one AirDrop CVE assigned by Apple; Windows CVE pending
Impact | Pre-auth crashes (DoS); Samsung session / encryption bypass; one potentially exploitable Windows use-after-free
Affected scale | Protocols span 5 billion+ active Apple and Android devices; tested bugs hit specific implementations and versions
Patch status | Partial — one AirDrop bug fixed; Windows fix landed; two Samsung bugs under investigation
Disclosed | June 30, 2026 — CISPA Helmholtz Center for Information Security

What the Research Disclosed

The study, titled "Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols," is the first to examine both stacks side by side. According to the researchers, AirDrop and Quick Share rely on a similar two-stage design: a short-range radio such as Bluetooth Low Energy handles device discovery and wake-up, and a Wi-Fi-based link carries the actual transfer. On the Apple side, that link is Apple Wireless Direct Link, a proprietary ad-hoc Wi-Fi protocol. The team reverse-engineered how these services negotiate and exchange data, then probed the resulting protocol surface for parsing and state-machine errors.

On AirDrop, the researchers reported three pre-authentication denial-of-service issues. One reportedly causes the "sharingd" service to shut down when it receives an unexpected web request; a second involves deeply nested XML property-list files that can exhaust stack space in Foundation, Apple's core software framework; and a third uses malformed request headers to crash Apple's system HTTP parser in Network.framework. The team said it reproduced the crashes on macOS 15.7.4, macOS 26.3, and current iOS 18 and iOS 26.3 builds, while an older iOS 16 build was not affected. Notably, the AirDrop issues are reachable when a device is in the most permissive "Everyone for 10 Minutes" mode, in which the sharing service's interface is exposed without authentication.
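For teams that write their own services accepting XML property lists from unauthenticated peers, the nested-plist finding points at a general hardening step: bound the nesting depth before the document reaches the decoder. The following is an added example, not code from the paper or from Apple; the 32-level limit and the sample documents are assumptions constructed for illustration.

```python
import plistlib
import xml.parsers.expat

MAX_DEPTH = 32  # assumed policy limit, not a value taken from the research


class PlistTooDeep(ValueError):
    """Raised when element nesting exceeds the configured limit."""


def max_xml_depth(data: bytes, limit: int) -> int:
    """Stream the document with expat and return its peak nesting depth.

    Expat is event-driven, so this scan does not recurse per element.
    Parsing aborts as soon as the depth goes past `limit`.
    """
    depth = 0
    peak = 0

    def start(name, attrs):
        nonlocal depth, peak
        depth += 1
        peak = max(peak, depth)
        if depth > limit:
            raise PlistTooDeep(f"nesting depth exceeds {limit}")

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return peak


def safe_load_plist(data: bytes, limit: int = MAX_DEPTH):
    """Check the depth first, then decode with the standard library."""
    max_xml_depth(data, limit)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def nested_arrays(n: int) -> bytes:
    """Constructed test input: n <array> elements nested inside <plist>."""
    head = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">'
    return head + b"<array>" * n + b"</array>" * n + b"</plist>"
```

The same pattern applies to any recursive decoder: measure the input with a non-recursive pass, then reject it before the expensive or stack-hungry stage runs.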

On the Quick Share side, the researchers reported two protocol-layer flaws in Samsung's implementation and one memory-corruption bug in Google's Quick Share for Windows. The Samsung issues reportedly let an attacker drive the connection forward before authentication completes — the implementation dispatches application frames ahead of the standard key exchange — and bypass device-to-device encryption for certain frame types. The Windows flaw is a heap use-after-free that the researchers describe as potentially exploitable beyond a simple crash; Google awarded a bug-bounty payout for that report. Across all six findings, the dominant effect is disruption of the sharing service rather than disclosure of user data.
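The two Samsung findings are both ordering and gating failures, which a receiver can rule out by checking session state and encryption on every frame before dispatch. The sketch below is an added example, not Samsung's or Google's code; the frame-type names and states are hypothetical and do not reflect the Quick Share wire format. Setting `enforce=False` models the behaviour the researchers describe, `enforce=True` the corrected gate.

```python
from enum import Enum, auto


class State(Enum):
    AWAIT_REQUEST = auto()
    KEY_EXCHANGE = auto()
    SECURE = auto()
    CLOSED = auto()


# Hypothetical frame types: name -> (state required, state entered).
HANDSHAKE_FRAMES = {
    "connection_request": (State.AWAIT_REQUEST, State.KEY_EXCHANGE),
    "key_exchange_finished": (State.KEY_EXCHANGE, State.SECURE),
}
APPLICATION_FRAMES = {"introduction", "payload_transfer", "cancel"}


class Receiver:
    def __init__(self, enforce: bool):
        self.enforce = enforce          # False models the flawed dispatcher
        self.state = State.AWAIT_REQUEST
        self.dispatched = []            # frames handed to the application

    def handle(self, frame_type: str, encrypted: bool) -> str:
        if self.state is State.CLOSED:
            return "dropped"
        if frame_type in HANDSHAKE_FRAMES:
            required, entered = HANDSHAKE_FRAMES[frame_type]
            if self.state is not required:
                return self._close("handshake frame out of order")
            self.state = entered
            return "handshake"
        if frame_type in APPLICATION_FRAMES:
            # Gate 1: nothing reaches the application before keys exist.
            if self.enforce and self.state is not State.SECURE:
                return self._close("application frame before key exchange")
            # Gate 2: every application frame type must arrive encrypted.
            if self.enforce and not encrypted:
                return self._close("plaintext application frame")
            self.dispatched.append(frame_type)
            return "dispatched"
        return self._close("unknown frame type")

    def _close(self, reason: str) -> str:
        self.state = State.CLOSED
        return f"closed: {reason}"
```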

Defender Posture for Organizations Managing Apple and Android Device Fleets

For most organizations, the practical reading of this disclosure is not panic but inventory. Proximity sharing is a default feature, and the relevant question for a security team is where it is enabled, in what mode, and on which managed devices. Because the AirDrop crashes are reachable specifically in the "Everyone for 10 Minutes" visibility mode, the most direct mitigation available today is a policy one: ensure that managed Apple devices default to "Contacts Only" or "Receiving Off," rather than the open mode, except where a workflow genuinely requires it.

The attacks described are local. An adversary has to be within wireless range — reported as roughly 10 to 30 meters — or on the same local network, without prior pairing, an existing contact relationship, or a shared Wi-Fi password. That narrows the realistic threat to shared physical spaces: open offices, conference venues, transit, and similar settings where many devices sit within radio range of a stranger. For teams maintaining a mobile-device program, that framing helps prioritize: the exposure is highest for staff who keep sharing wide open in crowded environments, and lowest for devices configured conservatively by policy.

It is also worth being precise about impact when communicating internally. The disclosed flaws are predominantly denial-of-service — they knock the sharing feature offline or force a crash — and the researchers say the issues primarily disrupt availability rather than expose stored files. The exception worth tracking is the Windows use-after-free, which the team flags as potentially exploitable beyond a crash. A measured defender message is that this is a posture-and-patching item for device fleets, not an active data-theft event, while leaving room to revise that read if a vendor advisory or follow-on research escalates any single flaw.

Patch Verification Across the Published Vendor Advisories

The patch picture is genuinely incomplete, and that is the part defenders most need to track. By the researchers' account, Apple has fixed one of the three reported AirDrop vulnerabilities in a software update and assigned it a CVE identifier, but the corresponding security advisory and CVE had not been published at disclosure time. The other two AirDrop issues reportedly remained in coordinated disclosure. That means a security team cannot yet map this work cleanly to a specific Apple advisory or build number for all three flaws.

On the Android and Windows side, the status differs by component. Google paid a bug-bounty reward for the Quick Share for Windows use-after-free and, according to the researchers, has landed a code fix, with its CVE still pending publication. The two Samsung Quick Share protocol flaws were handed upstream to Google and reportedly remain under investigation, meaning there was no confirmed fix for those two issues at the time of disclosure. The result is a cross-vendor patch matrix in which one item is fixed-and-CVE-assigned-but-undocumented, one is fixed-pending-CVE, and two are still open.

The defender takeaway is to treat this as a watch item rather than a single patch action. Until the Apple advisory and the Google CVE are published, the durable steps are the configuration controls already noted — managing AirDrop visibility mode and keeping managed devices current on OS updates — plus monitoring vendor security release notes for the identifiers as they appear. Teams that maintain a software inventory should be ready to map the CVEs to specific iOS, macOS, Windows, and Android or One UI builds once each vendor documents them, rather than assuming current patch levels already cover all six findings.

Open Questions

Several points remain genuinely unsettled, and the sensible approach is to act on what is confirmed without overstating the rest. The CVE identifiers are the clearest gap: at disclosure, the single Apple-assigned AirDrop CVE was not public, the Google Windows CVE was pending, and the two Samsung issues had no assigned identifiers or confirmed fixes. Anyone tracking this for a patch program should treat the specific CVE numbers and the exact patched build numbers as not-yet-confirmed and wait for the vendor advisories rather than inferring them.

A second open question is escalation potential. The researchers characterize most of the findings as denial-of-service and the protocol bypasses as availability-and-state issues, but they flag the Windows Quick Share use-after-free as potentially exploitable beyond a crash. Whether that bug — or the Samsung pre-authentication frame handling — is ever demonstrated as something more than a disruption is unconfirmed, and the prudent reading is to monitor for follow-on analysis rather than to assume a worst case now.

What is confirmed is enough to act on: a systematic, peer-style research disclosure covering six flaws across AirDrop and Quick Share, affecting protocols that ship on more than five billion Apple and Android devices, with local-proximity attack requirements, a primarily disruptive impact, and a partial cross-vendor fix status. The sensible posture is to manage proximity-sharing configuration on managed fleets now, keep devices on current OS builds, and track the Apple, Google, and Samsung advisories as the identifiers and patched versions are published.


Sources

Type | Source
Primary | Ale Ebrahim & Tippenhauer (CISPA) — Protocol Prying (arXiv preprint)
Reporting | The Hacker News
Reporting | Help Net Security
Reporting | 9to5Mac
Related | The CyberSignal — USBliter8: Apple A12/A13 BootROM Research
Related | The CyberSignal — Morpheus Android Spyware