Researchers Disclose AirDrop and Quick Share Flaws Affecting Five Billion Devices
Two researchers mapped the proximity-sharing protocols behind AirDrop and Quick Share and found six flaws spanning five billion Apple and Android devices, with vendor fixes only partly shipped.
SAARBRÜCKEN, GERMANY — Researchers on June 30, 2026 published the first side-by-side analysis of the wireless protocols behind Apple's AirDrop and Android's Quick Share, disclosing six vulnerabilities in the proximity file-sharing services that ship on an ecosystem of more than five billion active Apple and Android devices. The work, carried out by Arash Ale Ebrahim and Nils Ole Tippenhauer of Germany's CISPA Helmholtz Center for Information Security, reportedly found three denial-of-service flaws that crash AirDrop, two protocol bypasses in Samsung's Quick Share implementation, and one memory-corruption bug in Google's Quick Share for Windows. Vendor fixes are under way but only partly shipped.
The disclosure is a research-driven cross-platform story rather than a breach: the reported flaws primarily knock the sharing services offline or sidestep internal checks rather than expose user files, and the attacks are local, requiring an adversary to be within wireless range of a target. But the scope is unusual. Proximity sharing is built into the default software stack of nearly every modern iPhone, Mac, and Android phone, which puts the findings squarely in front of any team responsible for a mixed device fleet and its mobile security posture.
At a Glance

| Field | Details |
|---|---|
| Protocols | Apple AirDrop; Android / Samsung Quick Share; Google Quick Share for Windows |
| Vendors | Apple, Google, Samsung |
| CVEs | Not yet public — one AirDrop CVE assigned by Apple; Windows CVE pending |
| Impact | Pre-auth crashes (DoS); Samsung session / encryption bypass; one potentially exploitable Windows use-after-free |
| Affected scale | Protocols span 5 billion+ active Apple and Android devices; tested bugs hit specific implementations and versions |
| Patch status | Partial — one AirDrop bug fixed; Windows fix landed; two Samsung bugs under investigation |
| Disclosed | June 30, 2026 — CISPA Helmholtz Center for Information Security |
What the Research Disclosed
The study, titled "Protocol Prying: Systematic Vulnerability Research in the Apple AirDrop and Android Quick Share Proximity Transfer Protocols," is the first to examine both stacks side by side. According to the researchers, AirDrop and Quick Share rely on a similar two-stage design: a short-range radio such as Bluetooth Low Energy handles device discovery and wake-up, and a Wi-Fi-based link carries the actual transfer. On the Apple side, that link is Apple Wireless Direct Link, a proprietary ad-hoc Wi-Fi protocol. The team reverse-engineered how these services negotiate and exchange data, then probed the resulting protocol surface for parsing and state-machine errors.
On AirDrop, the researchers reported three pre-authentication denial-of-service issues. One reportedly causes the "sharingd" service to shut down when it receives an unexpected web request; a second involves deeply nested XML property-list files that can exhaust stack space in Foundation, Apple's core software framework; and a third uses malformed request headers to crash Apple's system HTTP parser in Network.framework. The team said it reproduced the crashes on macOS 15.7.4, macOS 26.3, and current iOS 18 and iOS 26.3 builds, while an older iOS 16 build was not affected. Notably, the AirDrop issues are reachable when a device is in the most permissive "Everyone for 10 Minutes" mode, in which the sharing service's interface is exposed without authentication.
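The nested property-list crash described above is a recursion-depth problem, and the usual defence is to bound nesting before any recursive parser touches unauthenticated input. The following is an added example, not code from the researchers or from Apple; the limits `MAX_DEPTH` and `MAX_BYTES`, the function names and the sample input are assumptions made for illustration.

```python
import plistlib
from xml.parsers import expat

MAX_DEPTH = 64        # assumed policy limit, not a value from the research
MAX_BYTES = 1 << 20   # assumed cap on an unauthenticated request body


class PlistRejected(ValueError):
    """Raised when an untrusted plist violates the pre-parse limits."""


def check_plist_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Stream the XML once and return its maximum element depth.

    expat reports tags through callbacks, so nesting is tracked with an
    integer counter and never with recursion driven by the input.
    """
    if len(data) > MAX_BYTES:
        raise PlistRejected("body larger than MAX_BYTES")
    depth = deepest = 0

    def start(_name, _attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise PlistRejected(f"nesting exceeds {max_depth} levels")

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise PlistRejected(f"malformed XML: {exc}") from exc
    return deepest


def load_untrusted_plist(data: bytes):
    """Run the bounded check first, then hand the bytes to the real parser."""
    check_plist_depth(data)
    return plistlib.loads(data, fmt=plistlib.FMT_XML)


def constructed_plist(levels: int) -> bytes:
    """Constructed sample input: `levels` nested <array> elements."""
    body = "<array>" * levels + "</array>" * levels
    return f'<plist version="1.0">{body}</plist>'.encode()
```

The check aborts at the first element past the limit, so the cost of rejecting an over-nested document is bounded by the limit rather than by the document's size.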
On the Quick Share side, the researchers reported two protocol-layer flaws in Samsung's implementation and one memory-corruption bug in Google's Quick Share for Windows. The Samsung issues reportedly let an attacker drive the connection forward before authentication completes — the implementation dispatches application frames ahead of the standard key exchange — and bypass device-to-device encryption for certain frame types. The Windows flaw is a heap use-after-free that the researchers describe as potentially exploitable beyond a simple crash; Google awarded a bug-bounty payout for that report. Across all six findings, the dominant effect is disruption of the sharing service rather than disclosure of user data.
Defender Posture for Organizations Managing Apple and Android Device Fleets
For most organizations, the practical reading of this disclosure is not panic but inventory. Proximity sharing is a default feature, and the relevant question for a security team is where it is enabled, in what mode, and on which managed devices. Because the AirDrop crashes are reachable specifically in the "Everyone for 10 Minutes" visibility mode, the most direct mitigation available today is a policy one: ensure that managed Apple devices default to "Contacts Only" or "Receiving Off," rather than the open mode, except where a workflow genuinely requires it.
The attacks described are local. An adversary has to be within wireless range — reported as roughly 10 to 30 meters — or on the same local network, without prior pairing, an existing contact relationship, or a shared Wi-Fi password. That narrows the realistic threat to shared physical spaces: open offices, conference venues, transit, and similar settings where many devices sit within radio range of a stranger. For teams maintaining a mobile-device program, that framing helps prioritize: the exposure is highest for staff who keep sharing wide open in crowded environments, and lowest for devices configured conservatively by policy.
It is also worth being precise about impact when communicating internally. The disclosed flaws are predominantly denial-of-service — they knock the sharing feature offline or force a crash — and the researchers say the issues primarily disrupt availability rather than expose stored files. The exception worth tracking is the Windows use-after-free, which the team flags as potentially exploitable beyond a crash. A measured defender message is that this is a posture-and-patching item for device fleets, not an active data-theft event, while leaving room to revise that read if a vendor advisory or follow-on research escalates any single flaw.
Patch Verification Across the Published Vendor Advisories
The patch picture is genuinely incomplete, and that is the part defenders most need to track. By the researchers' account, Apple has fixed one of the three reported AirDrop vulnerabilities in a software update and assigned it a CVE identifier, but neither the corresponding security advisory nor the CVE had been published at disclosure time. The other two AirDrop issues reportedly remained in coordinated disclosure. That means a security team cannot yet map this work cleanly to a specific Apple advisory or build number for all three flaws.
On the Android and Windows side, the status differs by component. Google paid a bug-bounty reward for the Quick Share for Windows use-after-free and, according to the researchers, has landed a code fix, with its CVE still pending publication. The two Samsung Quick Share protocol flaws were handed upstream to Google and reportedly remain under investigation, meaning no confirmed fix for those two issues at the time of disclosure. The result is a cross-vendor patch matrix in which one item is fixed-and-CVE-assigned-but-undocumented, one is fixed-pending-CVE, and two are still open.
The defender takeaway is to treat this as a watch item rather than a single patch action. Until the Apple advisory and the Google CVE are published, the durable steps are the configuration controls already noted — managing AirDrop visibility mode and keeping managed devices current on OS updates — plus monitoring vendor security release notes for the identifiers as they appear. Teams that maintain a software inventory should be ready to map the CVEs to specific iOS, macOS, Windows, and Android or One UI builds once each vendor documents them, rather than assuming current patch levels already cover all six findings.
Open Questions
Several points remain genuinely unsettled, and the sensible approach is to act on what is confirmed without overstating the rest. The CVE identifiers are the clearest gap: at disclosure, the single Apple-assigned AirDrop CVE was not public, the Google Windows CVE was pending, and the two Samsung issues had no assigned identifiers or confirmed fixes. Anyone tracking this for a patch program should treat the specific CVE numbers and the exact patched build numbers as not-yet-confirmed and wait for the vendor advisories rather than inferring them.
A second open question is escalation potential. The researchers characterize most of the findings as denial-of-service and the protocol bypasses as availability-and-state issues, but they flag the Windows Quick Share use-after-free as potentially exploitable beyond a crash. Whether that bug — or the Samsung pre-authentication frame handling — is ever demonstrated as something more than a disruption is unconfirmed, and the prudent reading is to monitor for follow-on analysis rather than to assume a worst case now.
What is confirmed is enough to act on: a systematic, peer-style research disclosure covering six flaws across AirDrop and Quick Share, affecting protocols that ship on more than five billion Apple and Android devices, with local-proximity attack requirements, a primarily disruptive impact, and a partial cross-vendor fix status. The sensible posture is to manage proximity-sharing configuration on managed fleets now, keep devices on current OS builds, and track the Apple, Google, and Samsung advisories as the identifiers and patched versions are published.
Sources
| Type | Source |
|---|---|
| Primary | Ale Ebrahim & Tippenhauer (CISPA) — Protocol Prying (arXiv preprint) |
| Reporting | The Hacker News |
| Reporting | Help Net Security |
| Reporting | 9to5Mac |
| Related | The CyberSignal — USBliter8: Apple A12/A13 BootROM Research |
| Related | The CyberSignal — Morpheus Android Spyware |