Researchers at the CISPA Helmholtz Center for Information Security have uncovered six vulnerabilities in the AirDrop and Quick Share file-sharing protocols. Some of the flaws could allow nearby attackers to crash the services or interfere with file transfers, and one vulnerability could potentially lead to remote code execution.
Billions of devices are potentially affected. According to Apple, the sharingd service that powers AirDrop runs on more than 2.2 billion active devices. Meanwhile, Google says Quick Share is available on more than 3 billion Android devices, serving as the default file-sharing solution on Samsung smartphones and across the broader Android ecosystem.
To assess the security of these technologies, the researchers reverse-engineered both protocols from scratch and developed their own testing tools. Their analysis uncovered three vulnerabilities in AirDrop and three more in Quick Share.
The AirDrop flaws consist of three denial-of-service (DoS) vulnerabilities capable of crashing the service. In Quick Share, the researchers identified two flaws that allow manipulation of the connection establishment process, along with a use-after-free vulnerability in the Windows version. According to the researchers, the latter could potentially be exploited to achieve remote code execution.
An attacker must be within approximately 10 to 30 meters of the target device to exploit the flaws. However, in crowded environments, a single attacker could theoretically interact with hundreds of nearby devices at once. Exploiting the AirDrop vulnerabilities also requires the target device to be set to the “Everyone for 10 Minutes” discovery mode.
All of the discovered vulnerabilities were responsibly disclosed to Apple, Google, and Samsung. The companies have acknowledged the findings and are working on security updates.
However, the researchers argue that the issue extends beyond these individual bugs. In their view, proximity-based file-sharing protocols expose a broad range of security risks rather than suffering from a single dominant vulnerability.
“Both protocols expose pre-authentication attack surfaces from wireless proximity and exhibit insufficient input validation at the application layer,” the researchers said.
As part of their analysis, the team reconstructed AirDrop’s entire seven-layer architecture without access to Apple’s source code. The protocol stack includes Bluetooth Low Energy for device discovery, Apple Wireless Direct Link (AWDL), TLS encryption, HTTP transport, encoding, compression, and file packaging.
The researchers also developed their own protocol-aware fuzzer called AirFuzz, consisting of roughly 12,000 lines of code. The tool automatically mutates valid requests and tests the protocol for crashes and unexpected behavior.
Using AirFuzz, the team discovered two zero-click pre-authentication vulnerabilities and one additional vulnerability that can be triggered after an AirDrop request is accepted.
The first flaw allows a single HTTP POST request to immediately crash the sharingd service, which is responsible not only for AirDrop but also for AirPlay, Handoff, Universal Clipboard, and Continuity Camera on macOS and iOS.
The second vulnerability is triggered by specially crafted XML property lists that cause a stack overflow during parsing.
Researchers warn that this flaw affects more than just sharingd. Because it also impacts Foundation.framework, any Apple application that deserializes untrusted XML property lists could potentially be vulnerable. The issue affects macOS, iOS, watchOS, tvOS, and visionOS.
The third AirDrop bug involves malformed HTTP requests containing duplicate or conflicting headers. Apple’s HTTP/1.1 parser fails to reject these requests, enters an inconsistent state, and attempts to access a nonexistent object, resulting in a segmentation fault. According to the researchers, similar bugs can sometimes be developed into code execution exploits.
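The mitigation for this class of bug is to refuse ambiguous requests before any handler sees them. The following is an added example, not code from the researchers or from Apple; the singleton-header policy, the limits, and the sample requests are assumptions constructed for illustration.

```python
# Strict validation of an HTTP/1.1 request head: duplicate or conflicting
# framing headers are rejected outright instead of being parsed "somehow".
SINGLETON = {"host", "content-length", "content-type", "transfer-encoding"}
MAX_HEADERS, MAX_LINE = 64, 8192  # assumed limits

class RejectRequest(ValueError):
    """The request must be refused before it reaches a handler."""

def validate_head(raw: bytes) -> dict:
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RejectRequest("incomplete header block")
    request_line, *header_lines = head.split(b"\r\n")
    if len(request_line.split(b" ")) != 3:
        raise RejectRequest("malformed request line")
    if len(header_lines) > MAX_HEADERS:
        raise RejectRequest("too many headers")
    headers = {}
    for line in header_lines:
        if len(line) > MAX_LINE or line[:1] in (b" ", b"\t"):
            raise RejectRequest("oversized or folded header line")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip() or not name.isascii():
            raise RejectRequest("malformed header field")
        key, val = name.decode("ascii").lower(), value.strip().decode("latin-1")
        if key in headers:
            if key in SINGLETON:
                raise RejectRequest("duplicate " + key)
            val = headers[key] + ", " + val  # list-valued headers may repeat
        headers[key] = val
    if "content-length" in headers and "transfer-encoding" in headers:
        raise RejectRequest("conflicting content-length and transfer-encoding")
    length = headers.get("content-length", "0")
    if not (length.isascii() and length.isdigit()):
        raise RejectRequest("non-numeric content-length")
    return headers

def verdict(raw: bytes) -> str:
    try:
        validate_head(raw)
        return "accept"
    except RejectRequest as exc:
        return "reject: " + str(exc)

# Constructed sample requests (hypothetical path and host).
BASE = b"POST /upload HTTP/1.1\r\nHost: receiver.local\r\nContent-Length: 4\r\n"
GOOD = BASE + b"\r\nbody"
DUP = BASE + b"Content-Length: 40\r\n\r\nbody"
CONFLICT = BASE + b"Transfer-Encoding: chunked\r\n\r\nbody"
```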
The team also reverse-engineered Quick Share on a Samsung Galaxy S23 Ultra running Android 16, as well as the Windows implementation.
Their analysis showed that Quick Share processes certain commands before authentication is complete, allowing an attacker to keep unwanted Quick Share sessions active.
In addition, an attacker positioned on the same Wi-Fi network can inject unencrypted control frames into an active Quick Share transfer, effectively bypassing part of the protocol’s encryption protections.
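Both Quick Share connection flaws come down to a receiver acting on frames it has no reason to trust yet. The following is an added example of a receiver that gates on session state and frame authenticity, not Quick Share's own code; the frame names are hypothetical, the session key is assumed to come from an authenticated handshake outside the sketch, and HMAC-SHA256 tagging stands in for the protocol's authenticated encryption.

```python
import hashlib
import hmac
from enum import Enum, auto

class State(Enum):
    CONNECTED = auto()      # transport is up, peer not yet authenticated
    AUTHENTICATED = auto()  # handshake finished, session key in use
    CLOSED = auto()

# Hypothetical frame names; the real frame types are not given in the article.
PRE_AUTH = {"HANDSHAKE"}
POST_AUTH = {"KEEP_ALIVE", "CONTROL", "PAYLOAD"}

def seal(key: bytes, seq: int, ftype: str, body: bytes) -> bytes:
    """Tag a frame over its sequence number, type and body."""
    msg = seq.to_bytes(8, "big") + ftype.encode() + b"\x00" + body
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, session_key: bytes):
        self.key, self.state, self.seq = session_key, State.CONNECTED, 0

    def _close(self, reason: str) -> str:
        self.state = State.CLOSED
        return "closed: " + reason

    def handle(self, ftype, body=b"", tag=None, handshake_ok=False) -> str:
        if self.state is State.CLOSED:
            return "dropped: session closed"
        if self.state is State.CONNECTED:
            # Nothing but the handshake is processed before authentication,
            # so a stray keep-alive cannot hold the session open.
            if ftype not in PRE_AUTH:
                return self._close("command before authentication")
            if not handshake_ok:
                return self._close("handshake failed")
            self.state = State.AUTHENTICATED
            return "accepted"
        if ftype not in POST_AUTH:
            return self._close("unexpected frame type")
        expected = seal(self.key, self.seq, ftype, body)
        if tag is None or not hmac.compare_digest(tag, expected):
            # Dropped rather than closed, so an injected frame cannot be
            # used to tear down a legitimate transfer.
            return "dropped: unauthenticated frame"
        self.seq += 1
        return "accepted"
```

Binding the tag to a sequence number also means a frame captured earlier in the session fails verification when it is replayed.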
The Windows version of Quick Share was also found to contain a use-after-free vulnerability caused by a race condition. The researchers believe it could potentially be turned into a full remote code execution exploit, and the discovery earned them a bug bounty reward.
The researchers acknowledge that their work did not cover every aspect of AirDrop and Quick Share, meaning additional vulnerabilities could still be discovered in the future.
Ultimately, they conclude that proximity-based file-sharing protocols represent a broader class of structural security weaknesses. Regardless of the implementation, the same patterns continue to emerge, including insufficient authentication, weak input validation, and concurrency issues in network endpoint management.