Security researchers at the CISPA Helmholtz Center for Information Security have found six vulnerabilities across Apple AirDrop and Google/Samsung Quick Share, putting a spotlight on a quiet but important part of everyday device security: the file-sharing services that wake up when another phone or laptop is nearby.
The flaws do not mean that every iPhone or Android phone can be remotely taken over from across the internet. The attack model is local. A nearby attacker needs to be within wireless range, typically about 10 to 30 meters, and the victim device has to expose the relevant sharing surface, such as AirDrop set to receive from everyone or Quick Share visible to nearby devices. In that window, however, the research shows that file-sharing protocols can process complex unauthenticated traffic before the user has accepted a transfer.
That is why the findings are still worth attention. AirDrop and Quick Share are designed to feel frictionless in airports, classrooms, offices, conferences, transit hubs, and living rooms. Those are also exactly the places where a stranger with a laptop can be close enough to prod exposed devices without pairing, logging in, or convincing the target to tap a prompt.
What the researchers found
The CISPA paper, posted to arXiv on June 25, examines the application-layer security of Apple AirDrop and Android Quick Share. The researchers, Arash Ale Ebrahim and Nils Ole Tippenhauer, reverse engineered AirDrop’s protocol stack, built a protocol-aware fuzzer called AirFuzz, and manually analyzed Samsung’s Quick Share service and Google’s Quick Share for Windows.
On AirDrop, they found three pre-authentication issues affecting macOS and iOS. One is a denial-of-service flaw in the HTTP path router inside Apple’s sharing stack. Another involves unbounded XML property-list recursion in Foundation. A third is a null-pointer dereference in Network.framework’s HTTP/1.1 parsing. In practical terms, the paper describes ways a nearby attacker could crash AirDrop-related services on devices exposed to everyone, including before the victim sees a file-transfer request.
The Apple side matters beyond AirDrop itself because the relevant privileged daemon, sharingd, also supports other Continuity features. The paper notes that a crash can temporarily disrupt services such as AirPlay, Handoff, Universal Clipboard, Continuity Camera, NameDrop, and SharePlay, depending on the affected system behavior. That is not the same as data theft, but it is a reminder that a background convenience service can become a broader reliability target.
On Quick Share, the researchers found three additional issues. Two are in Samsung’s Android Quick Share path: a pre-authentication OfflineFrame processing bypass that can allow protocol interaction before the UKEY2 handshake finishes, and a device-to-device encryption bypass in which three of seven post-handshake frame types are processed without the expected SecureMessage encryption wrapper. The third is a heap use-after-free in Google Quick Share for Windows related to an endpoint collision race condition. The paper describes the Windows issue as potentially leading to remote code execution and says Google awarded a bounty for it.
Why this is not just a phone setting problem
Nearby sharing works because devices agree to listen before they know who is asking. Bluetooth Low Energy is commonly used for discovery, while Wi-Fi Direct, AWDL, temporary Wi-Fi connections, or related paths handle higher-throughput transfer. That setup creates an unusually exposed moment: the device has to parse structured messages from a nearby stranger before a familiar trust relationship exists.
AirDrop and Quick Share are different systems, but the research points to a shared design pressure. Both stacks need to handle rich file-transfer metadata, device discovery, session setup, and user consent quickly enough that the feature feels instant. The CISPA findings show how dangerous it can be when complex parsers, state machines, authentication handshakes, and encryption checks are distributed across many layers instead of being enforced at a single hard boundary before any sensitive processing happens.
The Android side is especially interesting because Quick Share is no longer a niche utility. It is Google’s cross-platform sharing feature for Android, ChromeOS, and Windows, and Samsung has deeply integrated it into Galaxy devices. The research focused on Samsung Android and Google Quick Share for Windows, so it does not prove that every Android manufacturer has the same vulnerable paths. It does show why Quick Share’s shared protocol and OEM-specific implementations deserve closer review as cross-platform file sharing expands.
The Windows finding also fits a longer pattern. SafeBreach researchers previously disclosed Quick Share for Windows attack chains, and the new CISPA paper cites that work while describing a fresh endpoint-management race condition. Desktop companion apps can look harmless because they exist to receive files, but they often run continuously, maintain network listeners, and bridge phones to PCs that may hold more valuable documents and credentials than the phone itself.
Patch status is still mixed
The researchers say they responsibly disclosed all six vulnerabilities to Apple, Samsung, and Google. In the paper’s disclosure section, Apple is listed as having acknowledged the three AirDrop issues, with fixes in progress and no CVE identifiers assigned at the time of writing. Samsung transferred the two Quick Share Android cases to Google after determining that the affected paths came from Google’s Nearby/Quick Share components shipped to Samsung. Google acknowledged the Windows Quick Share use-after-free, awarded a bounty, and was still investigating the Android Quick Share issues described as V4 and V5.
Public reporting since the disclosure suggests fixes have begun but are not uniform across every issue and platform. Tom’s Guide reported that Apple had patched one of the three AirDrop bugs and that Google had addressed the Windows Quick Share client, while additional fixes remained in progress. Help Net Security and The Hacker News also framed the issue around local crash, bypass, and Windows client risk rather than confirmed mass exploitation.
That partial status is important for readers. Updating phones, Macs, Windows PCs, and Quick Share clients is necessary, but settings still matter because some exposure depends on whether a device is discoverable to strangers nearby. A fully patched device is the goal; a less discoverable device has a smaller attack surface while vendors finish and distribute fixes.
What to change on your devices
For iPhone, iPad, and Mac users, the simplest protection is to avoid leaving AirDrop open to everyone. Apple’s current iPhone and iPad setting limits everyone-mode to 10 minutes, but the research notes that the exposed window still exists during those 10 minutes, and macOS behavior is not identical. Keep AirDrop set to Contacts Only or Receiving Off unless you are actively expecting a transfer from someone nearby.
For Android users, review Quick Share visibility. Keep sharing limited to your own devices or contacts where possible, and do not leave the device broadly visible in public places. Galaxy owners should watch for Google Play services, system, and Samsung software updates because the affected Android path may arrive through system components rather than a single obvious app update.
For Windows users with Google’s Quick Share installed, update the Quick Share app and avoid running outdated builds on laptops that travel through conferences, offices, schools, or airports. If you rarely use Quick Share on Windows, disabling it or removing the app is a reasonable way to reduce exposed listener surface.
Organizations should treat proximity sharing as part of endpoint policy, not just a user preference. Managed device baselines can restrict AirDrop and Quick Share settings, especially on executive laptops, developer machines, healthcare devices, school fleets, and systems used in high-density public environments. Security teams should also include nearby-sharing services in incident triage when users report repeated sharing failures, Continuity crashes, or unexpected Quick Share behavior after being in a crowded location.
The practical lesson is not that AirDrop and Quick Share are unsafe to use. It is that convenient local discovery creates a real attack surface, and that surface grows whenever file-sharing systems become more interoperable across phones, tablets, Macs, Android devices, and Windows PCs. Nearby sharing should be temporary, patched, and intentionally visible only when someone actually needs it.