AirDrop Vulnerabilities Expose Apple’s Nearby Sharing Risk

AirDrop vulnerabilities found by CISPA researchers can crash nearby sharing services on iPhone and Mac, with Apple still working on fixes.

AirDrop vulnerabilities discovered by security researchers show how risky nearby file-sharing systems can become when they listen for devices before users approve anything. The new research, titled “Protocol Prying,” found three pre-authentication vulnerabilities in Apple’s AirDrop implementation affecting iPhone and Mac, along with related flaws in Android’s Quick Share ecosystem.

The research was conducted by Arash Ale Ebrahim and Nils Ole Tippenhauer at the CISPA Helmholtz Center for Information Security. Their work examined AirDrop and Google/Samsung Quick Share, two proximity file-transfer systems used across more than five billion devices. Both services are designed for convenience: a user can send files to a nearby phone or computer without a cable, account exchange, or shared Wi-Fi network.

That convenience creates a large security surface. The researchers found that a nearby attacker with a laptop and Wi-Fi hardware could interact with early protocol stages from roughly 10 to 30 meters away. No pairing, shared network, or contact relationship is required. On Apple devices set to receive from “Everyone,” AirDrop responds before any user prompt appears.

The current AirDrop flaws are not described as data-theft bugs. The main practical impact is denial of service: an attacker can crash Apple’s sharing daemon and temporarily disable AirDrop and related Continuity features while the attack continues. Apple has fixed one reported AirDrop issue, but the remaining Apple reports are still under coordinated disclosure and do not yet have public CVE assignments.

AirDrop Vulnerabilities Target Apple’s Sharing Daemon

AirDrop vulnerabilities in the CISPA research focus on sharingd, the background daemon that supports AirDrop on iOS and macOS. That daemon is also tied to other Apple features, including AirPlay, Handoff, Universal Clipboard, and Continuity Camera. When sharingd crashes, those services can be affected together.

That is why the flaws matter even if they do not steal files. A nearby attacker could make important Apple continuity features stop working temporarily. In testing described by Help Net Security, legitimate connection attempts failed while the attack was running and succeeded again after it stopped.

The three Apple findings are technical, but their effects are easier to understand. One issue involved a Swift fatalError in the HTTP path router. A request to an unexpected path could abort the whole process. Another involved unbounded XML property list recursion in Foundation, where deeply nested data could exhaust the thread stack. A third involved a null pointer dereference in Network.framework’s HTTP/1.1 parser.

In plain language, AirDrop and related services were processing attacker-controlled input early enough that malformed data could crash the service. That is the core security concern with proximity protocols. They must be open enough to discover nearby devices quickly, but closed enough to avoid letting strangers trigger fragile code paths.
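As an added illustration (not code from Apple or the CISPA researchers), the Python sketch below shows the defensive counterpart to two of the bug classes described above: an unknown request path becomes an ordinary error response instead of a process abort, and XML nesting is bounded before any objects are built. The route name, limits and sample inputs are assumptions made for this example.

```python
import plistlib
from xml.parsers import expat

MAX_DEPTH = 32         # assumed cap; set to the deepest legitimate message
MAX_BODY = 64 * 1024   # assumed size cap for unauthenticated requests

class Rejected(Exception):
    """Input refused by policy: the caller answers with an error and keeps running."""

def check_depth(xml_bytes, limit=MAX_DEPTH):
    """Stream the document through expat; stop once nesting exceeds the limit."""
    depth = 0
    def start(_name, _attrs):
        nonlocal depth
        depth += 1
        if depth > limit:
            raise Rejected(f"nesting deeper than {limit}")
    def end(_name):
        nonlocal depth
        depth -= 1
    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise Rejected(f"malformed XML: {exc}") from exc

def handle_hello(body):
    check_depth(body)                  # bound nesting before building objects
    return 200, plistlib.loads(body, fmt=plistlib.FMT_XML)

ROUTES = {"/hello": handle_hello}      # hypothetical route name
def serve(path, body):
    handler = ROUTES.get(path)
    if handler is None:
        return 404, None               # unknown path is a normal error, not an abort
    if len(body) > MAX_BODY:
        return 413, None
    try:
        return handler(body)
    except (Rejected, ValueError) as exc:
        return 400, str(exc)
    except Exception:                  # handler bug: fail this request only
        return 500, None

# Constructed sample inputs for this example
VALID = b'<plist version="1.0"><dict><key>name</key><string>demo</string></dict></plist>'
DEEP = b"<plist>" + b"<array>" * 1000 + b"</array>" * 1000 + b"</plist>"
```

The depth check runs as a streaming pass, so a rejected document is refused at the first element past the limit rather than after it has been fully parsed.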

The researchers built AIRFUZZ, a protocol-aware fuzzer designed for AirDrop. Instead of only throwing random data at the service, it reconstructed parts of AirDrop’s state machine and tested more realistic protocol behavior. That helped reach code paths that ordinary fuzzing may miss.

Apple Has Started Fixing, but Not Finished

Apple has acknowledged the reports, according to the researchers. One AirDrop bug has been fixed in a software update and assigned a CVE identifier, but the public advisory has not yet been released. The other Apple reports remain under coordinated disclosure.

That means users should not assume the entire issue is resolved. It also means details may remain limited until Apple publishes advisories and completes fixes. Coordinated disclosure usually gives vendors time to patch before full technical details are tied to public identifiers.

For everyday users, the risk appears limited but real. These AirDrop flaws are proximity-based. An attacker must be nearby. The reported Apple impact is service disruption, not confirmed file theft or device takeover. Still, an attack that disables AirDrop, Handoff, Universal Clipboard, Continuity Camera, or AirPlay could be disruptive in offices, conferences, schools, airports, public transit, and other crowded environments.

The safest immediate step is to avoid leaving AirDrop open to everyone unless needed. Apple already provides a time-limited “Everyone for 10 Minutes” option, which reduces the chance that AirDrop remains broadly discoverable by accident.

To check AirDrop receiving settings on iPhone:

Settings > General > AirDrop

To check AirDrop receiving settings on Mac:

Control Center > AirDrop

Users can choose Receiving Off, Contacts Only, or Everyone for 10 Minutes. Contacts Only is the better default for most people. Everyone for 10 Minutes should be used only when sharing with someone outside Contacts, then allowed to expire.

Quick Share Shows This Is Not Only Apple’s Problem

The research also found three vulnerabilities in Quick Share across Samsung and Google implementations. Two were protocol-layer flaws in Samsung Quick Share. One allowed pre-authentication frame processing before the UKEY2 handshake was complete. Another allowed certain post-handshake frame types to be processed without the required encryption wrapper.

The third Quick Share issue affected Google’s Quick Share for Windows and involved a heap use-after-free bug. Google awarded a bounty for the finding, and a code fix has landed, though a public CVE assignment was still pending when Help Net Security reported the disclosure status.

This Android and Windows comparison is important because it shows the issue is architectural, not only an Apple mistake. Nearby sharing features require devices to be discoverable and responsive before the user fully trusts the other party. They parse complex data formats from unfamiliar devices. They run inside privileged services. They must balance speed, ease, authentication, encryption, and user prompts.

That combination is difficult to secure. Apple, Google, and Samsung use different implementations, yet the researchers found similar classes of problems: fragile parsing, pre-authentication exposure, inconsistent security checks, and state-machine complexity.

The lesson is not that users should stop using AirDrop or Quick Share. It is that proximity sharing should be treated like a real network-facing surface, not a harmless convenience feature.

Why Pre-Authentication Code Is Sensitive

Pre-authentication code is risky because it runs before a device has fully verified who is talking to it. AirDrop and Quick Share need some early communication so devices can appear nearby and start a transfer flow. But every parser, router, frame handler, archive reader, or HTTP component reachable at that stage becomes a potential target.

The researchers described AirDrop and Quick Share as processing complex serialized content, including binary property lists, CPIO archives, Protocol Buffers, and handshake data. Those formats are powerful, but they also give fuzzers and attackers many ways to test edge cases.

A safe design tries to minimize what is reachable before authentication. It also centralizes security checks so individual handlers cannot forget to validate a state, encryption requirement, or session boundary. The CISPA research argues that future proximity protocols should enforce authentication and encryption at a dispatcher or framework boundary, reduce privileged pre-authentication code, and use protocol-aware fuzzing as part of standard development.

Those recommendations matter because traditional app security testing may not catch these flaws. A nearby-sharing protocol is not just a file parser. It is a stateful conversation between devices, with discovery, identity, negotiation, preview, acceptance, transfer, and cleanup. Bugs can appear in the transitions between those stages.
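The dispatcher-boundary enforcement recommended above can be sketched as follows. This is an added Python example, not code from AirDrop, Quick Share or the CISPA paper; the frame type names, states and stand-in handlers are hypothetical. Every frame passes through one policy table that checks session state and the encryption requirement before any handler runs, so an individual handler cannot forget the check.

```python
from enum import IntEnum

class State(IntEnum):
    DISCOVERED = 0      # peer seen, nothing verified
    HANDSHAKING = 1     # key exchange in progress
    AUTHENTICATED = 2   # handshake complete, session keys in place

# One policy table: frame type -> (states where it is legal, must be encrypted).
# Frame type names are hypothetical, not taken from AirDrop or Quick Share.
POLICY = {
    "HELLO":        ({State.DISCOVERED}, False),
    "KEY_EXCHANGE": ({State.HANDSHAKING}, False),
    "PAYLOAD":      ({State.AUTHENTICATED}, True),
}

class Session:
    def __init__(self):
        self.state = State.DISCOVERED
        self.received = []

class Dispatcher:
    def __init__(self):
        self.handlers = {}
    def register(self, frame_type, handler):
        if frame_type not in POLICY:   # a handler cannot exist without a policy row
            raise ValueError(f"no policy for {frame_type}")
        self.handlers[frame_type] = handler

    def dispatch(self, session, frame_type, payload, encrypted):
        """`encrypted` is set by the transport after it has verified and removed
        the encryption wrapper; it is never read from the frame itself."""
        handler = self.handlers.get(frame_type)
        if handler is None:
            return "drop: unknown frame type"
        states, needs_encryption = POLICY[frame_type]
        if session.state not in states:
            return "drop: not allowed in state " + session.state.name
        if needs_encryption and not encrypted:
            return "drop: encryption wrapper required"
        handler(session, payload)
        return "ok"

def build_dispatcher():
    d = Dispatcher()
    d.register("HELLO", lambda s, p: setattr(s, "state", State.HANDSHAKING))
    # Stand-in for a real handshake, which would verify the peer before advancing.
    d.register("KEY_EXCHANGE", lambda s, p: setattr(s, "state", State.AUTHENTICATED))
    d.register("PAYLOAD", lambda s, p: s.received.append(p))
    return d
```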

Apple’s Broader Continuity Risk

AirDrop is part of a larger Apple continuity experience. Users rely on AirDrop for quick file transfers, Handoff for moving work between devices, Universal Clipboard for copying across Mac and iPhone, Continuity Camera for using iPhone as a Mac camera, and AirPlay for wireless media. These features help Apple devices feel connected.

That integration is also why a crash in sharingd can affect multiple features. Apple’s system design gives users a smooth experience, but shared infrastructure can create shared failure points. A denial-of-service bug in one part of the stack may interrupt more than the feature a user expected.

For Apple, the fix is not only patching three bugs. It is hardening the architecture around nearby discovery and transfer. AirDrop has been one of Apple’s most beloved convenience features, and Google’s 2025 move to make Quick Share interoperate with AirDrop on Pixel devices made proximity sharing even more visible. As cross-platform sharing grows, the security expectations get higher.

Users increasingly expect file sharing to work instantly across phones and computers. Attackers see the same convenience as reachable code.

What Users Should Do Now

The most important advice is to keep iPhone, iPad, and Mac updated. Apple has already been accelerating security updates because AI-assisted vulnerability analysis can shorten the time attackers need to study patches and build tools. Even when an AirDrop advisory is not public yet, staying current is the best defense against fixes Apple has already shipped.

To update iPhone or iPad:

Settings > General > Software Update

To update Mac:

Apple menu > System Settings > General > Software Update

Users should also limit AirDrop discoverability. Contacts Only is safer than Everyone for 10 Minutes, and Receiving Off is appropriate when AirDrop is not needed. In crowded places, reducing discoverability lowers unnecessary exposure to strangers nearby.

For higher-risk users, such as journalists, executives, political workers, activists, government employees, and people traveling through sensitive environments, leaving AirDrop off by default is a reasonable precaution. AirDrop can be turned back on when needed.

This does not mean AirDrop is unsafe for normal use. It means the default should match the situation. AirDrop is useful at home, in an office, or with trusted contacts. It is less necessary to leave it reachable in a public venue full of unknown devices.

A Reminder That Convenience Has a Security Cost

The AirDrop vulnerabilities are not the kind of flaw that should make ordinary users panic. The reported Apple bugs do not appear to expose files, and Apple is already working through fixes. The attack requires proximity, and service crashes stop when the attack stops.

Still, the research is a warning. AirDrop, Quick Share, and similar systems feel local and friendly, but they are wireless protocols that process data from strangers nearby. They deserve the same engineering scrutiny as other exposed services.

Apple’s advantage is that it can patch iOS, iPadOS, and macOS at scale. Its challenge is making proximity features safer without making them slow, confusing, or unreliable. AirDrop works because it is almost effortless. Security improvements must preserve that ease while reducing what unknown devices can reach before a user approves a transfer.

The best version of AirDrop remains fast, private, and simple. The CISPA research shows why it also needs to be more defensively designed at the protocol level.

Jack
About the Author

Jack is a journalist at AppleMagazine, covering technology, digital culture, and the fast-changing relationship between people and platforms. With a background in digital media, his work focuses on how emerging technologies shape everyday life, from AI and streaming to social media and consumer tech.