Apple’s AirDrop technology could leak users’ phone numbers and email addresses, according to researchers who say they first notified Apple of the vulnerability in 2019. AirDrop is Apple’s own wireless technology used to share files such as photos and video wireless via iOS, iPadOS and macOS devices and was introduced in 2011. It uses Wi-Fi and Bluetooth to establish wireless connections and file sharing. However, the cross-authentication mechanism used by AirDrop can be misused to steal a user’s phone number and email address.
Researchers from the German Technical University in Darmstadt have found a vulnerability that could affect any of them Apple users who share files using AirDrop. The researchers found that the problem existed in the use of hash functions that exchange phone numbers and email addresses during the discovery process.
Although this is quite disturbing, consumers are only affected in certain circumstances. On the one hand, anyone who has set their own settings for receiving “Everyone” is at risk. But also, even if your settings are set to Off. Or Only for contacts, if you have an open sharing sheet with AirDrop (where your device is looking for other devices to connect to), are at risk, according to the researchers.
Apple uses the new hash features SHA-256 to encrypt the phone number and email address of the user who has access to AirDrop. Although hashes cannot be converted to plain text by a beginner, the researchers found that an attacker who has a device with Wi-Fi enabled and is physically close can initiate a process to decrypt the encryption.
The research team, consisting of five experts from the University’s Secure Mobile Network Laboratory (SEEMOO) and the Cryptography and Privacy Group (ENCRYPTO), described in detail the vulnerability in paper.
According to the details provided in the article, there are two specific ways to use the disadvantages. In one case, an attacker could access user data when he was nearby and open a sharing list or share menu. iPhone,, iPad, or Mac. In the latter case, however, the attacker may open a sharing sheet or share menu for their devices and then search for a nearby device to perform a handshake for authentication with a responsive receiver.
The second case is valid only if the user has set the discovery of their AirDrop devices to Everybody. This is not as widespread as the first case where someone trying to share a file through an Apple device could be attacked.
In addition to detailing the shortcomings, the researchers developed a solution called “PrivateDrop,” which uses cryptographic protocols to cross a private set to handle sharing between two users without exchanging vulnerable hash values.
The researchers also said in a statement that they privately informed Apple about the shortcoming of AirDrop in May 2019, although the company did not acknowledge the problem and responded.
AirDrop exists as a preloaded service on more than 1.5 billion Apple devices that are said to be vulnerable due to a flaw discovered by researchers. Apple did not comment on whether it corrected the problem during the submission of the story.
This is not the first time that AirDrop has been found to have a security issue. The service in August 2019 was I noticed I had a problem which can allow hackers to access phone status information, battery information, Wi-Fi status, buffer availability, and operating system version. At the time, it was shown that AirDrop was sending partial hashes to the phone number SHA256, Apple IDand email addresses. The company also did not respond to this finding.
However, until the problems are officially fixed, Apple users can avoid being caught by an attacker via AirDrop simply by excluding it when not using the function.