Paper 2021/481

PrivateDrop: Practical Privacy-Preserving Authentication for Apple AirDrop

Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, and Christian Weinert

Abstract

Apple's offline file-sharing service AirDrop is integrated into more than 1.5 billion end-user devices worldwide. We discovered two design flaws in the underlying protocol that allow attackers to learn the phone numbers and email addresses of both sender and receiver devices. As a remediation, we study the applicability of private set intersection (PSI) to mutual authentication, which is similar to contact discovery in mobile messengers. We propose a novel optimized PSI-based protocol called PrivateDrop that addresses the specific challenges of offline resource-constrained operation and integrates seamlessly into the current AirDrop protocol stack. Using our native PrivateDrop implementation for iOS and macOS, we experimentally demonstrate that PrivateDrop preserves AirDrop's exemplary user experience with an authentication delay well below one second. We responsibly disclosed our findings to Apple and open-sourced our PrivateDrop implementation.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. USENIX Security 2021
Keywords
Mobile Contact DiscoveryPrivate Set IntersectionHash ReversalImplementationAppleAirDropiOSmacOS
Contact author(s)
aheinrich @ seemoo tu-darmstadt de
mhollick @ seemoo tu-darmstadt de
schneider @ encrypto cs tu-darmstadt de
mstute @ seemoo tu-darmstadt de
weinert @ encrypto cs tu-darmstadt de
History
2021-04-15: received
Short URL
https://ia.cr/2021/481
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/481,
      author = {Alexander Heinrich and Matthias Hollick and Thomas Schneider and Milan Stute and Christian Weinert},
      title = {{PrivateDrop}: Practical Privacy-Preserving Authentication for Apple {AirDrop}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/481},
      year = {2021},
      url = {https://eprint.iacr.org/2021/481}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.