One Billion Apples' Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol

TL;DR

This paper analyzes Apple's proprietary AWDL protocol, revealing its operation, synchronization, and security aspects, which are crucial for understanding its widespread use in popular applications like AirDrop and AirPlay on over a billion devices.

Contribution

It provides the first detailed analysis of AWDL's operation, synchronization, and security, along with an open-source Wireshark dissector for future research.

Findings

AWDL uses Availability Windows for communication coordination

Synchronization accuracy is sufficient for application needs

Preliminary security assessment identifies potential vulnerabilities

Abstract

Apple Wireless Direct Link (AWDL) is a proprietary and undocumented IEEE 802.11-based ad hoc protocol. Apple first introduced AWDL around 2014 and has since integrated it into its entire product line, including iPhone and Mac. While we have found that AWDL drives popular applications such as AirPlay and AirDrop on more than one billion end-user devices, neither the protocol itself nor potential security and Wi-Fi coexistence issues have been studied. In this paper, we present the operation of the protocol as the result of binary and runtime analysis. In short, each AWDL node announces a sequence of Availability Windows (AWs) indicating its readiness to communicate with other AWDL nodes. An elected master node synchronizes these sequences. Outside the AWs, nodes can tune their Wi-Fi radio to a different channel to communicate with an access point, or could turn it off to save energy. Based on our analysis, we conduct experiments to study the master election process, synchronization accuracy, channel hopping dynamics, and achievable throughput. We conduct a preliminary security assessment and publish an open source Wireshark dissector for AWDL to nourish future work.