Comments by: Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group
The concept of the security triangle helps us to understand the relationship between security, functionality and usability in software. The inter-dependency between these three attributes in software is a balancing act required to ensure a well-structured application.
In AirDrop’s case, usability was brought to the highest level of focus. In doing so, it seems that users’ personally identifiable information was leaked to support this usability. Some might argue that the leaked information is still hashed and hard to crack; however, with today’s abundance of processing power and the lack of high entropy in the phone number that is part of the hashed information, even brute force methods can crack such hashes in no time.
What is perhaps even more concerning is that this has been a known issue for 2 years and no efforts (none that have been publicly disclosed, at least) have been made to boost the security around this feature. The leaked information, including phone numbers and email addresses used to identify devices to which users connect, can also be used to tie the owner to services or other points of interest they may want to keep private.
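The low-entropy argument in the comments above, as an added worked example that is not part of the original comments and is not Apple's or Synopsys's code. The hash construction (an unsalted SHA-256 over the phone number in E.164 form) is an assumption made for the illustration only; the page does not state how the identifiers are hashed. The victim number is a constructed, fictional 555 number. The point the example shows is general: a hash output may be 256 bits wide, but inverting it costs no more than enumerating the input space, and a phone number under a known country and area code has only a few tens of millions of possible values.

```python
"""Brute-forcing a hashed phone number to illustrate the low-entropy point.

ASSUMPTION for this example: the identifier is hashed as unsalted SHA-256 over
its E.164 digit string. The page does not specify AirDrop's actual construction.
"""

import hashlib
import math
import time


def hash_identifier(identifier: str) -> bytes:
    # Assumed construction: plain SHA-256 of the identifier, no salt or key.
    return hashlib.sha256(identifier.encode("utf-8")).digest()


def entropy_bits(candidate_count: int) -> float:
    # The effective entropy of an identifier is log2 of the number of values an
    # attacker has to try, not the width of the hash output.
    return math.log2(candidate_count)


def brute_force_phone(target: bytes, prefix: str, suffix_digits: int):
    """Enumerate every number under a known prefix (country code plus area code
    and exchange) and return the one whose hash equals target, or None."""
    for n in range(10 ** suffix_digits):
        candidate = f"{prefix}{n:0{suffix_digits}d}"
        if hash_identifier(candidate) == target:
            return candidate
    return None


def measure_hash_rate(sample: int = 200_000) -> float:
    """Hashes per second on this machine (pure Python, one core), used to
    extrapolate the cost of exhausting a larger number space."""
    start = time.perf_counter()
    for n in range(sample):
        hash_identifier(f"+1{n:010d}")
    return sample / (time.perf_counter() - start)


def seconds_for_space(candidate_count: int, rate: float) -> float:
    return candidate_count / rate


if __name__ == "__main__":
    # Constructed, fictional victim number; its hash stands in for the value an
    # observer would hold after capturing it.
    victim = "+14155550123"
    leaked = hash_identifier(victim)

    # A 10-digit national number has about 33 bits of entropy; knowing the
    # area code leaves 7 digits, about 23 bits.
    print(f"10-digit number space: {entropy_bits(10**10):.1f} bits")
    print(f"with known area code:  {entropy_bits(10**7):.1f} bits")

    # Exhaust the 4-digit line space under a known exchange (10,000 candidates).
    # The same loop scales to a whole area code or country.
    print("recovered:", brute_force_phone(leaked, "+1415555", 4))

    rate = measure_hash_rate()
    print(f"~{rate:,.0f} hashes/s on this machine")
    print(f"known area code (10^7 candidates): ~{seconds_for_space(10**7, rate):.0f} s")
    print(f"full 10-digit space: ~{seconds_for_space(10**10, rate) / 3600:.1f} h")
```

Even the unoptimised Python loop above exhausts an area code in minutes; a GPU hash cracker handles the whole national numbering plan in seconds, which is why hashing alone does not protect a low-entropy identifier.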