TL;DR
- Two independent security firms say the DJI Go 4 app includes multiple suspicious features.
- At the very least, the app violates some of Google’s Play Store policies.
- DJI issued a lengthy statement in which it refutes many of the claims.
Update: July 27, 2020 at 5:30 PM ET: We have more to say! Our resident drone guru Jonathan Feist weighed in on the DJI-security story over on our sister website, Drone Rush. Be sure to read the full article for more information at dronerush.com.
Spoiler alert: Things aren’t as bad as they sound.
Original article: July 24, 2020 at 1 PM ET: One of the most popular drone apps on the Google Play Store includes some worrying backend features, according to two independent reports spotted by Ars Technica. After reverse-engineering the DJI Go 4 app, security firms Synacktiv and Grimm found that the software at best violates Google’s Play Store policies and at worst could have been used to spy on the company’s users. DJI is one of the world’s largest and most successful commercial drone manufacturers. Based on publicly available Play Store metrics, the DJI Go 4 app has at least 1 million installs and as many as 5 million.
One of the more suspicious aspects of the app is that it can install any application on the user’s device, through either a self-update feature or a dedicated installer provided by Weibo, the Chinese social media giant. Both could download code from outside the Play Store, an aspect of their design that directly violates Google’s policies.
Additionally, a previous version of the app included a component that collected various sensitive data and sent it to MobTech, an SDK developer based in mainland China. The information the component had access to included the phone’s IMEI, SIM serial number, SD card information, Bluetooth addresses, and more. DJI removed that functionality in the most recent release of the DJI Go 4 app.
Lastly, the researchers allege the app can automatically restart any time you swipe up to close it, allowing it to continue running in the background and make network requests.
A spokesperson for DJI told Ars Technica that what the researchers found were “hypothetical vulnerabilities,” and that the researchers provided no evidence that they were ever exploited.
“The app update function described in these reports serves the very important safety goal of mitigating the use of hacked apps that seek to override our geofencing or altitude limitation features,” a spokesperson for the company said. Geofencing is a software feature authorities like the Federal Aviation Administration (FAA) mandate to prevent people from flying their drones into restricted airspace. DJI subsequently published a more extensive statement in which it attempts to address many of the concerns brought up by the reports. We urge you to read that full statement before getting too concerned.
Most notably, the company claims its app doesn’t restart without input from users. “We have not been able to replicate this behavior in our tests so far,” DJI said. It also stated it recently removed the MobTech and Bugly components the app previously featured after an earlier report found issues with those SDKs.
Google, for its part, said it’s looking into the reports.
The issue here is multifaceted. One major problem is that software companies frequently don’t do a thorough enough job of vetting the SDKs they use to build their apps. For instance, Facebook recently filed a federal lawsuit against a company that developed an SDK that potentially compromised the data of 9.5 million users. The open nature of Android and Google’s reliance on automated vetting for most of its review procedures mean that apps which skirt the company’s Play Store policies can easily slip through the cracks.
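The SDK-vetting gap described above, and the two concrete behaviours reported earlier (a bundled component reading IMEI, SIM serial and Bluetooth identifiers, and an app that can install packages from outside the Play Store), are things a developer or auditor can triage statically before an app ships. The Python script below is an added example written for this article, not code from DJI, Synacktiv, Grimm, Google or any of the SDK vendors named. It runs over apktool-style smali text and an AndroidManifest.xml; the Android API and permission names are real, but the sample inputs and the package names com.example.host and com.example.thirdpartysdk are constructed and hypothetical.

```python
"""Static triage of a decompiled Android app for identifier harvesting by
bundled SDK code and for the ability to install packages from outside the
store. Inputs are apktool-style smali text and a manifest; the samples at the
bottom are constructed for this example."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

# Framework methods/fields that return device or subscriber identifiers, in the
# smali notation baksmali/apktool emit. API names are real; labels are ours.
IDENTIFIER_APIS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": "IMEI/MEID",
    "Landroid/telephony/TelephonyManager;->getImei": "IMEI",
    "Landroid/telephony/TelephonyManager;->getSimSerialNumber": "SIM serial (ICCID)",
    "Landroid/telephony/TelephonyManager;->getSubscriberId": "IMSI",
    "Landroid/bluetooth/BluetoothAdapter;->getAddress": "Bluetooth MAC",
    "Landroid/os/Build;->SERIAL": "hardware serial",
}

# Permissions that let an app install code that did not come through the store.
# REQUEST_INSTALL_PACKAGES is the one an ordinary app can hold; INSTALL_PACKAGES
# is signature-level and only shows up in privileged/system apps.
INSTALL_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.INSTALL_PACKAGES",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
CLASS_DIRECTIVE = re.compile(r"^\s*\.class\b.*?\s(L[\w/$]+;)\s*$")


@dataclass(frozen=True)
class Finding:
    smali_class: str  # enclosing class, e.g. Lcom/example/thirdpartysdk/DeviceInfo;
    line_no: int
    api: str
    what: str


def scan_smali(smali_text: str) -> list[Finding]:
    """Return every identifier-API reference, attributed to the enclosing class."""
    findings: list[Finding] = []
    current_class = "<unknown>"
    for line_no, line in enumerate(smali_text.splitlines(), start=1):
        m = CLASS_DIRECTIVE.match(line)
        if m:
            current_class = m.group(1)
            continue
        for api, what in IDENTIFIER_APIS.items():
            if api in line:
                findings.append(Finding(current_class, line_no, api, what))
    return findings


def by_package(findings: list[Finding]) -> dict[str, int]:
    """Count findings per Java package, so third-party SDK code can be told
    apart from the app's own code; a vendor package that alone touches
    identifiers is the one to question before shipping."""
    counts: Counter[str] = Counter()
    for f in findings:
        path = f.smali_class[1:-1]  # strip leading 'L' and trailing ';'
        counts[path.rsplit("/", 1)[0].replace("/", ".")] += 1
    return dict(counts)


def install_capabilities(manifest_xml: str) -> list[str]:
    """List declared permissions that allow installing packages outside the store."""
    root = ET.fromstring(manifest_xml)
    found = [
        node.get(ANDROID_NS + "name", "")
        for node in root.iter("uses-permission")
        if node.get(ANDROID_NS + "name", "") in INSTALL_PERMISSIONS
    ]
    return sorted(found)


# Constructed sample: real apktool output has one class per file; two classes
# are concatenated here for brevity. Package names are hypothetical.
SAMPLE_SMALI = """\
.class public Lcom/example/host/MainActivity;
.super Landroid/app/Activity;
.method public onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method

.class public Lcom/example/thirdpartysdk/DeviceInfo;
.super Ljava/lang/Object;
.method public collect(Landroid/content/Context;)V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/bluetooth/BluetoothAdapter;->getAddress()Ljava/lang/String;
    return-void
.end method
"""

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.host">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""

if __name__ == "__main__":
    for f in scan_smali(SAMPLE_SMALI):
        print(f"{f.smali_class}:{f.line_no} reads {f.what} via {f.api}")
    print("per package:", by_package(scan_smali(SAMPLE_SMALI)))
    print("install capability:", install_capabilities(SAMPLE_MANIFEST))
```

On the constructed input every identifier read is attributed to the com.example.thirdpartysdk package, which is exactly the situation the article describes: the app's own code is clean, and the questionable behaviour lives in a vendor SDK the developer may never have inspected. The manifest check is deliberately coarse; a declared REQUEST_INSTALL_PACKAGES permission is not proof of misuse, but it is the first thing a reviewer should ask a developer to justify.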
If you own a DJI drone and worry about your privacy, your best course of action is to uninstall the DJI Go 4 app until Google completes its investigation. If Google finds anything alarming, we will be sure to update this article with the details you need to know.