Our friends at Android Authority recently reported on the results of some research done on the DJI GO 4 app. The results may seem alarming at first, but we urge you to keep a level head until you get all the facts.
One of the most popular drone apps on the Google Play Store includes some worrying backend features, according to two independent reports picked up by Ars Technica. After reverse-engineering the DJI GO 4 app, security firms Synacktiv and Grimm found that the software at best violates Google’s Play Store policies and at worst could have been used to spy on the company’s users. DJI is one of the world’s largest and most successful commercial drone manufacturers. Based on publicly available Play Store metrics, the DJI GO 4 app has at least 1 million installs and as many as 5 million.
One of the more suspicious aspects of the app is that it can install any application on the user’s device through either a self-update feature or a dedicated installer provided by China’s Weibo social media giant. Both could download code from outside of the Play Store, an aspect of their design that directly violates Google’s policies.
Additionally, a previous version of the app included a component that collected and sent various sensitive data to MobTech, an SDK developer based in mainland China. The information this component had access to included the phone’s IMEI, SIM serial number, SD card information, Bluetooth addresses, and more. DJI removed that functionality with the most recent release of the DJI GO 4 app.
A spokesperson for DJI told Ars Technica that the researchers had found “hypothetical vulnerabilities” and had provided no evidence that they were ever exploited.
“The app update function described in these reports serves the very important safety goal of mitigating the use of hacked apps that seek to override our geofencing or altitude limitation features,” a spokesperson for the company said. Geofencing is a software feature authorities like the Federal Aviation Administration (FAA) mandate to prevent people from flying their drones into restricted airspace. DJI subsequently published a more extensive statement in which it attempts to address many of the concerns brought up by the reports. We urge you to read that full statement before getting too concerned.
Most notably, the company claims its app does not restart itself without input from users. “We have not been able to replicate this behavior in our tests so far,” DJI said. It also stated that it recently removed the MobTech and Bugly components the app previously included, after an earlier report found issues with those SDKs.
Google, for its part, said it’s looking into the reports.
In defense of DJI
Hey guys, Jonathan here, your friendly neighborhood Drone Rush editor. We all know there are two sides to every story, and this is one of those stories. While we have not taken a deep dive into the code of DJI’s app ourselves, we have some insights that might help ease your fears. I’m here to tell you that things are not as bad as they sound.
- This is a continuation of a political attack on DJI.
- Are these vulnerabilities, or features?
- DJI is from China, but so are a lot of the apps and games you’re already using.
First and foremost, we admit that DJI is based out of Shenzhen, China. As such, they are legally required to make their servers available to the government upon request. This is true of all Chinese brands. We’re not saying you should trust the Chinese government with your personal data, but if you are going to boycott DJI, you might consider boycotting all Chinese brands, not just DJI.
Due to the constraints of the Play Store, and other limitations imposed by the Chinese government, DJI found a way to ensure that your drone operates at maximum efficiency and within the law. One of the “holes” in the DJI GO 4 app is its ability to download data that has not been pre-approved by the app store. These downloads are firmware updates for your drone, and maps. Did you know that your DJI drone includes GPS-driven geofencing technology to help prevent you from flying in places where it is against the law to fly?
DJI also points out that the app performs a validation self-check before you fly. With flight safety in mind, and considering the laws of each country around the globe, DJI ensures you are not using a hacked version of its app. You can download third-party apps to fly your DJI drone, but if something goes wrong, DJI is making sure it is not because of them.
Here is something you may not have been told yet: when you go fly your drone, don’t use your daily driver phone. In the United States, if you break the laws of the sky, the FAA and/or law enforcement can confiscate your drone and the equipment you are using to fly it. Protect your daily driver, and your personal data, by using a secondary device to fly your drone. If it is true that the DJI GO 4 app can snag data from the device, you will be limiting that exposure as well.
Did you know that the U.S. Government commissioned and approved a set of DJI drones for official use? The Government Edition DJI drones are equipped with data and connection encryption to keep your operations private. For the Government Edition drones, and for your consumer DJI drone at home, you can also disable your phone’s data connections for the duration of your flight operation. You will still need GPS turned on for your flight, but you can safely download all of your flight data before reconnecting the smartphone to the internet, at least preventing any of your flight data from ending up on DJI’s servers.
Finally, we are seeing a disturbing (yet very common) political trend that we think you should be aware of: this is not the first political attack we have seen on DJI. Back in May, a slightly ridiculous patent case threatened to take most DJI drones off of store shelves in the United States. That is not resolved yet, but the patent holder, Autel Robotics, is laying claim to a patent that covers drones in which “the rotor blades can be easily detached for transportation” and “the legs can also be conveniently folded for storage.” No, we did not write those as generic statements for this article; the USPTO actually awarded a patent for a ‘rectangle with rounded corners’ again. Grrr.
Anyhow, Autel Robotics tries very hard to look like a home-grown U.S. company, out to protect the country from the evil Chinese invaders, but Autel Robotics is actually a Chinese brand. Did they forget to mention that they started in Shenzhen, China, and have been battling DJI for years now? Autel Robotics issued a fun quote about an older case in China that they were fighting: “We only filed the lawsuit because DJI is threatening the company’s survival.”
Read more: Chinese netizens upset about legal battle between local drone companies
(Fun fact, that’s me in the background of their image, from the DJI Mavic 2 drones launch event.)
We are not saying you should outright trust DJI, but please consider that theirs is one of thousands of apps with servers in China, and their goal has always been to become the top drone manufacturer on the planet. They have achieved the top spot, but even the best make mistakes now and then. The scientists at Isla Nublar figured out how to grow live dinosaurs, and the engineers at DJI figured out how to make their app do what they need it to do so that you can fly safely and legally.