Connect with us

Hi, what are you looking for?



Chinese Drone Giant DJI Responds to Disclosure of Android App Security Issues

Chinese drone giant Da Jiang Innovations (DJI) on Thursday responded to the disclosure of security issues discovered by researchers in one of its Android applications.

Chinese drone giant Da Jiang Innovations (DJI) on Thursday responded to the disclosure of security issues discovered by researchers in one of its Android applications.

France-based cybersecurity company Synacktiv recently conducted an analysis of the DJI GO 4 application for Android. The app allows users to control and manage their DJI drones, and it’s mainly designed for recreational products.

DJI, similar to Huawei and several other major Chinese tech companies, has come under scrutiny over the past few years, with some U.S. government officials and agencies being concerned that it may be assisting the Chinese government’s spying efforts.

DJI has always denied these accusations and it has pointed to analysis conducted by the U.S. Department of Homeland Security and Booz Allen Hamilton, which shows that there is no evidence the company’s government and professional drones send user data to DJI, China or other third parties.

Synacktiv’s analysis, which has been validated by US-based cybersecurity company GRIMM, found several security holes. Researchers said the DJI GO 4 Android app uses anti-debugging mechanisms, obfuscation, dynamic encryption and packing, pointing out that they are similar to the anti-analysis techniques often leveraged by malware.

Vulnerabilities found in DJI drone app for Android

They also noticed that the application includes a mechanism that allows the vendor to install an update or new software without the user’s permission and without going through the Google Play store, from where the app has been downloaded more than a million times. By bypassing Google Play, the vendor can push any type of code to users’ devices, without the need to go through Google’s checks. This has led to researchers comparing the update system to malware command and control servers.

“Given the wide permissions required by DJI GO 4 (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user’s phone. This way of updating an Android App or pushing a new app completely circumvents Google feature module delivery or in-app updates. Google is not able then to do any verification on updates and modifications pushed by DJI,” Synacktiv said.

Advertisement. Scroll to continue reading.

Researchers also found that the DJI application uses an SDK associated with the MobTech data intelligence platform. This component allegedly collects the device’s IMEI, IMSI and SIM card serial number, among others.

“This data is not relevant or necessary for drone flights and goes beyond DJI privacy policy. For example, IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop communications,” Synacktiv wrote in a blog post.

The company also says the DJI GO 4 app continues running in the background and making network requests even when the user closes it.

Interestingly, the obfuscation and the hidden app update mechanism are not present in the iOS version of the application, the researchers said.

DJI has responded to these claims, classifying them as “typical software concerns” and “hypothetical vulnerabilities,” highlighting that there was no evidence of exploitation. The company also noted that it runs a bug bounty program with rewards of up to $30,000 and it has advised researchers to use it to report their findings.

The vendor claims that it wants to be able to force updates to prevent users from installing hacked versions, which should “help ensure that our comprehensive airspace safety measures are applied consistently.”

“When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website. In future versions, users will also be able to download the official version from Google Play if it is available in their country. If users do not consent to doing so, their unauthorized (hacked) version of the app will be disabled for safety reasons,” DJI explained.

The drone maker also highlighted that products designed for government agencies use a dedicated app and updates are only done offline.

The company has confirmed that the MobTech component and Tencent’s Bugly telemetry module have been found to contain “security flaws” by other researchers, which is why they were previously removed from its apps.

As for the use of SDKs, the drone maker says customers who use its products for recreational purposes may want to share videos and photos on social media, which is done using the native SDKs provided by social media companies. It pointed out that these SDKs are only used when media sharing features are utilized, and security issues found in these components should be reported to their respective vendor.

DJI said it was unable to validate the claim that the app continues to run in the background after being closed by the user.

Related: DJI Drone Vulnerability Exposed Customer Data, Flight Logs, Photos and Videos

Related: Design Flaws Expose Drones to Hacker Attacks

Related: DHS Says Drone Maker DJI Helping China Spy on U.S.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.