Chinese drone giant Da Jiang Innovations (DJI) on Thursday responded to the disclosure of security issues discovered by researchers in one of its Android applications.
France-based cybersecurity company Synacktiv recently conducted an analysis of the DJI GO 4 application for Android. The app allows users to control and manage their DJI drones, and it’s mainly designed for recreational products.
DJI, similar to Huawei and several other major Chinese tech companies, has come under scrutiny over the past few years, with some U.S. government officials and agencies being concerned that it may be assisting the Chinese government’s spying efforts.
DJI has always denied these accusations and it has pointed to analysis conducted by the U.S. Department of Homeland Security and Booz Allen Hamilton, which shows that there is no evidence the company’s government and professional drones send user data to DJI, China or other third parties.
Synacktiv’s analysis, which has been validated by US-based cybersecurity company GRIMM, found several security holes. Researchers said the DJI GO 4 Android app uses anti-debugging mechanisms, obfuscation, dynamic encryption and packing, pointing out that they are similar to the anti-analysis techniques often leveraged by malware.
They also noticed that the application includes a mechanism that allows the vendor to install an update or new software without the user’s permission and without going through the Google Play store, from where the app has been downloaded more than a million times. By bypassing Google Play, the vendor can push any type of code to users’ devices, without the need to go through Google’s checks. This has led to researchers comparing the update system to malware command and control servers.
“Given the wide permissions required by DJI GO 4 (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user’s phone. This way of updating an Android App or pushing a new app completely circumvents Google feature module delivery or in-app updates. Google is not able then to do any verification on updates and modifications pushed by DJI,” Synacktiv said.
Researchers also found that the DJI application uses an SDK associated with the MobTech data intelligence platform. This component allegedly collects the device’s IMEI, IMSI and SIM card serial number, among others.
“This data is not relevant or necessary for drone flights and goes beyond DJI privacy policy. For example, IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop communications,” Synacktiv wrote in a blog post.
The company also says the DJI GO 4 app continues running in the background and making network requests even when the user closes it.
Interestingly, the obfuscation and the hidden app update mechanism are not present in the iOS version of the application, the researchers said.
DJI has responded to these claims, classifying them as “typical software concerns” and “hypothetical vulnerabilities,” highlighting that there was no evidence of exploitation. The company also noted that it runs a bug bounty program with rewards of up to $30,000 and it has advised researchers to use it to report their findings.
The vendor claims that it wants to be able to force updates to prevent users from installing hacked versions, which should “help ensure that our comprehensive airspace safety measures are applied consistently.”
“When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website. In future versions, users will also be able to download the official version from Google Play if it is available in their country. If users do not consent to doing so, their unauthorized (hacked) version of the app will be disabled for safety reasons,” DJI explained.
The drone maker also highlighted that products designed for government agencies use a dedicated app and updates are only done offline.
The company has confirmed that the MobTech component and Tencent’s Bugly telemetry module have been found to contain “security flaws” by other researchers, which is why they were previously removed from its apps.
As for the use of SDKs, the drone maker says customers who use its products for recreational purposes may want to share videos and photos on social media, which is done using the native SDKs provided by social media companies. It pointed out that these SDKs are only used when media sharing features are utilized, and security issues found in these components should be reported to their respective vendor.
DJI said it was unable to validate the claim that the app continues to run in the background after being closed by the user.
Related: DJI Drone Vulnerability Exposed Customer Data, Flight Logs, Photos and Videos