Leading commercial drone maker DJI is hitting back against researcher allegations that its Android mobile application is riddled with privacy holes. Among the allegations: the app continues to run in the background even after it’s been closed, and it collects sensitive data from users without consent.
The privacy issues were discovered in the DJI GO 4 application, which is the complementary app used to control DJI drones. It has over 1 million Google Play downloads (the iOS version of the app does not have the same issues, researchers say). Researchers with Synacktiv found several concerning privacy issues, which were then independently confirmed by researchers with GRIMM.
“The DJI GO 4 application contains several suspicious features as well as a number of anti-analysis techniques, not found in other applications using the same SDKs,” according to researchers with GRIMM, in a Thursday post. “Overall, these features are worrisome and may allow DJI or Weibo to access the user’s private information or target them for further exploitation.”
In a statement about the vulnerabilities, DJI vehemently denied any “unexpected data transmission” from its apps. The drone-maker also said it hasn’t been able to replicate some of the reported privacy issues in testing and that other vulnerabilities reported are “typical software concerns.”
“We have always prioritized the security of our apps and the privacy of our customers,” said DJI, in a statement published Friday to its website. “Recent reports do not contradict other third-party audits that found no unexpected data transmission from our apps designed for government and professional customers… These researchers found typical software concerns, with no evidence they have ever been exploited.”
Synacktiv researchers found that the DJI GO 4 application on the Android platform does not close when the user closes the app with a swipe right. Instead, they found that a service called Telemetry, provided by MapBox, will restart the application in the background, where it continues to run and make network requests. To effectively close the application, researchers say, users must instead terminate the service and close the application in the Android Settings.
DJI for its part argued that it has not been able to replicate this behavior in testing so far: “DJI GO 4 is not able to restart itself without input from the user, and we are investigating why these researchers claim it did so,” it said.
Researchers also allege that the application contains a “self-update” feature that orders the user’s phone to install a forced update or new software. This “self-update” feature goes against the policies of the official Google Play app marketplace, but researchers also say that an attacker could potentially compromise the “self-update” server and trick a victim into applying malicious application updates.
“This mechanism is very similar to command and control servers encountered with malwares,” said researchers. “Given the wide permissions required by DJI GO 4 (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user’s phone. This way of updating an Android App or pushing a new app completely circumvents Google feature module delivery or in-app updates.”
The application contains the ability to download and install arbitrary applications (with user approval) via a software development kit (SDK) provided by Chinese social media platform Weibo, they said. During this process, the Weibo SDK also collects the user’s private information and transmits it to Weibo, allege researchers.
DJI argued that the feature is a “technique” for dealing with unauthorized modifications to DJI control apps, and is designed to help ensure that airspace safety measures are applied consistently. It added that the data collected by the Weibo SDK allows recreational customers to share their photos and videos with friends and family on social media, and the SDK is only used when users “proactively turn it on.”
“When our systems detect that a DJI app is not the official version – for example, if it has been modified to remove critical flight safety features like geofencing or altitude restrictions – we notify the user and require them to download the most recent official version of the app from our website,” DJI said. “In future versions, users will also be able to download the official version from Google Play if it is available in their country. If users do not consent to doing so, their unauthorized (hacked) version of the app will be disabled for safety reasons.”
Researchers also say that two features within the app collect invasive information about app users, including the IMSI and IMEI serial numbers of the phone, the MAC address of the Wi-Fi interface, the serial number of the SIM card and more. The two alleged data-sucking components are the MobTech component embedded in “recent versions” of the DJI GO 4 Android application and an SDK called Bugly, which is a crash reporting module in previous versions of the app (specifically version 4.1.22; the most current version is version 4.3.37).
“This data is not relevant or necessary for drone flights and goes beyond DJI privacy policy,” researchers said.
DJI for its part said that the MobTech and Bugly components identified by researchers were previously removed from DJI flight control apps after earlier researchers identified potential security flaws in them.
“Again, there is no evidence they were ever exploited, and they were not used in DJI’s flight control systems for government and professional customers,” said DJI.
DJI also encouraged researchers to utilize its bug bounty program, which was launched in 2017, to “responsibly disclose security concerns about our products.” Previously, the drone maker faced security issues when it patched a cross-site scripting bug impacting its forums that could have allowed a hacker to hijack user accounts and gain access to sensitive online data, ranging from flight images, bank card data and flight records to real-time camera images.