Popular Chinese Drone Android App Suffers Major Security Issues, Investigation Finds

The Android application that Da Jiang Innovations (DJI) ships to control its drones contains mechanisms that could give the company access to details about its users, security researchers have found.

DJI is one of the biggest, if not the biggest, commercial drone manufacturers in the world. Because it is based in China, the company has to adhere to Chinese law, which means it would have to comply with government requests for the data it holds.

DJI offers apps for both Android and iOS devices, but only the Android version appears to be affected. Security researchers from Synacktiv and GRIMM analyzed the app used to control the drones and found mechanisms that the company could easily use to gather users' data.

The analysis of the DJI GO 4 app for Android suggests that these issues are not accidental. The application uses anti-analysis techniques usually seen in malware, obfuscating its code and function names to hinder reverse engineering.

The biggest issue identified is that the app contacts a server under DJI's control, much like a command and control (C&C) server, and can download and install updates and new software pushed from it without going through Google Play. Packages delivered this way never pass through Google Play's review, so Google cannot vet what is installed.

The second security concern is the data the app collects, which has nothing to do with flying the drone.

“The MobTech component embedded in recent versions of DJI Android GO 4 application collects personal data such as IMSI, IMEI, the serial number of the SIM card, etc,” said the security researchers. “This data is not relevant or necessary for drone flights and goes beyond DJI privacy policy. For example, IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop on communications.”

Completing the trifecta, the DJI GO 4 app does not actually close on Android. It keeps running in the background and continues to make network requests. The iOS counterpart is not obfuscated and does not exhibit the same behavior.
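Anyone wanting to check an Android app for the three behaviors described above can start with its manifest. The script below is an added example and is not code from the researchers or from DJI; it scans a decoded AndroidManifest.xml for standard Android permissions and intent actions associated with sideloading packages, reading device identifiers, and staying alive in the background. The sample manifest is constructed for illustration, and which of these permissions DJI GO 4 actually declares is an assumption, not a fact taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicators grouped by the three concerns raised in the article. The permission
# and action names are standard Android identifiers; whether DJI GO 4 declares
# any of them is an assumption made for this example, not a finding from the page.
INDICATORS = {
    "self_update_outside_play": {
        "permissions": {
            "android.permission.REQUEST_INSTALL_PACKAGES",
            "android.permission.INSTALL_PACKAGES",
        },
        "actions": set(),
    },
    "device_identifier_collection": {
        # READ_PHONE_STATE exposes IMEI/IMSI on older Android versions; on
        # Android 10+ non-system apps need READ_PRIVILEGED_PHONE_STATE.
        "permissions": {
            "android.permission.READ_PHONE_STATE",
            "android.permission.READ_PRIVILEGED_PHONE_STATE",
        },
        "actions": set(),
    },
    "background_persistence": {
        "permissions": {
            "android.permission.RECEIVE_BOOT_COMPLETED",
            "android.permission.FOREGROUND_SERVICE",
        },
        "actions": {"android.intent.action.BOOT_COMPLETED"},
    },
}

# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.drone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".KeepAliveService"/>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml: str) -> dict:
    """Return {concern: [matching permissions/actions]} for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    declared_perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    declared_actions = {el.get(name_attr) for el in root.iter("action")}

    findings = {}
    for concern, ind in INDICATORS.items():
        hits = sorted(declared_perms & ind["permissions"])
        hits += sorted(declared_actions & ind["actions"])
        if hits:
            findings[concern] = hits
    return findings


if __name__ == "__main__":
    for concern, hits in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{concern}: {', '.join(hits)}")
```

Manifests inside an APK are stored as binary XML, so decode them first (for example with apktool) before feeding the text to `audit_manifest`. A hit is an indicator to investigate, not proof: many legitimate apps declare READ_PHONE_STATE or a boot receiver, and a self-update path can also be built on an `ACTION_VIEW` intent that needs no special permission, which this heuristic will not catch.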

According to a New York Times report, the company has already said it uses the update system to stay ahead of people running modified software that lets them bypass geofencing and other restrictions.
