This Drone App Has Been Collecting Sensitive User Data and Violates Google Play Policies, Reverse-engineering Experts Discovered

The DJI Go 4 application for Android, which is used to control DJI drones, includes some worrying backend features, Ars Technica reported. The app has recently been collecting sensitive user information and can download and execute code of the developers’ choosing. Two independent reports have been published questioning the privacy and trustworthiness of an app that has over 1 million downloads on the Google Play Store.

The application is used to control drones made by DJI, a China-based company that is one of the world’s largest makers of commercial drones, and to collect near real-time clips and flight data from them. Publicly available Google Play Store metrics suggest that the DJI Go 4 app has at least 1 million downloads; however, because of the way Google discloses install counts, the true figure could be as high as nearly five million. The application has a rating of 3.5 stars out of 5 from over 52,000 people.

The security firm Synacktiv reverse-engineered the app two weeks ago, and on Thursday a second firm, Grimm, published results from its independent analysis of the app. At a minimum, both firms found that the application violates Google Play policies and that it collects a wide array of sensitive data from users and sends it to servers in China. In the worst case, the developers could have used the app to spy on users.

According to the reports, the app can install any application on your device, either through a self-update feature or through a dedicated installer provided by the Chinese social platform Weibo. Both features download code from outside Google Play, which violates Google’s policies.

The reports also found that an older version of the app included a component that collected phone data, including the IMSI, IMEI, SIM serial number, kernel version, and more, and sent it to MobTech, a China-based SDK developer. That functionality was removed in the most recent release.

Lastly, the app can automatically restart whenever you close it, which lets it keep running in the background. The recent reports come three years after the United States Army banned the use of DJI drones. A DJI spokesman told media outlets that the researchers had discovered ‘hypothetical vulnerabilities’ and had provided no evidence that the vulnerabilities were ever exploited. DJI officials wrote in a statement that the app update function described in the reports serves the crucial safety goal of mitigating the use of hijacked applications that seek to override the company’s geofencing or altitude limitation functions.

A Google spokesman stated that the company is looking into the reports, while the researchers noted that the iOS version of DJI Go 4 has no obfuscation or update functions.

For now, privacy-conscious users can simply uninstall the DJI Go 4 app from their smartphones until Google reaches a conclusion in its review.
