User Tools

Site Tools


faq:dataleakage

DJI Data Leakage

This page will contain examples of where information “leaks” in ways that is unexpected to DJI consumers. Note also another page that will contain information on the terms of service that are accepted as part of using the DJI ecosystem.

Hot Patching - Back-door found in DJI GO

One of the big no-go areas in an app development is the capability for an app to modify its code after deployment. If an app is able to modify itself, it will be able to bypass the rules that govern acceptance into an App Store. For example, Apple has recently warned developers that hot patch capabilities are grounds for apps getting banned. The Google policy says that an app“may not modify, replace, or update itself using any method other than Google Play’s update mechanism”.

Android Tinker

Security Researchers have uncovered the use of "tinker" within the DJI GO application. “Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstalling apk.” Again, the Google policy states: “Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play

IOS JSPatch

Before IOS users start to feel confident about their choice, the news on IOS is not much better. IOS APK's have been found to contain JSPatch as an alternative to Tinker. According to fireeye research on the topic, the use of this technique can “expose a similar attack vector that allows patching scripts to alter the app behavior at runtime, without the constraints imposed by the App Store’s vetting process.” The research also states, “malicious behavior can be temporary, dynamic, stealthy, and evasive. Such an attack, when in place, will pose a big risk to all stakeholders involved.

As stated above, using hot patching frameworks that doing so violates its rules.

The Response

DJI representatives initially claimed that hot patching “has never been used in production”. DJI acknowledge this functionality is not permitted, and they would not use this in a public setting.

Regardless of the denial by DJI, you don't put a back door in your code for no good reason.

DJI have subsequently advised that the issue: The is being addressed. We have never used it as a company. It should be removed with the next revision.

These findings do paint a sinister story. The capability to dynamically change the software on your device to do anything you likeis like opening up Aladdin's cave. Apps could be dynamically modified to allow access to anything that the DJI go app has permission to access. That would include all access to all vision, all telemetry, and all flight logs. At its worst, this could include a command to “bring down” a drone being used for military purposes. This is the whole pandora's box, and explains why the US Army have ordered the removal of all DJI software from Army devices.

DJI Forum - Disclosure of DJI sales history

Imagine you are an Amazon customer… and you purchased all sorts of things over an extended period. Imagine you then posted something in an amazon support forum… and when your forum post is published, anyone reading it could see your amazon purchase history. Would that be a concern?

Not according to DJI. Any user who posts in the DJI forum will have their past sales history disclosed against their forum posts. There is an icon for each product owned, that is displayed against the user profile in each post. Disclosing sales records is to be blunt a serious concern, and not permitted under the terms of the DJI privacy policy.

Dji Forum - Disclosure of Kilometers flown

A user posting on the DJI forum has the distance flown with their linked DJI profile displayed against every forum post. The DJI privacy policy for the DJI GO app does not permit this disclosure. Flight logs being uploaded to the “cloud” are done so with the intent being PRIVATE data synchronisation to allow multiple devices to have the same data.

Any information that you voluntarily choose to upload to a publicly accessible site or venue using DJI Products and Services (including sharing information on SkyPixel, DJI+ Discover App or on DJI’s online community forum, the “DJI Forum”), or that you elect to make public, will be available to anyone who has access to that content, including other users.

This policy is the closest one that relates to this provided data. The sharing of kilometres traveled from sync'd flight logs breaches DJI's privacy policy

Skypixel - Public upload of private content

  • A user who shares content to say a private Facebook page also has their content uploaded to skypixel. There is no way to turn this off if you press the share to Facebook logo in DJI go. DJI Forum Report and this DJI Forum Report

Unusual findings

More research is in progress on of the item(s) below

Network Chatter

faq/dataleakage.txt · Last modified: 2017/08/27 03:39 by czokie