This page will contain examples of where information “leaks” in ways that is unexpected to DJI consumers. Note also another page that will contain information on the terms of service that are accepted as part of using the DJI ecosystem.
One of the big no-go areas in an app development is the capability for an app to modify its code after deployment. If an app is able to modify itself, it will be able to bypass the rules that govern acceptance into an App Store. For example, Apple has recently warned developers that hot patch capabilities are grounds for apps getting banned. The Google policy says that an app“may not modify, replace, or update itself using any method other than Google Play’s update mechanism”.
Security Researchers have uncovered the use of "tinker" within the DJI GO application. “Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstalling apk.” Again, the Google policy states: “Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play”
Before IOS users start to feel confident about their choice, the news on IOS is not much better. IOS APK's have been found to contain JSPatch as an alternative to Tinker. According to fireeye research on the topic, the use of this technique can “expose a similar attack vector that allows patching scripts to alter the app behavior at runtime, without the constraints imposed by the App Store’s vetting process.” The research also states, “malicious behavior can be temporary, dynamic, stealthy, and evasive. Such an attack, when in place, will pose a big risk to all stakeholders involved.”
As stated above, using hot patching frameworks that doing so violates its rules.
DJI representatives initially claimed that hot patching “has never been used in production”. DJI acknowledge this functionality is not permitted, and they would not use this in a public setting.
Regardless of the denial by DJI, you don't put a back door in your code for no good reason.
DJI have subsequently advised that the issue: “The is being addressed. We have never used it as a company. It should be removed with the next revision.”
These findings do paint a sinister story. The capability to dynamically change the software on your device to do anything you likeis like opening up Aladdin's cave. Apps could be dynamically modified to allow access to anything that the DJI go app has permission to access. That would include all access to all vision, all telemetry, and all flight logs. At its worst, this could include a command to “bring down” a drone being used for military purposes. This is the whole pandora's box, and explains why the US Army have ordered the removal of all DJI software from Army devices.
Imagine you are an Amazon customer… and you purchased all sorts of things over an extended period. Imagine you then posted something in an amazon support forum… and when your forum post is published, anyone reading it could see your amazon purchase history. Would that be a concern?
Any information that you voluntarily choose to upload to a publicly accessible site or venue using DJI Products and Services (including sharing information on SkyPixel, DJI+ Discover App or on DJI’s online community forum, the “DJI Forum”), or that you elect to make public, will be available to anyone who has access to that content, including other users.
More research is in progress on of the item(s) below