faq:dataleakage

Differences

This shows you the differences between two versions of the page.

faq:dataleakage [2017/08/09 01:12]
czokie [Hot Patching]
faq:dataleakage [2017/08/27 03:39] (current)
czokie ↷ Links adapted because of a move operation
Line 1: Line 1:
 ====== DJI Data Leakage ====== ====== DJI Data Leakage ======
  
-This page will contain examples of where information "leaks" in ways that is unexpected to DJI consumers. Note also another page that will contain information on the [[tos|terms of service]] that are accepted as part of using the DJI ecosystem.+This page will contain examples of where information "leaks" in ways that is unexpected to DJI consumers. Note also another page that will contain information on the [[.tos:start|terms of service]] that are accepted as part of using the DJI ecosystem.
  
-===== Kilometers flown ===== 
-A user posting on the DJI forum has the distance flown with their linked DJI profile displayed against every forum post. The DJI privacy policy for the DJI GO app does not permit this disclosure. Flight logs being uploaded to the "cloud" are done so with the intent being PRIVATE data synchronisation to allow multiple devices to have the same data. 
  
-//Any information that you voluntarily choose to upload to a publicly accessible site or venue using DJI Products and Services (including sharing information on SkyPixel, DJI+ Discover App or on DJI’s online community forum, the “DJI Forum”), or that you elect to make public, will be available to anyone who has access to that content, including other users.//+===== Hot Patching - Back-door found in DJI GO ===== 
 +One of the big no-go areas in an app development is the capability for an app to modify its code after deployment. If an app is able to modify itselfit will be able to bypass the rules that govern acceptance into an App Store. For example, Apple has recently [[https://www.theregister.co.uk/2017/03/09/apple_burns_bridge_for_hot_patching/|warned developers]] that hot patch capabilities are grounds for apps getting banned. The [[https://play.google.com/intl/ALL_fr/about/developer-content-policy-print/|Google policy]] says that an app"//may not modifyreplace, or update itself using any method other than Google Play’s update mechanism//".
  
-This policy is the closest one that relates to this provided data. The sharing of kilometres traveled from sync'd flight logs breaches DJI's [[http://djistatic.com/agreement/dji-go-4-pp.html|privacy policy]]+==== Android Tinker ====
  
-===== Disclosure of DJI sales history ===== +Security Researchers have [[https://www.rcgroups.com/forums/showthread.php?2911378-DJI-Dashboard-Modding-tips-tricks-and-results-OFFICIAL-THREAD/page172|uncovered the use of "tinker"]] within the DJI GO application"[[https://github.com/Tencent/tinker|Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstalling apk]]." Again, the [[https://play.google.com/intl/ALL_fr/about/developer-content-policy-print/|Google policy]] states: "//Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from source other than Google Play//"
-Imagine you are an Amazon customer... and you purchased all sorts of things over an extended periodImagine you then posted something in an amazon support forum... and when your forum post is publishedanyone reading it could see your amazon purchase historyWould that be concern?+
  
-Not according to DJI. Any user who posts in the DJI forum will have their past sales history disclosed against their forum posts. There is an icon for each product owned, that is displayed against the user profile in each post. Disclosing sales records is to be blunt a serious concern, and not permitted under the terms of the DJI privacy policy.+==== IOS JSPatch ====
  
-===== Skypixel ===== +Before IOS users start to feel confident about their choice, the news on IOS is not much better. IOS APK's have been found to contain JSPatch as an alternative to TinkerAccording to [[https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html|fireeye research]] on the topic, the use of this technique can "//expose a similar attack vector that allows patching scripts to alter the app behavior at runtimewithout the constraints imposed by the App Store’s vetting process.//" The research also states"//malicious behavior can be temporary, dynamic, stealthy, and evasiveSuch an attack, when in place, will pose a big risk to all stakeholders involved.//"
-  * A user who shares content to say a private Facebook page also has their content uploaded to skypixelThere is no way to turn this off. [[http://forum.dji.com/thread-98200-1-1.html|DJI Forum Report]] and this  [[https://forum.dji.com/thread-106560-1-1.html|DJI Forum Report]] +
-===== Hot Patching ===== +
-One of the big no-go areas in an app store is the capability for an app to modify its code after deployment. If an app is able to modify itselfit will be able to bypass the rules that govern acceptance into an App Store. For exampleApple has recently [[https://www.theregister.co.uk/2017/03/09/apple_burns_bridge_for_hot_patching/|warned developers]] that hot patch capabilities are grounds for apps getting banned. +
  
-Security Researchers have [[https://www.rcgroups.com/forums/showthread.php?2911378-DJI-Dashboard-Modding-tips-tricks-and-results-OFFICIAL-THREAD/page172|uncovered the use of "tinker"]] within the DJI GO application. "[[https://github.com/Tencent/tinker|Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstalling apk]]."+As stated above, [[https://www.theregister.co.uk/2017/03/09/apple_burns_bridge_for_hot_patching/|using hot patching frameworks that doing so violates its rules.]] 
 +==== The Response ====
  
-DJI representatives initially claimed "//this has never been used in production//". However, the researchers have identified [[https://www.rcgroups.com/forums/showpost.php?p=38060463|executable code that has timestamps]] that are alligned to .dex files used by tinker, which appears to contradict DJI's denial. But this is conjecture, and could be a total co-incidence. DJI acknowledge this functionality is not permitted by [[https://www.rcgroups.com/forums/showpost.php?p=38060360|google terms, they would not use this in a public setting]]+DJI representatives initially claimed that hot patching "//has never been used in production//". DJI acknowledge this functionality is not permitted, and [[https://www.rcgroups.com/forums/showpost.php?p=38060360|they would not use this in a public setting]].
  
 Regardless of the denial by DJI, you don't put a back door in your code for no good reason. Regardless of the denial by DJI, you don't put a back door in your code for no good reason.
  
-DJI have subsequently advised: //"[[https://www.rcgroups.com/forums/showpost.php?p=38061281|The Tinker issue is being addressed. We have never used it as a company. It should be removed with the next revision]].//"+DJI have subsequently advised that the issue: //"[[https://www.rcgroups.com/forums/showpost.php?p=38061281|The is being addressed. We have never used it as a company. It should be removed with the next revision]].//"
  
 These findings do paint a sinister story. The capability to dynamically change the software on your device to do anything you likeis like opening up Aladdin's cave. Apps could be dynamically modified to allow access to anything that the DJI go app has permission to access. That would include all access to all vision, all telemetry, and all flight logs. At its worst, this could include a command to "bring down" a drone being used for military purposes. This is the whole pandora's box, and explains why the US Army have ordered the removal of all DJI software from Army devices. These findings do paint a sinister story. The capability to dynamically change the software on your device to do anything you likeis like opening up Aladdin's cave. Apps could be dynamically modified to allow access to anything that the DJI go app has permission to access. That would include all access to all vision, all telemetry, and all flight logs. At its worst, this could include a command to "bring down" a drone being used for military purposes. This is the whole pandora's box, and explains why the US Army have ordered the removal of all DJI software from Army devices.
 +
 +===== DJI Forum - Disclosure of DJI sales history =====
 +Imagine you are an Amazon customer... and you purchased all sorts of things over an extended period. Imagine you then posted something in an amazon support forum... and when your forum post is published, anyone reading it could see your amazon purchase history. Would that be a concern?
 +
 +Not according to DJI. Any user who posts in the DJI forum will have their past sales history disclosed against their forum posts. There is an icon for each product owned, that is displayed against the user profile in each post. Disclosing sales records is to be blunt a serious concern, and not permitted under the terms of the DJI privacy policy.
 +
 +===== Dji Forum - Disclosure of Kilometers flown =====
 +A user posting on the DJI forum has the distance flown with their linked DJI profile displayed against every forum post. The DJI privacy policy for the DJI GO app does not permit this disclosure. Flight logs being uploaded to the "cloud" are done so with the intent being PRIVATE data synchronisation to allow multiple devices to have the same data.
 +
 +//Any information that you voluntarily choose to upload to a publicly accessible site or venue using DJI Products and Services (including sharing information on SkyPixel, DJI+ Discover App or on DJI’s online community forum, the “DJI Forum”), or that you elect to make public, will be available to anyone who has access to that content, including other users.//
 +
 +This policy is the closest one that relates to this provided data. The sharing of kilometres traveled from sync'd flight logs breaches DJI's [[http://djistatic.com/agreement/dji-go-4-pp.html|privacy policy]]
 +
 +===== Skypixel - Public upload of private content =====
 +  * A user who shares content to say a private Facebook page also has their content uploaded to skypixel. There is no way to turn this off if you press the share to Facebook logo in DJI go. [[http://forum.dji.com/thread-98200-1-1.html|DJI Forum Report]] and this  [[https://forum.dji.com/thread-106560-1-1.html|DJI Forum Report]]
  
 ===== Unusual findings ===== ===== Unusual findings =====
-More research is in progress on both of the items below+More research is in progress on of the item(s) below
   * [[https://twitter.com/Bin4ryDigit/status/894567704782401536|Data upload analysis]].    * [[https://twitter.com/Bin4ryDigit/status/894567704782401536|Data upload analysis]]. 
 +
 +===== Network Chatter =====
 +[[.:dataleakage/chatter|Details on some network analysis can be found here]]
 +
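Review bot: the reworded sentence under "IOS JSPatch", "As stated above, [[...|using hot patching frameworks that doing so violates its rules.]]", no longer parses as a sentence; the earlier revision's wording ("Apple has recently warned developers that hot patch capabilities are grounds for apps getting banned") can be reused, e.g. "As stated above, Apple has warned developers that using hot patching frameworks violates its rules." Two smaller slips in the added lines: under "The Response" the quotation now reads "The is being addressed" because "Tinker issue" was moved out of the quoted text into the lead-in, so the quote lost its subject (keep "The Tinker issue is being addressed" inside the quote, as in the previous revision), and "More research is in progress on of the item(s) below" should read "on the item(s) below". The "IOS JSPatch" paragraph also says "IOS APK's"; iOS apps ship as .ipa packages, APK is the Android format. Finally, this revision drops the sentence about executable code with timestamps aligned to Tinker .dex files together with its "this is conjecture" caveat; if that claim is being withdrawn deliberately that is fine, but the unchanged line "Regardless of the denial by DJI, you don't put a back door in your code for no good reason" now stands without the evidence it previously referred to.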
faq/dataleakage.1502241144.txt.gz · Last modified: 2017/08/09 01:12 by czokie