faq:dataleakage

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
faq:dataleakage [2017/08/14 01:54]
czokie Add JSPatch
faq:dataleakage [2017/08/27 03:39] (current)
czokie ↷ Links adapted because of a move operation
Line 1: Line 1:
 ====== DJI Data Leakage ====== ====== DJI Data Leakage ======
  
-This page will contain examples of where information "leaks" in ways that is unexpected to DJI consumers. Note also another page that will contain information on the [[tos|terms of service]] that are accepted as part of using the DJI ecosystem.+This page will contain examples of where information "leaks" in ways that is unexpected to DJI consumers. Note also another page that will contain information on the [[.tos:start|terms of service]] that are accepted as part of using the DJI ecosystem.
  
  
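Review bot: the only substantive change in this hunk is the link target moving from [[tos|terms of service]] to [[.tos:start|terms of service]], which matches the "Links adapted because of a move operation" summary, but the sentence it sits in keeps the agreement error "in ways that is unexpected to DJI consumers" on both sides; since the line is already being rewritten, "in ways that are unexpected to DJI consumers" would fix it at no extra cost.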
Line 13: Line 13:
 ==== IOS JSPatch ==== ==== IOS JSPatch ====
  
-Before IOS users start to feel confident about their choice, the news on IOS is not much better. IOS APK's have been found to contain JSPatch as an alternative to Tinker. As stated above, this is not permitted based on the [[https://www.theregister.co.uk/2017/03/09/apple_burns_bridge_for_hot_patching/|warning from apple]].+Before IOS users start to feel confident about their choice, the news on IOS is not much better. IOS APK's have been found to contain JSPatch as an alternative to Tinker. According to [[https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html|fireeye research]] on the topic, the use of this technique can "//expose a similar attack vector that allows patching scripts to alter the app behavior at runtime, without the constraints imposed by the App Store’s vetting process.//" The research also states, "//malicious behavior can be temporary, dynamic, stealthy, and evasive. Such an attack, when in place, will pose a big risk to all stakeholders involved.//"
  
 +As stated above, [[https://www.theregister.co.uk/2017/03/09/apple_burns_bridge_for_hot_patching/|using hot patching frameworks that doing so violates its rules.]]
 ==== The Response ==== ==== The Response ====
  
-DJI representatives initially claimed "//this has never been used in production//". DJI acknowledge this functionality is not permitted by google policy, and [[https://www.rcgroups.com/forums/showpost.php?p=38060360|they would not use this in a public setting]].+DJI representatives initially claimed that hot patching "//has never been used in production//". DJI acknowledge this functionality is not permitted, and [[https://www.rcgroups.com/forums/showpost.php?p=38060360|they would not use this in a public setting]].
  
 Regardless of the denial by DJI, you don't put a back door in your code for no good reason. Regardless of the denial by DJI, you don't put a back door in your code for no good reason.
  
-DJI have subsequently advised: //"[[https://www.rcgroups.com/forums/showpost.php?p=38061281|The Tinker issue is being addressed. We have never used it as a company. It should be removed with the next revision]].//"+DJI have subsequently advised that the issue: //"[[https://www.rcgroups.com/forums/showpost.php?p=38061281|The is being addressed. We have never used it as a company. It should be removed with the next revision]].//"
  
 These findings do paint a sinister story. The capability to dynamically change the software on your device to do anything you likeis like opening up Aladdin's cave. Apps could be dynamically modified to allow access to anything that the DJI go app has permission to access. That would include all access to all vision, all telemetry, and all flight logs. At its worst, this could include a command to "bring down" a drone being used for military purposes. This is the whole pandora's box, and explains why the US Army have ordered the removal of all DJI software from Army devices. These findings do paint a sinister story. The capability to dynamically change the software on your device to do anything you likeis like opening up Aladdin's cave. Apps could be dynamically modified to allow access to anything that the DJI go app has permission to access. That would include all access to all vision, all telemetry, and all flight logs. At its worst, this could include a command to "bring down" a drone being used for military purposes. This is the whole pandora's box, and explains why the US Army have ordered the removal of all DJI software from Army devices.
- 
  
 ===== DJI Forum - Disclosure of DJI sales history ===== ===== DJI Forum - Disclosure of DJI sales history =====
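Review bot: the new line "As stated above, [[...|using hot patching frameworks that doing so violates its rules.]]" is ungrammatical and, unlike the removed "warning from apple" wording, no longer says who issued the warning; suggest "As stated above, Apple has [[https://www.theregister.co.uk/2017/03/09/apple_burns_bridge_for_hot_patching/|warned that using hot patching frameworks violates its rules]]." Two smaller points in the same hunk: the rewritten DJI quote moves "issue" outside the quotation marks but leaves a dangling article, so the linked text now reads "The is being addressed" where the old version read "The Tinker issue is being addressed"; either restore the original quote or drop the stray "The". And "IOS APK's" mislabels the package format (APK is the Android package; iOS apps ship as IPA bundles) and "IOS" is conventionally written "iOS"; "iOS apps have been found to contain JSPatch" would be accurate. The unchanged line "anything you likeis like opening up Aladdin's cave" is also missing a space ("you like is").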
faq/dataleakage.1502675688.txt.gz · Last modified: 2017/08/14 01:54 by czokie