Following the news that China’s DJI drones could be collecting ‘unnecessary data’ from owners’ phones, Tod Beardsley, Research Director at Rapid7, has provided the below commentary.
“The investigative work by Synacktiv shows that even established companies sometimes wander outside the boundaries set by Google in how Android apps are delivered and updated. The analysis of the DJI 4 GO app from DJI, a popular China-based drone maker, shows that the “hobbyist” version of the Android app makes direct requests for software updates outside of the Play store, which means that future updates can install all sorts of things without Google noticing — including exploits for vulnerabilities.
“While this mechanism for installation and updates is fairly normal inside China — where Google Play isn’t permitted to operate at all — it’s suspect for users in the US and the EU where sideloading apps and updates is much less common. In other words, users of this application are right to be suspicious of this update mechanism outside of China, and I’d recommend not using your day-to-day Android device to pilot DJI drones. Rather, if you must use one of these versions of DJI 4 GO, you should stick with a “burner” device that doesn’t have immediate access to all your personal information. After all, Android platforms are fairly cheap, compared to the cost of a DJI drone. Finally, it’s important to note that while the research may or may not be applicable to DJI’s most recent app offering, “DJI Fly,” the advice about being leery of sideloading apps and updates remains the same.”
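The concern above is an app that fetches and installs its own updates outside the Play Store. One defender-side check a user or administrator can run is to look at which installer Android has recorded for each package. The example below is added here and is not from the article, Rapid7 or Synacktiv; it assumes the output format of `adb shell pm list packages -i` (`package:<name>  installer=<installer or null>`) and uses constructed package names, not real DJI identifiers.

```python
"""Flag Android packages whose recorded installer is not the Play Store.

Added example, not from the article. Input is assumed to be the text
produced by `adb shell pm list packages -i`; the sample lines below are
constructed for illustration.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Package name of Google Play on stock Android.
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -i` output (not real devices or apps).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.hobbydrone  installer=null
package:com.example.selfupdater  installer=com.example.selfupdater
package:com.example.oemapp  installer=com.example.oemstore
"""

_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


class PackageRecord(NamedTuple):
    name: str
    installer: Optional[str]  # None when Android reports "null"


def parse_pm_output(text: str) -> List[PackageRecord]:
    """Parse `pm list packages -i` lines into PackageRecord entries."""
    records: List[PackageRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        match = _LINE_RE.match(line)
        if not match:
            continue  # skip blank lines and anything in an unexpected format
        name, installer = match.groups()
        records.append(PackageRecord(name, None if installer == "null" else installer))
    return records


def classify(record: PackageRecord) -> str:
    """Classify a package by who installed or last updated it.

    Assumption: an app that installs its own updates through the
    PackageInstaller API is recorded as its own installer.
    """
    if record.installer == PLAY_STORE_INSTALLER:
        return "play_store"
    if record.installer is None:
        return "unattributed"      # adb/manual sideload, no installer recorded
    if record.installer == record.name:
        return "self_updated"      # app delivered its own update out of band
    return "third_party_store"     # OEM or other non-Play installer


def find_sideloaded(records: List[PackageRecord]) -> List[Tuple[str, str]]:
    """Return (package, classification) for every non-Play-Store package."""
    return [(r.name, classify(r)) for r in records if classify(r) != "play_store"]


if __name__ == "__main__":
    for name, reason in find_sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"{name}: {reason}")
```

Run against a real device by piping `adb shell pm list packages -i` into `parse_pm_output`; a drone app that shows up as `self_updated` or `unattributed` is one whose updates bypassed the Play Store and deserves the scrutiny the commentary recommends.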