DJI Enhances Software Security In Its Flight Control Apps
August 28, 2017 – DJI has released important updates to its DJI GO and DJI GO 4 apps to address concerns about software elements within the apps that transfer data over the internet. The updates are available on both Android and iOS platforms. Customers are urged to download and use the newest version of these apps from the iOS AppStore or Google Play.
Many features of the DJI GO and DJI GO 4 apps use third-party plugins that serve important functions, such as livestreaming, sharing photos and paying for items in the DJI Store. However, we have removed some third-party plugins from our apps after discovering that their operations do not meet our security standards.
DJI has removed a third-party plugin called JPush, which was introduced in March 2016 for iOS and May 2017 for Android. We implemented the plugin as a way to push notifications when video files are successfully uploaded to DJI’s SkyPixel video sharing platform. JPush assigns a unique JPush ID to each user and informs SkyPixel of this ID when the user chooses to upload a video. After uploading is complete, SkyPixel sends the user’s unique JPush ID back to the JPush server, triggering an “Upload Complete” notification in the user’s DJI GO or DJI GO 4 app. By using JPush’s third-party plugin, DJI allowed users to multitask while large video uploads to SkyPixel continued in the background of the app.
As a third-party company, JPush only needs to send and receive a minimal, narrowly defined amount of data for this function to work properly. Recent work by DJI’s software security team and external researchers has discovered that JPush also collects extraneous packets of data, including a list of the apps installed on the user’s Android device, and sends them to JPush’s server. DJI did not authorize or condone either the collection or the transmission of this data, and DJI never accessed this data. JPush has been removed from our apps, and DJI will develop new methods for providing app status updates that better protect our customers’ data.
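The two paragraphs above describe a three-party notification flow (app, video platform, push service) and the failure mode of a push SDK shipping far more than the one identifier the flow needs. The following is an added, constructed model of that flow (not DJI, SkyPixel or JPush code): the party classes, message shapes and field names are assumptions chosen to show the data-minimization point. An egress allowlist sits between the app and the push service, so any field outside the narrowly defined set (here an "installed_apps" list, as the text describes) is stripped and reported rather than sent, while the "Upload Complete" notification still arrives.

```python
"""Constructed model of an 'Upload Complete' push flow with an egress allowlist.

Not DJI/SkyPixel/JPush code. Party names, messages and field names are assumptions
used to illustrate limiting a third-party SDK to the data its function needs.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Fields the notification function legitimately needs (assumed set).
ALLOWED_PUSH_FIELDS = frozenset({"push_id", "event", "video_id"})

# Constructed SDK payload: the legitimate fields plus extraneous device data.
SDK_PAYLOAD = {
    "device_model": "example-phone",
    "installed_apps": ["com.example.bank", "com.example.mail"],
}


@dataclass
class PushServer:
    """Stand-in for the third-party push service; records every payload it receives."""
    next_id: int = 1
    received: list[dict] = field(default_factory=list)
    notified: list[tuple[str, str]] = field(default_factory=list)

    def register(self) -> str:
        """Assign a unique push ID to a newly installed app instance."""
        push_id = f"push-{self.next_id:04d}"
        self.next_id += 1
        return push_id

    def receive(self, payload: dict) -> None:
        self.received.append(dict(payload))

    def trigger(self, push_id: str, message: str) -> None:
        """Deliver a notification to the device registered under push_id."""
        self.notified.append((push_id, message))


@dataclass
class VideoPlatform:
    """Stand-in for the video-sharing backend; it only ever learns the push ID."""
    push: PushServer
    uploads: dict[str, str] = field(default_factory=dict)  # video_id -> push_id

    def start_upload(self, video_id: str, push_id: str) -> None:
        self.uploads[video_id] = push_id

    def finish_upload(self, video_id: str) -> None:
        push_id = self.uploads.pop(video_id)
        self.push.trigger(push_id, "Upload Complete")


def filter_egress(payload: dict, allowed: frozenset[str] = ALLOWED_PUSH_FIELDS) -> tuple[dict, list[str]]:
    """Keep only allowlisted fields; return (clean_payload, names_of_dropped_fields)."""
    clean = {k: v for k, v in payload.items() if k in allowed}
    dropped = sorted(k for k in payload if k not in allowed)
    return clean, dropped


def run_upload_flow(sdk_payload: dict, enforce: bool) -> dict:
    """Run the app -> push service -> platform -> push service exchange once.

    With enforce=True the allowlist is applied before anything leaves the app.
    """
    push = PushServer()
    platform = VideoPlatform(push)
    push_id = push.register()
    payload = dict(sdk_payload, push_id=push_id, event="upload_start", video_id="vid-42")
    dropped: list[str] = []
    if enforce:
        payload, dropped = filter_egress(payload)
    push.receive(payload)                      # what the SDK actually transmits
    platform.start_upload("vid-42", push_id)   # platform learns the ID only
    platform.finish_upload("vid-42")           # platform asks the push service to notify
    return {
        "sent_fields": sorted(push.received[0]),
        "dropped": dropped,
        "notified": list(push.notified),
    }


if __name__ == "__main__":
    print("unfiltered:", run_upload_flow(SDK_PAYLOAD, enforce=False))
    print("filtered:  ", run_upload_flow(SDK_PAYLOAD, enforce=True))
```

The design point is that the allowlist is enforced at the boundary the app controls (the outbound payload), not by trusting the SDK's own configuration; the list of dropped field names doubles as an audit signal that an integrated SDK is attempting to send more than its declared function requires.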
DJI has also removed the “hot-patching” plugins jsPatch for iOS and Tinker for Android, which enabled DJI to immediately update elements within our apps without updating the entire app. These plugins were implemented to quickly address emerging flight security concerns such as temporary no-fly zones and critical bugs. Nevertheless, DJI has removed these plugins to ensure that all app updates undergo the same thorough screening before installation.
DJI will continue examining other third-party plugins and services in DJI GO and DJI GO 4, and is committed to thoroughly investigating any new third-party plugins before adopting them. Our existing plugins include YouTube and Facebook for livestreaming, Bugly for reporting app crashes, and Alipay and Taobao for payment in the DJI Store. We will remove plugins that are found to cause software security or integrity concerns.
We have launched an internal educational program for our developers, as well as a more rigorous code review and testing process, to reinforce the importance of software security when developing new features.
DJI is also introducing a bug bounty program for external researchers to better aid our efforts to improve our products and apps, as well as a more robust research and academic outreach program to quickly identify and resolve potential security issues.
All of these measures are part of DJI’s continuing effort to enhance the integrity of our software.
As a hardware manufacturer, we want to emphasize that DJI’s focus is to provide the best possible user experience with our products. Our business model does not include selling user data for profit. Instead, DJI collects data to fix bugs, offer more responsive customer service and support a seamless user experience by updating apps to provide local safe flight information and settings.
DJI does not access the flight logs, photos or videos generated during drone flights unless customers choose to share that data by taking affirmative action such as syncing flight logs with DJI servers, uploading photos or videos to SkyPixel, or physically delivering the drone to DJI for service.
DJI GO 4 versions have been updated to 4.1.7 for iOS and 184.108.40.206 for Android. DJI GO versions have been updated to 3.1.15 for iOS and 3.1.11 for Android.