In two reports, the researchers contended that an app on Google’s Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft.
The world’s largest maker of commercial drones, DJI has found itself increasingly in the cross hairs of the United States government, as have other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to continue grounding its fleet of the company’s drones over security fears. DJI said the decision was about politics, not software vulnerabilities.
The security research firms that documented it, Synacktiv, based in France, and GRIMM, located outside Washington, found that the app not only collected information from phones but that DJI can also update it without Google reviewing the changes before they are passed on to consumers. That could violate Google’s Android developer terms of service.
The changes are also difficult for users to review, the researchers said, and even when the app appears to be closed, it awaits instructions from afar, they found.
“The phone has access to everything the drone is doing, but the information we are talking about is phone information,” said Tiphaine Romand-Latapie, a Synacktiv engineer. “We don’t see why DJI would need that data.”
Synacktiv did not identify any malicious uploads but simply raised the prospect that the drone app could be used that way.
A New York Times analysis of the software confirmed the functionality. An attempt to update the app directly from DJI’s servers delivered a message indicating that the phone The Times used “did not meet the qualifications for an update package.”
Note: nowhere do they say what data is supposedly being stolen; in fact, they admit there has been no data stolen as far as they have seen. This is stirring the pot: you want your stuff to get updates in life. That’s called security.