Researchers at security firms Synacktiv and Grimm now say that the drone-controlling app, DJI Go 4, may not be safe. The app, intended for DJI drones released after the P4, contains several worrying components. At its worst, the app could be used to spy on users and install apps. But it also violates Google Play Store policies, and the search giant is now investigating the matter, reports indicate.
The biggest Play Store policy violation here, according to reports, is that aspects of the app allow the installation of other apps. That happens through a self-update feature or a dedicated installer from China's Weibo social network. Downloading and installing code from outside Google's own Android market is against the rules.
But the app can also restart itself after being closed by the user and continue to run in the background, researchers say. That happens without the user's knowledge and includes the ability to keep sending network requests.
Which DJI drone owners might be at risk from this app?
The problems here affect only the DJI Go 4 app, which limits the set of drone owners who might be impacted. But DJI is also arguably the most prominent and popular drone OEM on the market. So the app does have between 1 million and 5 million installs.
As noted above, those are the drones that came after DJI's P4. At least according to the app's description in the Google Play Store, it applies to four drones in total. So it will likely impact owners of the DJI Phantom 4, Mavic Pro, Phantom 4 Pro, and Inspire 2.
Owners who have had their drone for some time will want to be extra careful too. An older variant of the app, researchers discovered, carried yet another issue that has since been fixed. That issue involved the use of an SDK from MobTech. The SDK provided MobTech, based in China, with data about the host smartphone's IMEI, SIM serial number, SD card information, Bluetooth addresses, and other unique identifiers.
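The three behaviours described above (installing other packages, starting again without the user opening the app, and reading hardware identifiers for a bundled SDK) each leave traces in an app's manifest that a reviewer can check before trusting an update. The following triage script is an added example, not code from the article, from DJI, or from the researchers: it reads a decoded AndroidManifest.xml (as produced by a decoder such as apktool) and reports which of those permission and component patterns are present. The manifest it runs on is constructed for the example, the package name `com.example.droneapp` and the class names in it are hypothetical, and the permission names in the watchlist are real Android permissions.

```python
# Added example: manifest triage for the behaviours the article describes.
# Not the article's, DJI's, or the researchers' code. The sample manifest,
# the package name com.example.droneapp and the class names are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Real Android permission names, grouped by the behaviour they enable.
WATCHLIST = {
    "install_other_apps": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.INSTALL_PACKAGES",
    },
    "background_persistence": {
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.FOREGROUND_SERVICE",
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    },
    "device_identifiers": {
        "android.permission.READ_PHONE_STATE",       # IMEI, SIM serial
        "android.permission.BLUETOOTH",              # Bluetooth addresses
        "android.permission.READ_EXTERNAL_STORAGE",  # SD card contents
    },
}

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.droneapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name="com.example.thirdpartysdk.PushService"/>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str, own_package: str) -> dict:
    """Return findings keyed by behaviour: matched permissions, receivers that
    fire on boot, and components declared outside the app's own package."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(NAME) for el in root.iter("uses-permission")}
    findings = {cat: sorted(declared & perms) for cat, perms in WATCHLIST.items()}

    # A receiver subscribed to BOOT_COMPLETED lets the app start itself
    # without the user opening it.
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            boot_receivers.append(receiver.get(NAME))
    findings["boot_receivers"] = boot_receivers

    # Components whose class lives under a different package usually come from
    # a bundled third-party SDK; list them so the vendor can be reviewed.
    foreign = []
    for tag in ("service", "receiver", "activity", "provider"):
        for comp in root.iter(tag):
            name = comp.get(NAME, "")
            if name and not name.startswith(".") and not name.startswith(own_package):
                foreign.append(name)
    findings["third_party_components"] = sorted(foreign)
    return findings


if __name__ == "__main__":
    for category, hits in triage_manifest(SAMPLE_MANIFEST, "com.example.droneapp").items():
        print(f"{category}: {hits or '-'}")
```

A hit in any category is a prompt for review rather than proof of misuse: a legitimate app may need READ_PHONE_STATE or a boot receiver. What the check gives a reviewer is the list of places to look, and the third-party component list is where a bundled analytics or push SDK such as the one the researchers found would show up.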
What's DJI saying and what should drone owners do?
The most obvious course of action for owners of the DJI drones controlled by DJI Go 4 is to uninstall the app entirely. At least, that's going to be the case until Google either verifies that everything is okay or removes the app from the store. In the interim, DJI has come forward with a statement on the matter.
A spokesperson for the company has claimed that the researcher-discovered vulnerabilities were "hypothetical" and that they had never been exploited. The app update function described in the reports, the statement goes on to say, is important for mitigating the use of hacked apps that override geofencing and altitude-limitation features. And the app, DJI says, won't restart without user input. Or, at the very least, it's a bug that the company has been entirely unable to replicate.
Finally, the company indicates in its full statement that it has removed SDKs where vulnerabilities have been found.