Please select Into the mobile phone version | Continue to access the computer ver.
DJI Enhances Software Security In Its Flight Control Apps
12Next >
16845 46 2017-8-29
Uploading and Loding Picture ...(0/1)
o(^-^)o
DJI Joe
Captain

Canada
Offline

Hi all. I wanted to share with you some exciting news regarding information security and DJI. (Bolding highlights are my own emphasis).
DJI Enhances Software Security In Its Flight Control Apps

August 28, 2017 – DJI has released important updates to its DJI GO and DJI GO 4 apps to address concerns about software elements within the apps that transfer data over the internet. The updates are available on both Android and iOS platforms. Customers are urged to download and use the newest version of these apps from the iOS AppStore or Google Play.

Many features of the DJI GO and DJI GO 4 apps use third-party plugins that serve important functions, such as livestreaming, sharing photos and paying for items in the DJI Store. However, we have removed some third-party plugins from our apps after discovering their operations do not meet our security standard.

DJI has removed a third-party plugin called JPush, which was introduced in March 2016 for iOS and May 2017 for Android. We implemented the plugin as a way to push notifications when video files are successfully uploaded to DJI’s SkyPixel video sharing platform. JPush assigns a unique JPush ID to each user and informs SkyPixel of this ID when the user chooses to upload a video. After uploading is complete, SkyPixel sends the user’s unique JPush ID back to the JPush server, triggering an “Upload Complete” notification on the user’s DJI GO or DJI GO 4 apps. By using JPush’s third-party plugin, DJI has allowed users to multitask while uploading large video files to SkyPixel occurs in the background of their app.         

As a third-party company, JPush only needs to send and receive a minimal, narrowly-defined amount of data in order for this function to work properly. Recent work by DJI’s software security team and external researchers has discovered that JPush also collects extraneous packets of data, which include a list of apps installed on the user’s Android device, and sends them to JPush’s server. DJI did not authorize or condone either the collection or transmission of this data, and DJI never accessed this data. JPush has been removed from our apps, and DJI will develop new methods for providing app status updates that better protect our customers’ data.

DJI has also removed “hot-patching” plugins jsPatch for iOS and Tinker for Android, which enabled DJI to immediately update elements within our apps without updating the entire app. These plugins were implemented to speedily address emerging flight security concerns such as temporary no-fly zones and critical bugs. Nevertheless, DJI has removed these plugins to ensure all app updates undergo the same thorough screening before installation.

DJI will continue examining other third-party plugins and services in DJI GO and DJI GO 4, and is committed to thoroughly investigating any new third-party plugins before adopting them. Our existing plugins include YouTube and Facebook for livestreaming, Bugly for reporting app crashes and Alipay and Taobao for payment in the DJI Store. We will remove plug-ins that are found to cause software security or integrity concerns.

We have launched an internal educational program for our developers, as well as a more rigorous code review and testing process, to reinforce the importance of software security when developing new features.

DJI is also introducing a bug bounty program for external researchers to better aid our efforts to improve our products and apps, as well as a more robust research and academic outreach program to quickly identify and resolve potential security issues.

All of these efforts are a part of DJI’s continuing efforts to enhance the integrity of our software.

As a hardware manufacturer, we want to emphasize that DJI’s focus is to provide the best possible user experience with our products. Our business model does not include selling user data for profit. Instead, DJI collects data to fix bugs, offer more responsive customer service and support a seamless user experience by updating apps to provide local safe flight information and settings.

DJI does not access the flight logs, photos or videos generated during drone flights unless customers choose to share that data by taking affirmative action such as syncing flight logs with DJI servers, uploading photos or videos to SkyPixel, or physically delivering the drone to DJI for service.

DJI GO 4 versions have been updated to 4.1.7 for iOS and 4.1.5.3 for Android. DJI GO versions have been updated to 3.1.15 for iOS and 3.1.11 for Android.


2017-8-29
Use props
Blériot53
Captain
Flight distance : 6188465 ft
  • >>>
France
Online

Thank you for a clear explanation - this looks like a real positive step forward.
2017-8-29
Use props
Aardvark
Captain
Flight distance : 384432 ft
  • >>>
United Kingdom
Offline

Thank you for the update Joe, were these the updates that were released last week ? Or is there a new V4.1.7 to come ? (for iOS).
2017-8-29
Use props
$gambino$
First Officer
Flight distance : 1563980 ft
United States
Offline

Did u read the last paragraph aardvark
2017-8-29
Use props
Landjet
Second Officer
Flight distance : 61496 ft
United States
Offline

Nice to know. Thank you.
2017-8-29
Use props
Ex Machina
Captain
Flight distance : 1806362 ft
United States
Offline

Excellent, kudos for the openness -- it's much appreciated.
2017-8-29
Use props
M1dn1ght N1nj4
lvl.4
Flight distance : 11522 ft
United States
Offline

I'm still showing v4.1.5 for Android.  Using the About App info built into Android.
2017-8-29
Use props
chuscadron
lvl.1
Flight distance : 515 ft
Argentina
Offline

Gracias por la actualización  dji   .. pero  para cuando  idioma   español app ?
2017-8-29
Use props
Aardvark
Captain
Flight distance : 384432 ft
  • >>>
United Kingdom
Offline

$gambino$ Posted at 2017-8-29 08:23
Did u read the last paragraph aardvark

V4.1.7 was released on 22nd, the opening paragraph suggests that they have just been released on 28th.
2017-8-29
Use props
Fractures
lvl.4
Flight distance : 635531 ft
United States
Offline

Awesome, glad to see DJI taking steps in the right direction!
2017-8-29
Use props
Ex Machina
Captain
Flight distance : 1806362 ft
United States
Offline

Aardvark Posted at 2017-8-29 10:04
V4.1.7 was released on 22nd, the opening paragraph suggests that they have just been released on 28th.

Not really -- if the press release stated "Today DJI released..." then you would expect a new build on the date of the press release. "Has released" implies something that already happened.

DJI and other app makers have to craft their press releases this way because they have no control over the actual app store release date, which is dependent upon Apple/Google reviews.
2017-8-29
Use props
Juanreta_garcia
Second Officer
Flight distance : 246004 ft
Spain
Offline

Great news!!  
2017-8-29
Use props
M1dn1ght N1nj4
lvl.4
Flight distance : 11522 ft
United States
Offline

Ex Machina Posted at 2017-8-29 10:17
Not really -- if the press release stated "Today DJI released..." then you would expect a new build on the date of the press release. "Has released" implies something that already happened.

DJI and other app makers have to craft their press releases this way because they have no control over the actual app store release date, which is dependent upon Apple/Google reviews.

They stated clearly in the second paragraph, that the updated apps were released August 28, 2018.  That was YESTERDAY.  As of right now, and uninstall, and clean download from the Play Store, pulls in v4.1.5(21-gpPhone).

That's why people are asking about it.  If like to know why v4.1.5.3 is still not available (Android).
2017-8-29
Use props
Ex Machina
Captain
Flight distance : 1806362 ft
United States
Offline

M1dn1ght N1nj4 Posted at 2017-8-29 10:24
They stated clearly in the second paragraph, that the updated apps were released August 28, 2018.  That was YESTERDAY.  As of right now, and uninstall, and clean download from the Play Store, pulls in v4.1.5(21-gpPhone).

That's why people are asking about it.  If like to know why v4.1.5.3 is still not available (Android).

I think you mean the first paragraph of the press release, which is:

August 28, 2017 – DJI has released important updates to its DJI GO and DJI GO 4 apps to address concerns about software elements within the apps that transfer data over the internet. The updates are available on both Android and iOS platforms. Customers are urged to download and use the newest version of these apps from the iOS AppStore or Google Play.

I can see why people assume the press release date and the releases of the apps occur on the same day, but that's just not possible for the reasons I mentioned. The releases were announced on this forum on the 22nd once both iOS and Android versions were in their respective stores. As for your question about the Android extended build version, my guess is that the .3 is just not normally exposed to the end user.

2017-8-29
Use props
M1dn1ght N1nj4
lvl.4
Flight distance : 11522 ft
United States
Offline

Ex Machina Posted at 2017-8-29 11:05
I think you mean the first paragraph of the press release, which is:

August 28, 2017 – DJI has released important updates to its DJI GO and DJI GO 4 apps to address concerns about software elements within the apps that transfer data over the internet. The updates are available on both Android and iOS platforms. Customers are urged to download and use the newest version of these apps from the iOS AppStore or Google Play.

The Play Store says that app was last updated August 17.  That's still prior to even the 22nd.  So in essence, the Android GO4 app has NOT been updated.  Unless someone managed to get a hold of it somehow.
2017-8-29
Use props
Ex Machina
Captain
Flight distance : 1806362 ft
United States
Offline

M1dn1ght N1nj4 Posted at 2017-8-29 12:19
The Play Store says that app was last updated August 17.  That's still prior to even the 22nd.  So in essence, the Android GO4 app has NOT been updated.  Unless someone managed to get a hold of it somehow.

This says the 21st under Additional Information: https://play.google.com/store/apps/details?id=dji.go.v4&hl=en and the Apple store says the 22nd. I'm surprised they were this close, actually.
2017-8-29
Use props
fansa7dc5944
Second Officer
Flight distance : 50988 ft
  • >>>
Thailand
Offline

Why debating about the release date? The new software might have been released before or will be released after the press release. In most case it comes days after. Just acknowledge and update it.
2017-8-29
Use props
Blackwood
Second Officer

United States
Offline

The biggest question is will it do anything to actually fix the problems or will we just be getting an update for drones we can't fly anyway?  All that jibber jabber about what they did doesn't mean a thing if you still can't fly.
2017-8-29
Use props
Genghis9
Captain
Flight distance : 961 ft
United States
Offline

M1dn1ght N1nj4 Posted at 2017-8-29 10:24
They stated clearly in the second paragraph, that the updated apps were released August 28, 2018.  That was YESTERDAY.  As of right now, and uninstall, and clean download from the Play Store, pulls in v4.1.5(21-gpPhone).

That's why people are asking about it.  If like to know why v4.1.5.3 is still not available (Android).

M1dnight,
I have the same question, I currently have v4.1.5, I cannot determine if I have v4.1.5.3 or not.  The download from store does what you say loads the same as I currently seem to have.  Obviously it would be nice to confirm if we have the most current or not in this respect?  We might, but just can't be confirmed???
2017-8-29
Use props
Genghis9
Captain
Flight distance : 961 ft
United States
Offline

Joe
Glad to hear of these changes, they are a step in the right direction, and a direction I hope they keep.  Looking forward to seeing all of this implemented as stated, and more.
Thank you
2017-8-29
Use props
Ex Machina
Captain
Flight distance : 1806362 ft
United States
Offline

fansa7dc5944 Posted at 2017-8-29 13:22
Why debating about the release date? The new software might have been released before or will be released after the press release. In most case it comes days after. Just acknowledge and update it.

The press release says at the bottom:

DJI GO 4 versions have been updated to 4.1.7 for iOS and 4.1.5.3 for Android. DJI GO versions have been updated to 3.1.15 for iOS and 3.1.11 for Android.

The sticking point for the poster with the question is whether version 4.1.5.3 referenced above is the same thing as the 4.1.5 currently in the app store and just wants to be reassured one way or the other.
2017-8-29
Use props
Ex Machina
Captain
Flight distance : 1806362 ft
United States
Offline

Blackwood Posted at 2017-8-29 13:39
The biggest question is will it do anything to actually fix the problems or will we just be getting an update for drones we can't fly anyway?  All that jibber jabber about what they did doesn't mean a thing if you still can't fly.

I flew several flights with .1000 over the weekend, works great. I think the jpg output is now less overcooked than in previous versions. When I take RAW+JPG and compare the two, the JPG now look very much like auto-leveled DNG with more compression and NR. I need to go back and look at earlier RAW+JPG sets to be sure, but I'm feeling pretty good about this update.
2017-8-29
Use props
KryptoNyte
Second Officer
United States
Offline

Am I reading that report differently than the rest of you, or did DJI just shirk responsibility for the questionable actions of the subcontractor that they hired to handle information?
2017-8-29
Use props
hallmark007
Captain
Flight distance : 9812789 ft
  • >>>
Ireland
Offline

Thanks for that. It helps to get a comprehensive statement rather than small leaks , I hope it helps those with real concerns, it's great to know that protection will be there for those who have been worried about it. Good job.
2017-8-29
Use props
dewein
Captain
Flight distance : 157746 ft
United States
Offline

And again I find myself wondering... does any of this affect the poor P4P+ users who don't get their updates from an app store?  Looks like NO:
2017-8-29
Use props
Iamz
lvl.4
Flight distance : 487480 ft
Thailand
Offline

Very nice to see this kind of openness. Hope it continues.
2017-8-29
Use props
Mari
Captain
Flight distance : 1308780 ft
Netherlands
Offline

dewein Posted at 2017-8-29 19:32
And again I find myself wondering... does any of this affect the poor P4P+ users who don't get their updates from an app store?  Looks like NO:
https://604968c6df5d4072e6d3-dcb590c306fda6a8bb80883006ea1208.ssl.cf1.rackcdn.com/dji.PNG[/img]

Updates for firmware have nothing to do with update of app... If you don't use DJI Go or DJI Go 4 for flying there you don't have these apps and don't have to update and don't have to read this thread...
2017-8-29
Use props
djiuser_zPABC2M
lvl.1
Flight distance : 114505 ft
Poland
Offline

no sign of update at google play store. The lats version is 4.1.5 , date 17 aug 2017
2017-8-29
Use props
Ex Machina
Captain
Flight distance : 1806362 ft
United States
Offline

djiuser_zPABC2M Posted at 2017-8-29 23:08
no sign of update at google play store. The lats version is 4.1.5 , date 17 aug 2017

What are you looking at? Says Aug 21 here:  https://play.google.com/store/apps/details?id=dji.go.v4&hl=en
2017-8-30
Use props
dewein
Captain
Flight distance : 157746 ft
United States
Offline

Mari Posted at 2017-8-29 21:17
Updates for firmware have nothing to do with update of app... If you don't use DJI Go or DJI Go 4 for flying there you don't have these apps and don't have to update and don't have to read this thread...

Mari;

I'm not sure of your point.  The original post of this thread was about updates to DJI Go which is pre-installed on my RC since I have the P4P+.  The app isn't updated through "app" stores.  

Perhaps my photo confused you.  What would you call DJI Go when you can't update it manually as you would in an app store?  When it's part of the RC itself?

Do you have a Phantom?
2017-8-30
Use props
Sparky_17
Captain
Flight distance : 62349 ft
Canada
Offline

Now we get clarification on the firmware update pushed and mandated earlier this month.
2017-8-30
Use props
PHOTOlulu
Captain
Flight distance : 952625 ft
  • >>>
United States
Offline

Just updated GO app to 4.1.8 on my Android phone.
2017-8-30
Use props
jh8
First Officer
Flight distance : 39685 ft
  • >>>
Netherlands
Offline

There seems to be an update from August 30:
https://play.google.com/store/apps/details?id=dji.go.v4

No sign of an update on my Android devices though...
2017-8-30
Use props
Peterx
Captain
Flight distance : 1499708 ft
Germany
Offline

Updated to 3.1.11 for android,delay time from Cam to mobile shorter as with 3.1.10.  
2017-8-30
Use props
WolfgangStiller
Captain
Flight distance : 599416 ft
United States
Offline

Really good to see these security exposures fixed!  This also indicates DJI is giving the App a serious review. I really appreciate that!
2017-8-30
Use props
MrRobert5823
Second Officer
Flight distance : 1385223 ft
United States
Offline

This is a positive step forward.  It makes me frustrated that they didn't examine the code of the 3rd party, but when they have admitted it, explained it and fixed it... Opened up to the public to identify other holes in the application... I think these are very positive steps.... Thanks DJI!
2017-8-30
Use props
fans99d24711
lvl.3
United States
Offline


I had posted on some strange behavior on my android but received very little response. The most important thing is it was storing files and connecting although I was not using the app.  Hopefully this will stop that practice.


http://forum.dji.com/thread-108572-1-1.html
2017-8-30
Use props
Saskebaby
Second Officer
Flight distance : 1017989 ft
Philippines
Offline

Wow thanks....
2017-8-30
Use props
JMR58
Captain
Flight distance : 627966 ft
  • >>>
Belgium
Offline

DJI GO 4 versions have been updated to 4.1.7 for iOS...???

After download (31/08) my version is 4.1.9

2017-8-31
Use props
LeafPeeper
First Officer
Flight distance : 450075 ft
  • >>>
United States
Offline

The version info in this thread is all over the place.....4.1.7, 4.1.8. 4.1.9, 3.1.10, 3.1.11, etc,... WTH?

LP
2017-8-31
Use props
12Next >
Advanced
You need to log in before you can reply Login | Register now

Credit Rules