DJI Privacy & Security Analysis
2133 1 2020-7-24
HedgeTrimmer
First Officer
United States

DJI Android GO 4 application security analysis

{Snippet}

We found that:
  • Despite being under scrutiny, DJI did not improve the transparency surrounding the potential abuse of its Android mobile application: the DJI GO 4 application makes use of anti-analysis techniques similar to those used by malware, such as anti-debug, obfuscation, packing and dynamic encryption.
  • After de-obfuscation, our research located two features of the software that call home and wait for a file that orders the user's phone to install a forced update or install new software. This mechanism is very similar to the command and control servers encountered with malware. Given the wide permissions required by DJI GO 4 [5] (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user's phone. This way of updating an Android app or pushing a new app completely circumvents Google feature module delivery [6] or in-app updates [7]. Google is then not able to do any verification on updates and modifications pushed by DJI. According to Google Play, the application has been installed on more than a million personal devices, suggesting any security risks are widespread.
  • The MobTech component embedded in recent versions of the DJI Android GO 4 application collects personal data such as IMSI, IMEI, the serial number of the SIM card, etc. This data is not relevant or necessary for drone flights and goes beyond DJI's privacy policy [8]. For example, IMSI is used by cellular network operators. These sensitive, unique, persistent data identifiers can be used by intelligence agencies or malicious people to later track individuals or eavesdrop on communications.
  • The DJI GO 4 application on the Android platform does not close when the user closes the app with a swipe right. The app continues to run in the background and makes network requests.
  • Whereas our findings affect the Android version of DJI GO 4, the iOS version of the application is not obfuscated and doesn't have the hidden update mechanisms.


Follow Up from GRIMM


DJI Privacy Analysis Validation

To provide an independent review of the findings, the vendor asked GRIMM to validate Synacktiv's findings. This blog describes GRIMM's setup and workflow for validating Synacktiv's research. Using the techniques described in the following sections to perform static and dynamic analysis on the DJI GO 4 Android application, GRIMM was able to verify and confirm the findings from Synacktiv's report.

{Snippets}


Findings Validation

Once GRIMM was able to statically analyze the application's decrypted and decompiled source code and intercept and analyze the application's network requests, we proceeded to validate Synacktiv's findings.

Self-Update Mechanism

Synacktiv's report describes DJI GO 4's custom update mechanism. This update service does not use the Google Play Store and thus is not subject to its review process. As such, there is no guarantee that the application downloaded for one user matches that of another user. If DJI's update server is malicious, or compromised by an attacker, it could use this mechanism to target individual users with malicious application updates. One thing to note: this behavior is a violation of Google's Developer Program Policies, which state:

Mob SDK Data Collection

In Synacktiv's report, the researchers detail their analysis of the data collection capabilities within the MobTech SDK framework. The researchers assert that the MobTech SDK framework is used to collect a substantial amount of user data and transmit it back to MobTech. GRIMM's researchers were able to confirm the use of Mob SDK for data collection in previous versions of DJI GO 4 through both static and dynamic analysis.

App reloads in background

As described in Synacktiv's report, when a user attempts to close the app, it restarts itself in the background. As such, the app can only be killed through the Android "Force Stop" option, as it will be restarted if closed via the normal Android swipe close gesture. While the app is in the background, it accesses the device's location. It is unknown what is done with the location the device collects. It appears from the logcat messages (shown below) that the restarted process uses the MapBox Telemetry service, which requires a setting to opt out of location telemetry. The app does provide a switch to opt out of "Coarse Location"; however, when the switch is turned off, a message pops up (shown below) and prevents the user from turning off this setting, and thus it is impossible to disable. The popup does not specifically mention MapBox.


2020-7-24
Use props
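The background-restart behaviour described in the GRIMM section above is something a device owner can check for themselves with nothing more than `adb logcat`: a swipe-close of a task is logged by ActivityManager as a "Killing ...: remove task" event, and a self-restarting app shows up as a "Start proc" for the same package a moment later, started for a service or broadcast rather than for an activity the user opened. The script below is an added example, not code from the forum post, from Synacktiv or from GRIMM. The package name `com.example.dronectl` is a placeholder and the logcat lines are constructed for illustration; the ActivityManager message formats follow recent Android releases, whose field layout can vary by version.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder package name (not a real application identifier).
PACKAGE = "com.example.dronectl"

# Constructed `adb logcat -v threadtime` excerpt: an activity launch, a user
# swipe-close ("remove task"), a self-restart via a service, an unrelated
# process start, and finally a "Force Stop" from Settings.
SAMPLE_LOGCAT = """\
07-24 10:15:02.114  1021  1345 I ActivityManager: Start proc 23144:com.example.dronectl/u0a212 for activity com.example.dronectl/.MainActivity
07-24 10:15:40.552  1021  1345 I ActivityManager: Killing 23144:com.example.dronectl/u0a212 (adj 900): remove task
07-24 10:15:41.007  1021  1345 I ActivityManager: Start proc 23201:com.example.dronectl/u0a212 for service com.example.dronectl/.TelemetryService
07-24 10:15:41.300  1021  1400 I ActivityManager: Start proc 23210:com.example.other/u0a150 for broadcast com.example.other/.BootReceiver
07-24 10:16:10.000  1021  1345 I ActivityManager: Force stopping com.example.dronectl appid=10212 user=0: from pid 2300
"""

# threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+\w\s+"
    r"ActivityManager:\s+(?P<msg>.*)$"
)
START_RE = re.compile(
    r"Start proc (?P<pid>\d+):(?P<pkg>[\w.]+)/\S+ for (?P<reason>\w+) (?P<component>\S+)"
)
KILL_RE = re.compile(r"Killing (?P<pid>\d+):(?P<pkg>[\w.]+)/\S+ \(adj -?\d+\): (?P<reason>.*)")
FORCE_STOP_RE = re.compile(r"Force stopping (?P<pkg>[\w.]+) ")


@dataclass
class Restart:
    killed_at: str      # timestamp of the swipe-close kill
    restarted_at: str   # timestamp of the next process start
    start_reason: str   # "service", "broadcast", ... (never "activity")
    component: str      # component the process was started for


def find_background_restarts(logcat_text: str, package: str) -> List[Restart]:
    """Pair each swipe-close ("remove task") kill of `package` with the next
    process start of the same package that was not a user-visible activity
    launch. A "Force stopping" event or an activity launch clears the pending
    kill, since both mean the next start is not a silent self-restart."""
    restarts: List[Restart] = []
    pending_kill: Optional[str] = None

    for raw in logcat_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not an ActivityManager line in threadtime format
        ts, msg = line.group("ts"), line.group("msg")

        kill = KILL_RE.match(msg)
        if kill and kill.group("pkg") == package:
            # Only the recents swipe is a user "close"; LMK kills etc. are ignored.
            if kill.group("reason").strip() == "remove task":
                pending_kill = ts
            continue

        force = FORCE_STOP_RE.match(msg)
        if force and force.group("pkg") == package:
            pending_kill = None  # Settings > Force Stop: the app really is gone
            continue

        start = START_RE.match(msg)
        if start and start.group("pkg") == package and pending_kill is not None:
            if start.group("reason") != "activity":
                restarts.append(Restart(pending_kill, ts, start.group("reason"),
                                        start.group("component")))
            pending_kill = None  # either a self-restart (recorded) or the user reopened it

    return restarts


if __name__ == "__main__":
    for r in find_background_restarts(SAMPLE_LOGCAT, PACKAGE):
        print(f"{PACKAGE} swiped away at {r.killed_at}, back at {r.restarted_at} "
              f"for {r.start_reason} {r.component}")
```

To use it against a real device, capture `adb logcat -v threadtime -s ActivityManager` while swiping the app out of recents, then feed the capture to `find_background_restarts` with the package name under test. An empty result means the app stayed closed; each `Restart` entry names the service or broadcast receiver that brought it back, which is the component to look at when deciding whether the behaviour is expected.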
A J
Captain
Flight distance : 13864580 ft
United Kingdom

Thanks for sharing
2020-9-11
Use props
Advanced